zopefoundation / Products.PluggableAuthService

Pluggable Zope authentication / authorization framework

Best practice for ZMI (Manager role)? #97

Closed georgpfolz closed 2 years ago

georgpfolz commented 3 years ago

I use PAS for my websites, of which I sometimes have more than one in a Zope instance. So I use my root user with the "Manager" role to navigate into my websites to do some configuring.

In my websites I have PAS with a protocol sniffer and a protocol chooser installed. The idea is to have the website's users using the cookie authentication while still being able to use my http-authenticated user in the ZMI (I also use webdav, that's the main reason I need the protocol chooser).

My problem is that it has become very difficult to work in the ZMI: When in one of the websites (with its own PAS installed), I have to re-login constantly with my manager-user, using the PAS login dialog.

Is there a best practice how to configure the Protocol Chooser and the Authentication plugins so as to be able to work with the root Manager user without constant interruptions?

jugmac00 commented 3 years ago

I use two different browsers, one for my regular user, one for the root user, which authenticates via http basic auth.

georgpfolz commented 3 years ago

Thank you :) !

I should have come up with that solution myself... I was so fixated on the authentication methods that I didn't think about the most obvious thing to do!

jugmac00 commented 3 years ago

Years ago, I inherited a Zope app, and there the customer-facing frontend was deployed to a separate (sub)domain from the ZMI. This way you could use one browser, e.g. example.com and zmi.example.com.

georgpfolz commented 3 years ago

That's curious, I have each website and the ZMI on completely different domains, but I still have the problem when using the same browser.

jugmac00 commented 3 years ago

Ah sorry, back then the app did not use PAS, but CookieCrumbler for auth.

d-maurer commented 3 years ago

> I have to re-login constantly with my manager-user, using the PAS login dialog.

I interpret this as follows: I get an authentication challenge from the root PAS. According to HTTP 1.1, a browser should (but not "must") send authentication information automatically for follow up requests after a successful basic authentication. When you get an authentication request, it means that the authentication information in the request is missing or wrong.

When a higher up level PAS challenges for a lower down request, the browser might use the latter context to determine what "follow-up requests" are (only those in the lower context). In some cases, this can explain why authentication information may be missing. I would use a request sniffer (--> browser development utility) to check which information is sent to Zope.
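To make the "lower context" argument concrete, here is an added example (not code from this issue or from PluggableAuthService) that models the rule a Basic-auth client follows when deciding whether to resend credentials without a new challenge, as described in RFC 7617 section 2.2: the protection space is the realm plus every path at or below the directory of the URL that issued the 401 on the same origin. The host names, realm, user and password are constructed for the demonstration. It also distinguishes a real 401 Basic challenge from a redirect to a login form, which is what a cookie-based plugin answers with and which no browser caches credentials for.

```python
import base64
import re
from urllib.parse import urlsplit

# Extracts the realm from a WWW-Authenticate: Basic realm="..." header.
REALM_RE = re.compile(r'realm="([^"]*)"')


def protection_space(challenge_url):
    """Origin and directory of the URL that issued the 401.

    RFC 7617 section 2.2: the protection space covers every path at or
    below that directory on the same origin, so a challenge issued while
    the browser is inside /site1/ only covers /site1/..., even when the
    PAS that produced the challenge lives at the root.
    """
    parts = urlsplit(challenge_url)
    origin = "%s://%s" % (parts.scheme, parts.netloc)
    path = parts.path or "/"
    directory = path[: path.rfind("/") + 1]  # keeps the trailing slash
    return origin, directory


def parse_basic_challenge(status, headers):
    """Return the realm if the response is a genuine Basic challenge.

    Anything else (for example a 302 to a login form, which is what a
    cookie-based plugin emits) returns None: the client learns nothing
    it could replay on later requests.
    """
    if status != 401:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("www-authenticate", "")
    if not value.lower().startswith("basic"):
        return None
    match = REALM_RE.search(value)
    return match.group(1) if match else ""


class BasicAuthClient:
    """Minimal model of a browser's Basic credential cache."""

    def __init__(self):
        # origin -> {directory: (realm, Authorization header value)}
        self._spaces = {}

    def learn(self, challenge_url, realm, user, password):
        """Remember credentials for the protection space of a 401 URL."""
        origin, directory = protection_space(challenge_url)
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        self._spaces.setdefault(origin, {})[directory] = (realm, "Basic " + token)

    def authorization_header(self, request_url):
        """Header to send preemptively, or None if the URL is outside every
        known protection space (the server will then challenge again)."""
        parts = urlsplit(request_url)
        origin = "%s://%s" % (parts.scheme, parts.netloc)
        path = parts.path or "/"
        spaces = self._spaces.get(origin, {})
        matches = [d for d in spaces if path.startswith(d)]
        if not matches:
            return None
        return spaces[max(matches, key=len)][1]  # most specific directory wins


if __name__ == "__main__":
    client = BasicAuthClient()
    # Constructed response: the root PAS challenges while the admin is
    # working inside /site1, so the learned space is /site1/ only.
    realm = parse_basic_challenge(401, {"WWW-Authenticate": 'Basic realm="Zope"'})
    client.learn("https://zmi.example.com/site1/manage_main", realm, "admin", "secret")
    for url in [
        "https://zmi.example.com/site1/acl_users/manage_main",
        "https://zmi.example.com/site2/manage_main",
        "https://zmi.example.com/manage_main",
    ]:
        sent = client.authorization_header(url) is not None
        print(url, "->", "Authorization sent" if sent else "no credentials, expect a new challenge")
```

Running the script shows that credentials learned at /site1/manage_main are resent for anything under /site1/ but not for /site2/ or the root, which is the situation the comment above describes. When checking in the browser's developer tools, the two things to look at for each request are whether an Authorization header is present and whether the response is a 401 with WWW-Authenticate or a redirect to a login form; only the former is something the browser can reuse. Real browsers do not all follow the RFC rule exactly, so the sniffer check is still the authoritative one.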

georgpfolz commented 3 years ago

> I would use a request sniffer

I will do that. As I didn't think of it as a browser issue, I didn't test it on different browsers. I have those problems on Safari, maybe they don't even occur in other browsers.