incubator-syncope-user mailing list archives

From Francesco Chicchiriccò <ilgro...@apache.org>
Subject Re: Users & roles
Date Fri, 30 Mar 2012 13:28:43 GMT
On 30/03/2012 15:25, Fabio Martelli wrote:
> On 30/mar/2012, at 15.22, Colm O hEigeartaigh wrote:
>> Hi Fabio,
>>
>>> I agree with you.
>>>
>>> In this case I'd follow the steps below:
>>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>>> 2. verify password by calling the method verifyPassword provided by the userController
>>>
>>> What do you think?
>> Could we add a duplicate verifyPassword method to UserController that
>> takes the username/password instead of userId/password? The latter
>> requires the application to find the user Id first and then check the
>> password, whereas the former only requires one step to accomplish
>> third-party authentication.
> Sure! I think we must.

Actually, I think that this verifyPassword() taking userId as argument
is an ancient residual of the times where there was no username: in my
opinion the current method can be removed and a new one taking username
and password as parameters must be added.

Regards.

> On Fri, Mar 30, 2012 at 2:17 PM, Fabio Martelli
> <fabio.martelli@gmail.com> wrote:
>>> On 30/mar/2012, at 15.09, Colm O hEigeartaigh wrote:
>>>
>>>> Hi Fabio,
>>>>
>>>>> Further, you have the method verifyPassword provided by UserController that
>>>>> could be used to verify userid/password.
>>>>> This method, for security reasons, can be called only by a user with USER_READ
>>>>> capability.
>>>> Consider the use-case as mentioned by Bob, where you have a third
>>>> party application which receives login credentials and wishes to
>>>> authenticate the user, and retrieve the roles associated with that
>>>> user for authorization. If the application logs on with the received
>>>> username/password, then it is assuming that the given user has a
>>>> USER_READ entitlement. IMO the application would log on with its own
>>>> credentials, and wish to authenticate the given username/password via
>>>> some kind of "authenticateUser" method as I mentioned before.
>>>>
>>>> Do you see a use-case for this kind of functionality or am I missing something?
>>> I agree with you.
>>>
>>> In this case I'd follow the steps below:
>>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>>> 2. verify password by calling the method verifyPassword provided by the userController
>>>
>>> What do you think?
>>>
>>>>> Actually users have only the roles explicitly assigned.
>>>> The question is whether it is possible to easily retrieve the
>>>> hierarchy of roles for a particular user (or the authenticated user)?
>>>>
>>>> Thanks,
>>>>
>>>> Colm.
-- 
Francesco Chicchiriccò

Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
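As an added illustration (this is not code from the thread, nor Apache Syncope's own UserController), the sketch below models the design being discussed: a third-party application logs in with its own service account holding USER_READ, then verifies an end user's password in one step by username rather than by userId, and reads that user's roles. Names such as `UserController`, `verify_password`, `roles_of`, the `Role.parent` hierarchy and the sample users are assumptions made for this example; the password-hashing, the constant-time comparison and the dummy hash for unknown usernames are the checks a defender would want in such an endpoint.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    """A role that may inherit from a parent role (hypothetical hierarchy)."""
    name: str
    parent: "Role | None" = None

    def ancestors(self) -> list:
        """Walk the parent chain from the nearest parent upwards."""
        chain, current = [], self.parent
        while current is not None:
            chain.append(current)
            current = current.parent
        return chain


@dataclass
class User:
    user_id: int
    username: str
    salt: bytes
    password_hash: bytes
    roles: list = field(default_factory=list)       # explicitly assigned roles
    entitlements: set = field(default_factory=set)  # e.g. {"USER_READ"}


class PermissionDenied(Exception):
    """Raised when the caller lacks the entitlement an operation requires."""


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the user store never holds plain passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(user_id, username, password, roles=(), entitlements=()) -> User:
    salt = os.urandom(16)
    return User(user_id, username, salt, hash_password(password, salt),
                list(roles), set(entitlements))


class UserController:
    """Hypothetical controller: a caller holding USER_READ verifies end-user
    credentials on behalf of a third-party application."""

    def __init__(self, users):
        self._by_name = {u.username: u for u in users}
        # Dummy salt/hash used when the username is unknown, so a lookup miss
        # costs the same as a wrong password and does not reveal which usernames exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def _require(self, caller: User, entitlement: str) -> None:
        if entitlement not in caller.entitlements:
            raise PermissionDenied(f"{caller.username} lacks {entitlement}")

    def verify_password(self, caller: User, username: str, password: str) -> bool:
        """One-step check keyed by username, the shape proposed in the thread."""
        self._require(caller, "USER_READ")
        user = self._by_name.get(username)
        salt = user.salt if user else self._dummy_salt
        expected = user.password_hash if user else self._dummy_hash
        match = hmac.compare_digest(hash_password(password, salt), expected)
        return match and user is not None

    def roles_of(self, caller: User, username: str, include_inherited: bool = False) -> list:
        """Roles explicitly assigned to the user, optionally with their ancestors."""
        self._require(caller, "USER_READ")
        user = self._by_name[username]
        names = [r.name for r in user.roles]
        if include_inherited:
            for role in user.roles:
                for ancestor in role.ancestors():
                    if ancestor.name not in names:
                        names.append(ancestor.name)
        return names


def build_demo_controller():
    """Constructed sample data for the example, not taken from any real deployment."""
    employee = Role("employee")
    developer = Role("developer", parent=employee)
    alice = make_user(1, "alice", "correct horse battery staple", roles=[developer])
    # The third-party application's own service account, holding USER_READ.
    portal = make_user(100, "portal-app", "app-secret", entitlements={"USER_READ"})
    return UserController([alice, portal]), portal, alice


if __name__ == "__main__":
    ctl, portal, alice = build_demo_controller()
    print(ctl.verify_password(portal, "alice", "correct horse battery staple"))  # True
    print(ctl.roles_of(portal, "alice", include_inherited=True))  # ['developer', 'employee']
```

Note that the end user `alice` has no USER_READ entitlement, so logging the application in with the received username/password (the pattern Colm warns against) would be refused by `_require`; only the application's own service account can drive the check. The `include_inherited` flag is purely illustrative of the role-hierarchy question raised at the end of the thread and does not describe how any real product resolves roles.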

