incubator-syncope-user mailing list archives

From Fabio Martelli
Subject Re: Users & roles
Date Fri, 30 Mar 2012 13:17:14 GMT

On 30 Mar 2012, at 15:09, Colm O hEigeartaigh wrote:

> Hi Fabio,
>> Further, you have the method verifyPassword provided by UserController that
>> could be used to verify userid/password.
>> This method, for security reasons, can be called only by a user with USER_READ
>> capability.
> Consider the use-case as mentioned by Bob, where you have a third
> party application which receives login credentials and wishes to
> authenticate the user, and retrieve the roles associated with that
> user for authorization. If the application logs on with the received
> username/password, then it is assuming that the given user has a
> USER_READ entitlement. IMO the application would log on with its own
> credentials, and wish to authenticate the given username/password via
> some kind of "authenticateUser" method as I mentioned before.
> Do you see a use-case for this kind of functionality or am I missing something?

I agree with you.

In this case I'd follow the steps below:
1. authenticate the third party application with an administrator (or user with USER_READ
2. verify password by calling the method verifyPassword provided by the userController

What do you think?

>> Actually users have only the roles explicitly assigned.
> The question is whether it is possible to easily retrieve the
> hierarchy of roles for a particular user (or the authenticated user)?
> Thanks,
> Colm.
