incubator-syncope-user mailing list archives

From Fabio Martelli <fabio.marte...@gmail.com>
Subject Re: Users & roles
Date Fri, 30 Mar 2012 12:50:27 GMT

On 30/Mar/2012, at 14.29, Colm O hEigeartaigh wrote:

> Hi Bob,
> 
> I've been running into similar issues.
> 
>> - /auth/getentitlements doesn't give me the roles of the connected user
> 
> It gives you the list of entitlements associated with the roles of the
> connected user. Perhaps this controller should also have a similar
> method for returning a list of role names of the connected user as
> well?

You can probably get the required information by using UserRequestController (see below).

> A question I have is whether the list of entitlements is only for the
> child roles or all of the entitlements associated with the role
> hierarchy?

https://issues.apache.org/jira/browse/SYNCOPE-48

> 
>> - /user/read?username=user : gives me the user but only if I
>> authenticated with a user that has the possibility to read other users
>> as well. This means I should have some kind of administration
>> connection to core instead of a user specific connection?
> 
> Yes I think so. Your Tomcat user account should have the ability to
> read users/roles etc., and you authenticate as this user. I think
> there should possibly be an "authenticateUser" method or something
> similar that takes in a username/password and returns true or false
> depending on if there is a matching user in Syncope.

You can read data about the authenticated user by calling
.../syncope/rest/user/request/read/self.xml
This method is provided by the UserRequestController.

Further, you have the method verifyPassword provided by UserController that could be used
to verify userid/password.
This method, for security reasons, can be called only by a user with USER_READ capability.

>> - if there are hierarchical roles, I only get the child role. I
>> suppose I have to walk the tree myself to retrieve the other roles?
>> i.e. based on response to role/list request?
> 
> IMO there should be an easy way to get all roles of the user rather
> than having to walk the tree.

Actually, users only have the roles explicitly assigned.

Regards,
F.

> 
> Colm.
> 
> On Fri, Mar 30, 2012 at 12:42 PM, Bob Lannoy <bob.lannoy@gmail.com> wrote:
>> Hi,
>> 
>> suppose I have users & hierarchical roles in Syncope and an external
>> system (tomcat webapp) that needs to authenticate those users and get
>> the roles.
>> Can you give me an indication on how I would go about this?
>> 
>> I did some preliminary tests:
>> - I can do an authentication to core using basic auth, but I saw that
>> the user object also contains the hashed password of the user
>> - /auth/getentitlements doesn't give me the roles of the connected user
>> - /user/read?username=user : gives me the user but only if I
>> authenticated with a user that has the possibility to read other users
>> as well. This means I should have some kind of administration
>> connection to core instead of a user specific connection?
>> - if there are hierarchical roles, I only get the child role. I
>> suppose I have to walk the tree myself to retrieve the other roles?
>> i.e. based on response to role/list request?
>> regards
>> 
>> Bob
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
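As an added example (not code from this thread or from Syncope itself), a small Python client for the approach Fabio describes: the external webapp lets the user authenticate with their own credentials against .../user/request/read/self.xml, takes the role names from the memberships, and never keeps the password hash that Bob noticed in the user object, so no admin account or other user's record is involved. The base URL and the XML element names (user, username, password, memberships/membership/roleName) are assumptions about the Syncope 1.0 response format, and the sample document is constructed.

```python
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Assumption (not from the thread): base URL of the Syncope core REST interface.
SYNCOPE_BASE = "http://localhost:8080/syncope/rest"


def user_view_from_xml(body):
    """Reduce a UserTO XML document to what the webapp actually needs: the
    username and the directly assigned role names. The <password> element
    (the hash Bob saw) is deliberately never read, so it cannot end up in
    the webapp's session or logs. Element names are an assumed format."""
    root = ET.fromstring(body)
    roles = [m.findtext("roleName") for m in root.iter("membership")]
    return {
        "username": root.findtext("username"),
        "roles": [r for r in roles if r],
    }


def authenticate_and_get_roles(username, password, base_url=SYNCOPE_BASE):
    """Authenticate an end user with their own credentials (HTTP basic auth)
    against the read/self endpoint. Returns the reduced user view, or None if
    Syncope rejects the credentials, so no admin credentials are needed."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/user/request/read/self.xml",
        headers={"Authorization": "Basic " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return user_view_from_xml(resp.read())
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return None  # wrong password or unknown user: failed login
        raise


# Constructed sample of what read/self.xml is assumed to return for "bob".
SAMPLE_USER_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<user>
  <id>1</id>
  <username>bob</username>
  <password>constructed-hash-value-not-real</password>
  <memberships>
    <membership><roleId>2</roleId><roleName>child</roleName></membership>
    <membership><roleId>5</roleId><roleName>employee</roleName></membership>
  </memberships>
</user>"""
```

Running user_view_from_xml(SAMPLE_USER_XML) offline yields {"username": "bob", "roles": ["child", "employee"]}; only the directly assigned roles appear, matching Fabio's remark that users carry exactly the roles explicitly assigned.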

