From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Users & roles
Date Fri, 30 Mar 2012 13:22:44 GMT
Hi Fabio,

> I agree with you.
>
> In this case I'd follow the steps below:
> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
> 2. verify password by calling the method verifyPassword provided by the UserController
>
> What do you think about it?

Could we add a duplicate verifyPassword method to UserController that
takes the username/password instead of userId/password? The latter
requires the application to find the user Id first and then check the
password, whereas the former only requires one step to accomplish
third-party authentication.

Colm.

On Fri, Mar 30, 2012 at 2:17 PM, Fabio Martelli
<fabio.martelli@gmail.com> wrote:
>
> On 30 Mar 2012, at 15:09, Colm O hEigeartaigh wrote:
>
>> Hi Fabio,
>>
>>> Further, you have the method verifyPassword provided by UserController that
>>> could be used to verify userid/password.
>>> This method, for security reasons, can be called only by a user with USER_READ
>>> capability.
>>
>> Consider the use-case as mentioned by Bob, where you have a third
>> party application which receives login credentials and wishes to
>> authenticate the user, and retrieve the roles associated with that
>> user for authorization. If the application logs on with the received
>> username/password, then it is assuming that the given user has a
>> USER_READ entitlement. IMO the application would log on with its own
>> credentials, and wish to authenticate the given username/password via
>> some kind of "authenticateUser" method as I mentioned before.
>>
>> Do you see a use-case for this kind of functionality or am I missing something?
>
> I agree with you.
>
> In this case I'd follow the steps below:
> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
> 2. verify password by calling the method verifyPassword provided by the UserController
>
> What do you think about it?
>
>>> Actually users have only the roles explicitly assigned.
>>
>> The question is whether it is possible to easily retrieve the
>> hierarchy of roles for a particular user (or the authenticated user)?
>>
>> Thanks,
>>
>> Colm.
>
-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
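The flow Fabio and Colm agree on, sketched as an added Python model rather than Syncope code: the third-party application signs on with its own account, calls a verifyPassword that is gated on the USER_READ entitlement, and then fetches the role hierarchy Colm asks about at the end of the thread. It shows both shapes of the call, the existing userId/password form and the username/password form Colm proposes. Everything here is hypothetical except the names verifyPassword and USER_READ: the Directory, Role and User classes, the login and role_hierarchy methods, the PBKDF2 hashing and the sample accounts are constructed for the illustration and are not the project's API.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Set

USER_READ = "USER_READ"  # entitlement name used in the thread

@dataclass(frozen=True)
class Role:
    # Hypothetical role model: each role has at most one parent, which gives the hierarchy.
    name: str
    parent: Optional["Role"] = None

@dataclass
class User:
    user_id: int
    username: str
    salt: bytes
    pw_hash: bytes
    roles: List[Role]      # only the roles explicitly assigned, as Fabio describes
    entitlements: Set[str]

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real store uses; only hashes are ever compared.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class Directory:
    # Constructed in-memory user store (hypothetical).
    def __init__(self) -> None:
        self.by_id = {}
        self.by_name = {}
        self._dummy_salt = os.urandom(16)

    def add_user(self, username, password, roles, entitlements=()):
        salt = os.urandom(16)
        user = User(len(self.by_id) + 1, username, salt,
                    hash_password(password, salt), list(roles), set(entitlements))
        self.by_id[user.user_id] = user
        self.by_name[username] = user
        return user

    def check_password(self, user: Optional[User], password: str) -> bool:
        if user is None:
            hash_password(password, self._dummy_salt)  # same cost for unknown names
            return False
        return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)

class UserController:
    # Hypothetical stand-in for the controller discussed in the thread.
    def __init__(self, directory: Directory) -> None:
        self.directory = directory

    def login(self, username: str, password: str) -> User:
        # How a caller, e.g. the third-party application with its own account, signs on.
        user = self.directory.by_name.get(username)
        if not self.directory.check_password(user, password):
            raise PermissionError("bad credentials")
        return user

    def _require(self, caller: User, entitlement: str) -> None:
        if entitlement not in caller.entitlements:
            raise PermissionError(f"{caller.username} lacks {entitlement}")

    def verify_password(self, caller: User, user_id: int, password: str) -> bool:
        # Existing shape per the thread: the caller must already know the user id.
        self._require(caller, USER_READ)
        return self.directory.check_password(self.directory.by_id.get(user_id), password)

    def verify_password_by_username(self, caller: User, username: str, password: str) -> bool:
        # The one-step form Colm proposes: the username lookup happens inside the call.
        self._require(caller, USER_READ)
        return self.directory.check_password(self.directory.by_name.get(username), password)

    def role_hierarchy(self, caller: User, username: str) -> List[str]:
        # Assigned roles plus every ancestor, nearest first, each listed once.
        self._require(caller, USER_READ)
        user = self.directory.by_name.get(username)
        names: List[str] = []
        for role in (user.roles if user else []):
            while role is not None and role.name not in names:
                names.append(role.name)
                role = role.parent
        return names

def third_party_login(controller, app_user, app_password, end_username, end_password):
    # The flow from the thread: the application authenticates with its own credentials,
    # then verifies the end user's password and fetches that user's role hierarchy.
    app = controller.login(app_user, app_password)
    if not controller.verify_password_by_username(app, end_username, end_password):
        return None
    return controller.role_hierarchy(app, end_username)

def attempt_verify(controller, caller, username, password):
    # True/False from the check, or "denied" when the caller lacks USER_READ.
    try:
        return controller.verify_password_by_username(caller, username, password)
    except PermissionError:
        return "denied"

def build_demo() -> UserController:
    # Constructed sample data: a service account holding USER_READ and one end user.
    d = Directory()
    everyone = Role("everyone")
    staff = Role("staff", everyone)
    developer = Role("developer", staff)
    d.add_user("portal-app", "app-secret", [], entitlements={USER_READ})
    d.add_user("alice", "alice-pw", [developer])
    return UserController(d)
```

The detail worth noticing is where the entitlement check sits. A session opened with the end user's own credentials cannot call verifyPassword (alice holds no USER_READ), which is exactly why the application has to sign on with its own account first; and with the username form the application never has to resolve a user id before it can check the password.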
