incubator-syncope-user mailing list archives

From Fabio Martelli <fabio.marte...@gmail.com>
Subject Re: Users & roles
Date Fri, 30 Mar 2012 13:25:02 GMT

On 30 Mar 2012, at 15:22, Colm O hEigeartaigh wrote:

> Hi Fabio,
> 
>> I agree with you.
>> 
>> In this case I'd follow the steps below:
>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>> 2. verify password by calling the method verifyPassword provided by the userController
>> 
>> What do you think about it?
> 
> Could we add a duplicate verifyPassword method to UserController that
> takes the username/password instead of userId/password? The latter
> requires the application to find the user Id first and then check the
> password, whereas the former only requires one step to accomplish
> third-party authentication.

Sure! I think we must.
Regards,
F.

> 
> Colm.
> 
> On Fri, Mar 30, 2012 at 2:17 PM, Fabio Martelli
> <fabio.martelli@gmail.com> wrote:
>> 
>> On 30 Mar 2012, at 15:09, Colm O hEigeartaigh wrote:
>> 
>>> Hi Fabio,
>>> 
>>>> Further, you have the method verifyPassword provided by UserController that
>>>> could be used to verify userid/password.
>>>> This method, for security reasons, can be called only by a user with USER_READ
>>>> capability.
>>> 
>>> Consider the use-case as mentioned by Bob, where you have a third
>>> party application which receives login credentials and wishes to
>>> authenticate the user, and retrieve the roles associated with that
>>> user for authorization. If the application logs on with the received
>>> username/password, then it is assuming that the given user has a
>>> USER_READ entitlement. IMO the application would log on with its own
>>> credentials, and wish to authenticate the given username/password via
>>> some kind of "authenticateUser" method as I mentioned before.
>>> 
>>> Do you see a use-case for this kind of functionality or am I missing something?
>> 
>> I agree with you.
>> 
>> In this case I'd follow the steps below:
>> 1. authenticate the third party application with an administrator (or user with USER_READ capability)
>> 2. verify password by calling the method verifyPassword provided by the userController
>> 
>> What do you think about it?
>> 
>>>> Actually users have only the roles explicitly assigned.
>>> 
>>> The question is whether it is possible to easily retrieve the
>>> hierarchy of roles for a particular user (or the authenticated user)?
>>> 
>>> Thanks,
>>> 
>>> Colm.
>> 
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
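
The flow agreed in this thread (the application logs on with its own account holding USER_READ, then checks the received username/password in a single call), as an added example that is not part of the original messages and is not Syncope code. `Directory`, `login`, `build_demo` and the account names are hypothetical; only the `USER_READ` name and the verifyPassword-by-username idea come from the thread, and the equal-cost handling of unknown usernames is an addition of this sketch.

```python
import hashlib
import hmac
import os

USER_READ = "USER_READ"  # entitlement name used in the thread


class Directory:
    """In-memory stand-in for the identity store; hypothetical, not Syncope code."""

    def __init__(self):
        self._accounts = {}  # username -> (salt, password hash, entitlements)
        self._pad_salt = os.urandom(16)

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, username, password, entitlements=()):
        salt = os.urandom(16)
        self._accounts[username] = (salt, self._kdf(password, salt), frozenset(entitlements))

    def _check(self, username, password):
        record = self._accounts.get(username)
        if record is None:
            # Run the KDF anyway so unknown usernames cost the same as known ones.
            self._kdf(password, self._pad_salt)
            return None
        salt, stored, entitlements = record
        ok = hmac.compare_digest(self._kdf(password, salt), stored)
        return entitlements if ok else None

    def login(self, username, password):
        """Authenticate the caller itself; returns its entitlements."""
        entitlements = self._check(username, password)
        if entitlements is None:
            raise PermissionError("authentication failed")
        return entitlements

    def verify_password(self, caller_entitlements, username, password):
        """One-step check by username, allowed only to a USER_READ caller."""
        if USER_READ not in caller_entitlements:
            raise PermissionError("caller lacks USER_READ")
        return self._check(username, password) is not None


def build_demo():
    """Constructed sample accounts: one service account, one ordinary user."""
    d = Directory()
    d.add("portal-app", "app-secret", [USER_READ])
    d.add("bob", "bob-password")
    return d
```

An ordinary user who logs on with their own credentials gets no USER_READ entitlement here, so `verify_password` refuses them; only the application's service account can check other users' passwords.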

