From: Colm O hEigeartaigh
To: syncope-user@incubator.apache.org
Subject: Re: Users & roles
Date: Fri, 30 Mar 2012 13:29:47 +0100

Hi Bob,

I've been running into similar issues.

> - /auth/getentitlements doesn't give me the roles of the connected user

It gives you the list of entitlements associated with the roles of the connected user. Perhaps this controller should also have a similar method for returning a list of role names of the connected user as well? A question I have is whether the list of entitlements is only for the child roles or all of the entitlements associated with the role hierarchy?

> - /user/read?username=user : gives me the user but only if I
> authenticated with a user that has the possibility to read other users
> as well. This means I should have some kind of administration
> connection to core instead of a user specific connection?

Yes, I think so. Your Tomcat user account should have the ability to read users/roles etc., and you authenticate as this user. I think there should possibly be an "authenticateUser" method or something similar that takes in a username/password and returns true or false depending on if there is a matching user in Syncope.

> - if there are hierarchical roles, I only get the child role. I
> suppose I have to walk the tree myself to retrieve the other roles?
> i.e. based on response to role/list request?

IMO there should be an easy way to get all roles of the user rather than having to walk the tree.

Colm.

On Fri, Mar 30, 2012 at 12:42 PM, Bob Lannoy wrote:
> Hi,
>
> suppose I have users & hierarchical roles in Syncope and an external
> system (tomcat webapp) that needs to authenticate those users and get
> the roles.
> Can you give me an indication on how I would go about this?
>
> I did some preliminary tests:
> - I can do an authentication to core using basic auth, but I saw that
> the user object also contains the hashed password of the user
> - /auth/getentitlements doesn't give me the roles of the connected user
> - /user/read?username=user : gives me the user but only if I
> authenticated with a user that has the possibility to read other users
> as well. This means I should have some kind of administration
> connection to core instead of a user specific connection?
> - if there are hierarchical roles, I only get the child role. I
> suppose I have to walk the tree myself to retrieve the other roles?
> i.e. based on response to role/list request?
>
> regards
>
> Bob

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com