On 30/03/2012 15:25, Fabio Martelli wrote:
> On 30/mar/2012, at 15.22, Colm O hEigeartaigh wrote:
>> Hi Fabio,
>>
>>> I agree with you.
>>>
>>> In this case I'd follow the steps below:
>>> 1. authenticate the third party application with an administrator (or user
>>> with USER_READ capability)
>>> 2. verify password by calling the method verifyPassword provided by the
>>> userController
>>>
>>> What do you think about it?
>> Could we add a duplicate verifyPassword method to UserController that
>> takes the username/password instead of userId/password? The latter
>> requires the application to find the user Id first and then check the
>> password, whereas the former only requires one step to accomplish
>> third-party authentication.
> Sure! I think we must.

Actually, I think that this verifyPassword() taking userId as an argument is an ancient residual of the times when there was no username: in my opinion the current method can be removed and a new one taking username and password as parameters must be added.

Regards.

> On Fri, Mar 30, 2012 at 2:17 PM, Fabio Martelli
> <[email protected]> wrote:
>>> On 30/mar/2012, at 15.09, Colm O hEigeartaigh wrote:
>>>
>>>> Hi Fabio,
>>>>
>>>>> Further, you have the method verifyPassword provided by UserController
>>>>> that could be used to verify userid/password.
>>>>> This method, for security reasons, can be called only by a user with
>>>>> USER_READ capability.
>>>> Consider the use-case as mentioned by Bob, where you have a third
>>>> party application which receives login credentials and wishes to
>>>> authenticate the user, and retrieve the roles associated with that
>>>> user for authorization. If the application logs on with the received
>>>> username/password, then it is assuming that the given user has a
>>>> USER_READ entitlement. IMO the application would log on with its own
>>>> credentials, and wish to authenticate the given username/password via
>>>> some kind of "authenticateUser" method as I mentioned before.
>>>>
>>>> Do you see a use-case for this kind of functionality or am I missing
>>>> something?
>>> I agree with you.
>>>
>>> In this case I'd follow the steps below:
>>> 1. authenticate the third party application with an administrator (or user
>>> with USER_READ capability)
>>> 2. verify password by calling the method verifyPassword provided by the
>>> userController
>>>
>>> What do you think about it?
>>>
>>>>> Actually users have only the roles explicitly assigned.
>>>> The question is whether it is possible to easily retrieve the
>>>> hierarchy of roles for a particular user (or the authenticated user)?
>>>>
>>>> Thanks,
>>>>
>>>> Colm.
-- Francesco Chicchiriccò Apache Cocoon PMC and Apache Syncope PPMC Member http://people.apache.org/~ilgrosso/
