Hi Francesco,
> Actually, I think that this verifyPassword() taking userId as argument
> is an ancient residual of the times where there was no username: in my
> opinion the current method can be removed and a new one taking username
> and password as parameters must be added.
A quick query on this change - this is similar to the "readByUsername"
issue, where you must add the ".json" suffix, e.g.
"user/verifyPassword/{username}.json?password=..." or else any
username with periods will get truncated. Is this OK, do you reckon?
Colm.
2012/3/30 Francesco Chicchiriccò <[email protected]>:
> On 30/03/2012 15:25, Fabio Martelli wrote:
>> On 30/Mar/2012, at 15:22, Colm O hEigeartaigh wrote:
>>> Hi Fabio,
>>>
>>>> I agree with you.
>>>>
>>>> In this case I'd follow the steps below:
>>>> 1. authenticate the third party application with an administrator (or user
>>>> with USER_READ capability)
>>>> 2. verify password by calling the method verifyPassword provided by the
>>>> userController
>>>>
>>>> What do you think about it?
>>> Could we add a duplicate verifyPassword method to UserController that
>>> takes the username/password instead of userId/password? The latter
>>> requires the application to find the user Id first and then check the
>>> password, whereas the former only requires one step to accomplish
>>> third-party authentication.
>> Sure! I think we must.
>
> Actually, I think that this verifyPassword() taking userId as argument
> is an ancient residual of the times where there was no username: in my
> opinion the current method can be removed and a new one taking username
> and password as parameters must be added.
>
> Regards.
>
>> On Fri, Mar 30, 2012 at 2:17 PM, Fabio Martelli
>> <[email protected]> wrote:
>>>> On 30/Mar/2012, at 15:09, Colm O hEigeartaigh wrote:
>>>>
>>>>> Hi Fabio,
>>>>>
>>>>>> Further, you have the method verifyPassword provided by UserController
>>>>>> that could be used to verify userid/password.
>>>>>> This method, for security reasons, can be called only by a user with
>>>>>> USER_READ capability.
>>>>> Consider the use-case as mentioned by Bob, where you have a third
>>>>> party application which receives login credentials and wishes to
>>>>> authenticate the user, and retrieve the roles associated with that
>>>>> user for authorization. If the application logs on with the received
>>>>> username/password, then it is assuming that the given user has a
>>>>> USER_READ entitlement. IMO the application would log on with its own
>>>>> credentials, and wish to authenticate the given username/password via
>>>>> some kind of "authenticateUser" method as I mentioned before.
>>>>>
>>>>> Do you see a use-case for this kind of functionality or am I missing
>>>>> something?
>>>> I agree with you.
>>>>
>>>> In this case I'd follow the steps below:
>>>> 1. authenticate the third party application with an administrator (or user
>>>> with USER_READ capability)
>>>> 2. verify password by calling the method verifyPassword provided by the
>>>> userController
>>>>
>>>> What do you think about it?
>>>>
>>>>>> Actually, users only have the roles explicitly assigned.
>>>>> The question is whether it is possible to easily retrieve the
>>>>> hierarchy of roles for a particular user (or the authenticated user)?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Colm.
> --
> Francesco Chicchiriccò
>
> Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com