On Wed, Feb 9, 2011 at 3:34 PM, Dimuthu Leelarathne <[email protected]> wrote:

> Hi,
>
> We authenticate users at different levels.
>
> AuthenticationAdmin (Admin service layer)
> -This is Admin Console oriented
> -We check whether username password match and check whether he has login
> permission to Admin console
> -An admin session is created at the server
> -And we store details in this session
>
> Authenticate users to services/webapps hosted within the server
> -We check whether username password match
> -We check whether the user has permission to access the service
>
> At the bottom of all this, UserStoreManager authenticates by checking
> username/password match. Here there are no permission checks, as they have no meaning.
>
> What you need is another implementation. It needs to check
> username/password match and it should be available remotely and no
> permission checks required. We have remote-usermanager which does this. Or a
> new implementation.
>
> So I think authentication admin serves a special purpose (i.e. login
> to Admin console) that requires login permission while your requirement is
> different.
>

This is the way it checks for the authorization:

    boolean isAuthorized = realm.getAuthorizationManager().isUserAuthorized(
            username, "/permission/admin/login",
            CarbonConstants.UI_PERMISSION_ACTION); // ui.execute

It has used the permission name as the resource name. Normally a permission
should always be associated with a resource.

So I think it is better to remove this check and consider that the user has logged in.

thanks,
Amila.



>
> tx,
> DimuthuL
>
> On Wed, Feb 9, 2011 at 9:08 AM, Prabath Siriwardana <[email protected]> wrote:
>
>> I guess checking login permission while authenticating is not quite
>> correct.. This was fine until users authenticating to login to the
>> Carbon Management Console.
>>
>> But that is not the case always..
>>
>> For example there can be a case - we need to deploy Identity Server
>> over an LDAP and a  different web app calling IS authentication admin
>> service to authenticate users..
>>
>> And these users should not have login permission to login to IS
>> Management Console..
>>
>> WDYT?
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> http://blog.facilelogin.com
>> http://RampartFAQ.com
>> _______________________________________________
>> Carbon-dev mailing list
>> [email protected]
>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>
>
>
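Added example (not part of the thread and not WSO2 Carbon code): a minimal Java model of the layering discussed above, where credential verification is one operation and the console-login permission check is a separate step applied only by the console entry point. The class, method names, the "invoke" action, and the sample users and grants are hypothetical; only the "/permission/admin/login" resource and "ui.execute" action come from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

// Hypothetical model; these are not WSO2 Carbon types.
public class AuthLayers {
    // Constructed sample data. Plain passwords keep the example short;
    // a real user store compares salted password hashes.
    static final Map<String, String> USERS = Map.of("alice", "a-secret", "bob", "b-secret");
    // Grants as "user|resource|action". bob has no console-login grant.
    static final Set<String> GRANTS = Set.of(
            "alice|/permission/admin/login|ui.execute",
            "bob|/services/orders|invoke");

    // Bottom layer (the UserStoreManager role): credential match only.
    static boolean authenticate(String user, String password) {
        String stored = USERS.get(user);
        if (stored == null || password == null) return false;
        // Constant-time comparison of the two byte arrays.
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    // Authorization is a separate question: may this user do action on resource?
    static boolean isUserAuthorized(String user, String resource, String action) {
        return GRANTS.contains(user + "|" + resource + "|" + action);
    }

    // Console entry point: authentication plus the login permission.
    static boolean loginToConsole(String user, String password) {
        return authenticate(user, password)
                && isUserAuthorized(user, "/permission/admin/login", "ui.execute");
    }

    // Service entry point: authentication plus permission on that service.
    static boolean accessService(String user, String password, String service) {
        return authenticate(user, password) && isUserAuthorized(user, service, "invoke");
    }

    public static void main(String[] args) {
        // bob is a valid user for remote callers, but must not reach the console.
        System.out.println("bob authenticates:   " + authenticate("bob", "b-secret"));
        System.out.println("bob console login:   " + loginToConsole("bob", "b-secret"));
        System.out.println("bob orders service:  " + accessService("bob", "b-secret", "/services/orders"));
        System.out.println("alice console login: " + loginToConsole("alice", "a-secret"));
        System.out.println("bob wrong password:  " + authenticate("bob", "guess"));
    }
}
```

A remote caller that only needs a yes/no on credentials would be given `authenticate` alone; the console keeps its extra permission check without that check leaking into every other authentication path.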