Aaron Coburn created VCL-608:
--------------------------------
Summary: XMLRPC interface inaccessible to Shibboleth-authenticated users
Key: VCL-608
URL: https://issues.apache.org/jira/browse/VCL-608
Project: VCL
Issue Type: Improvement
Components: web gui (frontend)
Affects Versions: 2.3
Reporter: Aaron Coburn
Assignee: Aaron Coburn
Priority: Minor

It would be, in certain cases, useful for Shibboleth-authenticated users to
have access to the XMLRPC interface.

If an external web application (e.g. Moodle) were to use the remote API and if
the corresponding user is authenticated in the VCL via Shibboleth, then there
are two reasons why this currently fails. First, a Shibbolized VCL knows
nothing about a user's password and would not be able to authenticate a user
based on that. Second, there is no means for handling a user from an
affiliation with 'type' => 'redirect' (specified in $authMechs) in the
utils.php:checkAccess() function.

If the password field is, instead, an authentication token known only
(internally) by the remote application, and if authentication requests must
pass through an IP-based filter, then it is possible to retain a sufficiently
high level of security in the application, while allowing remote applications
to make reservation requests on behalf of Shibboleth users. The verification
function could be defined in conf.php and therefore controlled by the local VCL
administrator.
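One way the verification function proposed in the issue could look, as an added example that is not part of the original report and not VCL code. The names `$xmlrpcTrustedApps`, `ipInCidr` and `verifyRemoteAppToken`, the sample token and the documentation-range addresses are all hypothetical or constructed; it assumes PHP 5.6 or later (for `hash_equals`), IPv4 sources, and a randomly generated high-entropy token.

```php
<?php
// Added illustration; every name below is hypothetical, not VCL code.

// Constructed sample configuration: one entry per remote application.
$xmlrpcTrustedApps = array(
    'moodle' => array(
        // Store only the SHA-256 of the token, never the token itself.
        'tokenhash'  => hash('sha256', 'constructed-sample-token'),
        'allowedips' => array('192.0.2.10', '198.51.100.0/24'),
    ),
);

// Return true when $ip lies inside $cidr (IPv4; a bare address means /32).
function ipInCidr($ip, $cidr) {
    $parts = explode('/', $cidr, 2);
    $bits = isset($parts[1]) ? (int)$parts[1] : 32;
    $addr = ip2long($ip);
    $net = ip2long($parts[0]);
    if ($addr === false || $net === false || $bits < 0 || $bits > 32)
        return false;
    $mask = ($bits == 0) ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($addr & $mask) === ($net & $mask);
}

// Both checks must pass: the source address filter, then the token.
function verifyRemoteAppToken($apps, $appid, $token, $remoteip) {
    if (!is_string($token) || $token === '' || !isset($apps[$appid]))
        return false;
    $ipok = false;
    foreach ($apps[$appid]['allowedips'] as $cidr) {
        if (ipInCidr($remoteip, $cidr)) {
            $ipok = true;
            break;
        }
    }
    if (!$ipok)
        return false;
    // hash_equals compares in constant time, so response timing does not
    // reveal how many leading characters of a guessed token were right.
    return hash_equals($apps[$appid]['tokenhash'], hash('sha256', $token));
}

// Listed network, correct token.
var_dump(verifyRemoteAppToken($xmlrpcTrustedApps, 'moodle',
                              'constructed-sample-token', '198.51.100.7'));
// Unlisted address presenting the same token.
var_dump(verifyRemoteAppToken($xmlrpcTrustedApps, 'moodle',
                              'constructed-sample-token', '203.0.113.5'));
```

The address passed in should be the connection's actual peer address (`$_SERVER['REMOTE_ADDR']`), not a client-supplied header such as `X-Forwarded-For`, or the IP filter can be bypassed by whoever sets that header.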