[
https://issues.apache.org/jira/browse/VCL-608?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aaron Coburn updated VCL-608:
-----------------------------
Attachment: apiAccess.patch
This file can be used to patch version 2.3 of the VCL, allowing
Shibboleth-delegated access to the remote API.
.ht-inc/utils.php can be patched with this command:

    $ cd /path/to/web/directory
    $ patch -p0 < apiAccess.patch

> XMLRPC interface inaccessible to Shibboleth-authenticated users
> ---------------------------------------------------------------
>
> Key: VCL-608
> URL: https://issues.apache.org/jira/browse/VCL-608
> Project: VCL
> Issue Type: Improvement
> Components: web gui (frontend)
> Affects Versions: 2.3
> Reporter: Aaron Coburn
> Assignee: Aaron Coburn
> Priority: Minor
> Attachments: apiAccess.patch
>
>
> It would be, in certain cases, useful for Shibboleth-authenticated users to
> have access to the XMLRPC interface.
>
> If an external web application (e.g. Moodle) were to use the remote API and
> if the corresponding user is authenticated in the VCL via Shibboleth, then
> there are two reasons why this currently fails. First, a Shibbolized VCL
> knows nothing about a user's password and would not be able to authenticate a
> user based on that. Second, there is no means for handling a user from an
> affiliation with 'type' => 'redirect' (specified in $authMechs) in the
> utils.php:checkAccess() function.
>
> If the password field is, instead, an authentication token known only
> (internally) by the remote application, and if authentication requests must
> pass through an IP-based filter, then it is possible to retain a sufficiently
> high level of security in the application, while allowing remote applications
> to make reservation requests on behalf of Shibboleth users. The verification
> function could be defined in conf.php and therefore controlled by the local
> VCL administrator.
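
An added example, not part of the original message or of apiAccess.patch: one way the verification function described in the issue could look in conf.php, combining the IP-based filter with a token check. The function names, variables, address ranges and token are assumptions made for illustration.

```php
<?php
// Hypothetical conf.php additions; every name and value here is an
// assumption for illustration, not taken from apiAccess.patch.

// Constructed sample data: networks the remote application may call from,
// and the SHA-256 hash of the token issued to each application.
$apiTrustedNets = array('192.0.2.10/32', '198.51.100.0/24');
$apiTokenHashes = array(
    'moodle' => hash('sha256', 'constructed-sample-token'),
);

// True when IPv4 address $ip lies inside the CIDR block $cidr.
function ipInCidr($ip, $cidr) {
    list($net, $bits) = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    // Reject malformed addresses and prefix lengths instead of guessing.
    if ($ipLong === false || $netLong === false || !ctype_digit($bits))
        return false;
    $bits = (int)$bits;
    if ($bits > 32)
        return false;
    if ($bits === 0)
        return true;
    $mask = -1 << (32 - $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Accept a request only if it comes from a trusted network AND the value
// sent in the password field matches the token stored for $app.
// Pass $_SERVER['REMOTE_ADDR'] as $remoteAddr, never a client-set header.
function verifyApiToken($app, $token, $remoteAddr) {
    global $apiTrustedNets, $apiTokenHashes;
    $fromTrustedNet = false;
    foreach ($apiTrustedNets as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) { $fromTrustedNet = true; break; }
    }
    if (!$fromTrustedNet || !is_string($token) || !isset($apiTokenHashes[$app]))
        return false;
    // hash_equals() compares in constant time (PHP 5.6 or later).
    return hash_equals($apiTokenHashes[$app], hash('sha256', $token));
}

// Constructed demo calls: trusted network, untrusted network, wrong token.
var_dump(verifyApiToken('moodle', 'constructed-sample-token', '198.51.100.7'));
var_dump(verifyApiToken('moodle', 'constructed-sample-token', '203.0.113.5'));
var_dump(verifyApiToken('moodle', 'wrong-token', '198.51.100.7'));
```

Storing only the token's hash keeps the secret itself out of conf.php, and checking the address first means a request from outside the allowed networks is refused before any token comparison happens.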