[ https://issues.apache.org/jira/browse/VCL-608?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aaron Coburn resolved VCL-608.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.3.1
                   2.4

A new global array (indexed by affiliationid) is defined: $apiValidateFunc.

If an administrator defines a validation function in conf.php, it becomes 
possible for remote, Shibboleth-based applications to delegate authentication 
over the remote API.
                
> XMLRPC interface inaccessible to Shibboleth-authenticated users
> ---------------------------------------------------------------
>
>                 Key: VCL-608
>                 URL: https://issues.apache.org/jira/browse/VCL-608
>             Project: VCL
>          Issue Type: Improvement
>          Components: web gui (frontend)
>    Affects Versions: 2.3
>            Reporter: Aaron Coburn
>            Assignee: Aaron Coburn
>            Priority: Minor
>             Fix For: 2.4, 2.3.1
>
>         Attachments: apiAccess.patch
>
>
> It would be, in certain cases, useful for Shibboleth-authenticated users to 
> have access to the XMLRPC interface. 
> If an external web application (e.g. Moodle) were to use the remote API and 
> if the corresponding user is authenticated in the VCL via Shibboleth, then 
> there are two reasons why this currently fails. First, a Shibbolized VCL 
> knows nothing about a user's password and would not be able to authenticate a 
> user based on that. Second, there is no means for handling a user from an 
> affiliation with 'type' => 'redirect' (specified in $authMechs) in the 
> utils.php:checkAccess() function.
> If the password field is, instead, an authentication token known only 
> (internally) by the remote application, and if authentication requests must 
> pass through an IP-based filter, then it is possible to retain a sufficiently 
> high level of security in the application, while allowing remote applications 
> to make reservation requests on behalf of Shibboleth users. The verification 
> function could be defined in conf.php and therefore controlled by the local 
> VCL administrator.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
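
The kind of validation function the issue describes (token carried in the password field, checked behind an IP-based filter, registered per affiliation in conf.php), as an added example that is not part of the original message or of the VCL code base. The callback signature, the affiliation id 3, the client addresses, and the names validateShibApiUser, $apiAllowedClients and $apiSharedToken are assumptions; only $apiValidateFunc comes from the message.

```php
<?php
// Added example for conf.php; not VCL project code.
// Assumption: the frontend calls $apiValidateFunc[<affiliationid>] with the
// user id and the contents of the XMLRPC password field.

// Constructed allowlist: addresses of the remote applications (e.g. the
// Moodle host) permitted to act on behalf of Shibboleth users.
$apiAllowedClients = array('192.0.2.10', '192.0.2.11');

// Placeholder: replace with a long random token known only to the remote
// application and to this file. Keep conf.php unreadable to other users.
$apiSharedToken = 'REPLACE-WITH-LONG-RANDOM-TOKEN';

function validateShibApiUser($userid, $token) {
    global $apiAllowedClients, $apiSharedToken;

    // Fail closed when the placeholder was never replaced or the configured
    // token is too short to resist guessing.
    if(! is_string($apiSharedToken) ||
       $apiSharedToken === 'REPLACE-WITH-LONG-RANDOM-TOKEN' ||
       strlen($apiSharedToken) < 32)
        return false;

    // IP-based filter: use the socket peer address. Client-supplied headers
    // such as X-Forwarded-For can be forged and must not be trusted here.
    $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if(! in_array($remote, $apiAllowedClients, true))
        return false;

    // Constant-time comparison of the token from the password field
    // (hash_equals requires PHP 5.6 or later).
    if(! is_string($token) || ! hash_equals($apiSharedToken, $token))
        return false;

    return true;
}

// Register the function for one affiliation (3 is a hypothetical id of an
// affiliation whose $authMechs entry has 'type' => 'redirect').
$apiValidateFunc = array();
$apiValidateFunc[3] = 'validateShibApiUser';
```

With a single shared token, any allowlisted application can request reservations for any user of that affiliation, so the token and the allowlist together define the trust boundary.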
