On Thu, May 26, 2011 at 09:00:13AM -0700, Douglas Cerna wrote:
> Justas:
>
> Jeffrey is developing an application called pyquiz to create tests for his
> students using pyramid. Now, he has this requirement (sorry for flooding):
>
> Jeff Elkner: 1. user points browser at pyquiz
> Jeff Elkner: 2. clicks "login"
> Jeff Elkner: 3. types user name and password
> Jeff Elkner: 4. pyquiz asks ST, is this a valid user?
> Jeff Elkner: 5. ST says yes or no
> Jeff Elkner: if yes, user is logged in
> Jeff Elkner: if no, login fails
> Jeff Elkner: i don't want to create users in two places
> Jeff Elkner: and have to make sure they are in sync somehow
> Jeff Elkner: when a new student is added to ST
> Jeff Elkner: and put in a section
> Jeff Elkner: they can log in to pyquiz
> Jeff Elkner: with no configuration on the pyquiz side
>
> I think an easy solution is to create a small XMLRPC method publisher that
> gets the person and calls checkPassword on it, returning True or False. Then
> we could create a URL for this method like http://server_name/xmlrpc for
> pyquiz to send its login requests. If pyquiz gets True on the response, then
> it creates (or looks up) a space in its database for the username.
Excuse me for jumping in here...

Another solution is to redirect the user to SchoolTool for the login.
SchoolTool then redirects back after login with a hashed/encrypted payload
identifying the user. No server-server communication, pyquiz is never
trusted with the password.

As for the payload, you can use a simple homebrew format or something
standard like SAML
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

I've never used SAML, since homebrew is simple enough, and I've never
needed to be standard.

> I know a very well designed mechanism should include encryption/decryption
> for the requests, but these services are going to run on the same server and
> I'm assuming that's secure enough.
>
> Please let me know what you think about this approach.
>
> Thanks.
> Douglas
>
> "... that is when you realize that bad things can turn out to be
> quite good..." - Lionel Messi
>
> Please avoid sending me Word, Excel or PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.es.html
>
> _______________________________________________
> Mailing list: https://launchpad.net/~schooltool-developers
> Post to : [email protected]
> Unsubscribe : https://launchpad.net/~schooltool-developers
> More help : https://help.launchpad.net/ListHelp

--
Brian Sutherland
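The following is an added example, not code from the thread, SchoolTool or pyquiz, showing what a minimal "homebrew" signed-payload handoff of the kind Brian describes could look like. SchoolTool's side builds the payload after a successful login and sends the browser back to pyquiz with it; pyquiz's side verifies it and learns the username without ever handling the password. The function names, the shared secret, the `aud` audience field and the five-minute freshness window are assumptions made here for illustration.

```python
"""Added example: HMAC-signed login handoff between an identity server
(SchoolTool) and a relying application (pyquiz).  Not the project's code."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared secret, provisioned out of band on both servers.
SHARED_SECRET = b"constructed-example-secret-change-me"
# Reject payloads older than this; bounds the window in which a captured
# payload could be replayed.
MAX_AGE_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_login_payload(username: str, secret: bytes = SHARED_SECRET, now=None) -> str:
    """Identity-server side: bind the username to an issue time and an
    intended audience, then MAC the whole body.  Returns "body.signature"."""
    issued_at = int(now if now is not None else time.time())
    claims = {"user": username, "iat": issued_at, "aud": "pyquiz"}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_login_payload(payload: str, secret: bytes = SHARED_SECRET, now=None):
    """Relying-application side: return the username if the payload is
    authentic, addressed to us and fresh; otherwise return None."""
    try:
        body_b64, sig_b64 = payload.split(".", 1)
        body = _unb64(body_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # Constant-time comparison; verify the MAC before trusting any claim.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if claims.get("aud") != "pyquiz":
        return None
    current = now if now is not None else time.time()
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (0 <= current - iat <= MAX_AGE_SECONDS):
        return None
    return claims.get("user")


if __name__ == "__main__":
    token = make_login_payload("jelkner")
    print("redirect to: http://pyquiz.example/login?token=" + token)
    print("pyquiz sees user:", verify_login_payload(token))
```

The MAC covers the issue time and audience as well as the username, so the relying side can refuse stale payloads and payloads minted for some other application; a production version would also carry a per-login nonce that pyquiz remembers until expiry, so a payload cannot be presented twice within the freshness window.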

