On 30 Mar 2012, at 15:09, Colm O hEigeartaigh wrote:

> Hi Fabio,
>
>> Further, you have the method verifyPassword provided by UserController that
>> could be used to verify userid/password.
>> This method, for security reasons, can be called only by a user with USER_READ
>> capability.
>
> Consider the use-case as mentioned by Bob, where you have a third
> party application which receives login credentials and wishes to
> authenticate the user, and retrieve the roles associated with that
> user for authorization. If the application logs on with the received
> username/password, then it is assuming that the given user has a
> USER_READ entitlement. IMO the application would log on with its own
> credentials, and wish to authenticate the given username/password via
> some kind of "authenticateUser" method as I mentioned before.
>
> Do you see a use-case for this kind of functionality or am I missing
> something?

I agree with you. In this case I'd follow the steps below:

1. authenticate the third party application with an administrator (or a user with USER_READ capability)
2. verify the password by calling the method verifyPassword provided by the UserController

What do you think about it?

>> Actually users have only the roles explicitly assigned.
>
> The question is whether it is possible to easily retrieve the
> hierarchy of roles for a particular user (or the authenticated user)?
>
> Thanks,
>
> Colm.
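The two-step flow proposed above (the application logs on with its own USER_READ-capable account, then calls verifyPassword for the end user) and the role-hierarchy question at the end, as an added in-memory model written for this page. It is not Syncope's code: the entitlement names (USER_READ, USER_LIST, SELF_READ), the role/parent hierarchy, the account names, and the use of PBKDF2 for the stored password are all assumptions made for the example. The point it makes executable is that the USER_READ check is evaluated against the caller of verifyPassword, so logging on as the end user only works if that user happens to hold USER_READ, while a service account with its own credentials does not have that problem.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

ITERATIONS = 50_000  # PBKDF2 work factor; an assumption for the example


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest) via PBKDF2-HMAC-SHA256; the clear text is never stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Role:
    name: str
    entitlements: set = field(default_factory=set)
    parent: Optional["Role"] = None  # assumed parent link giving the hierarchy


@dataclass
class User:
    username: str
    salt: bytes
    digest: bytes
    roles: set = field(default_factory=set)  # only the roles explicitly assigned


class NotAuthorized(Exception):
    pass


class UserController:
    """Stand-in for a controller whose operations are guarded by entitlements."""

    def __init__(self, users, roles):
        self.users, self.roles = users, roles

    def _check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return False
        _, digest = hash_password(password, user.salt)
        return hmac.compare_digest(digest, user.digest)

    def role_hierarchy(self, username):
        """Explicitly assigned roles plus every ancestor reachable via parent."""
        result = set()
        for name in self.users[username].roles:
            role = self.roles[name]
            while role is not None and role.name not in result:
                result.add(role.name)
                role = role.parent
        return result

    def entitlements(self, username):
        ents = set()
        for name in self.role_hierarchy(username):
            ents |= self.roles[name].entitlements
        return ents

    def authenticate(self, username, password):
        """Step 1: the caller logs on with its own credentials."""
        if not self._check_password(username, password):
            raise NotAuthorized("bad credentials for " + username)
        return username

    def verify_password(self, caller, username, password):
        """Step 2: USER_READ is checked on the caller, not on the user being verified."""
        if "USER_READ" not in self.entitlements(caller):
            raise NotAuthorized(caller + " lacks USER_READ")
        return self._check_password(username, password)


def build_demo():
    """Constructed sample data: a service account holding USER_READ, an end user without it."""
    admin = Role("admin", {"USER_READ", "USER_LIST", "USER_UPDATE"})
    staff = Role("staff", {"SELF_READ"})
    helpdesk = Role("helpdesk", {"USER_LIST"}, parent=staff)
    roles = {r.name: r for r in (admin, staff, helpdesk)}
    users = {}
    for name, pw, assigned in (("syncope-app", "app-secret", {"admin"}),
                               ("alice", "alice-pw", {"helpdesk"})):
        salt, digest = hash_password(pw)
        users[name] = User(name, salt, digest, assigned)
    return UserController(users, roles)


def third_party_login(ctl, app_user, app_pw, end_user, end_pw):
    """The proposed flow: the app authenticates itself, verifies the end user,
    then fetches that user's role hierarchy for its own authorization decisions."""
    caller = ctl.authenticate(app_user, app_pw)
    if not ctl.verify_password(caller, end_user, end_pw):
        return False, set()
    return True, ctl.role_hierarchy(end_user)


def naive_flow_is_rejected(ctl, end_user, end_pw):
    """Logging on *as* the end user and then calling verifyPassword fails unless
    that user holds USER_READ, which is the objection raised in the thread."""
    caller = ctl.authenticate(end_user, end_pw)
    try:
        ctl.verify_password(caller, end_user, end_pw)
        return False
    except NotAuthorized:
        return True
```

Running `third_party_login(build_demo(), "syncope-app", "app-secret", "alice", "alice-pw")` yields `(True, {"helpdesk", "staff"})`: the end user's explicitly assigned role plus its parent, which is the "hierarchy of roles" asked about, computed by walking the assumed parent links. A wrong end-user password yields `(False, set())` without revealing whether the account exists, and `naive_flow_is_rejected` shows the failure mode of logging on with the received credentials.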
