Posted to dev@vcl.apache.org by "Aaron Coburn (JIRA)" <ji...@apache.org> on 2012/09/07 16:14:07 UTC

[jira] [Resolved] (VCL-608) XMLRPC interface inaccessible to Shibboleth-authenticated users

     [ https://issues.apache.org/jira/browse/VCL-608?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aaron Coburn resolved VCL-608.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.3.1
                   2.4

A new global array (indexed by affiliationid) is defined: $apiValidateFunc.

If an administrator defines a validation function in conf.php, it becomes possible for remote, Shibboleth-based applications to delegate authentication over the remote API.
                
> XMLRPC interface inaccessible to Shibboleth-authenticated users
> ---------------------------------------------------------------
>
>                 Key: VCL-608
>                 URL: https://issues.apache.org/jira/browse/VCL-608
>             Project: VCL
>          Issue Type: Improvement
>          Components: web gui (frontend)
>    Affects Versions: 2.3
>            Reporter: Aaron Coburn
>            Assignee: Aaron Coburn
>            Priority: Minor
>             Fix For: 2.4, 2.3.1
>
>         Attachments: apiAccess.patch
>
>
> It would be, in certain cases, useful for Shibboleth-authenticated users to have access to the XMLRPC interface. 
> If an external web application (e.g. Moodle) were to use the remote API and if the corresponding user is authenticated in the VCL via Shibboleth, then there are two reasons why this currently fails. First, a Shibbolized VCL knows nothing about a user's password and would not be able to authenticate a user based on that. Second, there is no means for handling a user from an affiliation with 'type' => 'redirect' (specified in $authMechs) in the utils.php:checkAccess() function.
> If the password field is, instead, an authentication token known only (internally) by the remote application, and if authentication requests must pass through an IP-based filter, then it is possible to retain a sufficiently high level of security in the application, while allowing remote applications to make reservation requests on behalf of Shibboleth users. The verification function could be defined in conf.php and therefore controlled by the local VCL administrator.

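The token-plus-IP-filter check described in the issue could look like the following; this is an added example, not code from apiAccess.patch or from VCL. Only `$apiValidateFunc` comes from the message: the function name, its signature, the array value form, the affiliation id, the addresses and the token are assumptions or constructed sample values.

```php
<?php
// Added illustration; not VCL code. Every name except $apiValidateFunc is hypothetical.

// Constructed sample values: source addresses of the remote application, and
// the SHA-256 of its shared token (store the digest, not the token itself).
const EXAMPLE_ALLOWED_IPS = ['192.0.2.10', '2001:db8::10'];
define('EXAMPLE_TOKEN_SHA256', hash('sha256', 'constructed-sample-token'));

/**
 * Hypothetical validator: accept a request only if it arrives from an
 * allowlisted address AND presents the application's token.
 * $remoteIp should be the socket peer address ($_SERVER['REMOTE_ADDR']),
 * never a client-supplied header such as X-Forwarded-For.
 */
function exampleValidateApiToken(string $remoteIp, string $token): bool
{
    // Compare packed addresses so equivalent IPv6 spellings match.
    $packed = @inet_pton($remoteIp);
    if ($packed === false) {
        return false; // not a valid IP literal
    }
    $allowed = false;
    foreach (EXAMPLE_ALLOWED_IPS as $ip) {
        if (inet_pton($ip) === $packed) {
            $allowed = true;
            break;
        }
    }
    if (!$allowed) {
        return false; // IP filter fails before the token is examined
    }
    // hash_equals() runs in constant time, so response timing does not
    // reveal how much of the presented token was correct.
    return hash_equals(EXAMPLE_TOKEN_SHA256, hash('sha256', $token));
}

// Assumed registration form in conf.php: affiliation id 3 is constructed, and
// storing the function name as the array value is an assumption.
$apiValidateFunc = [];
$apiValidateFunc[3] = 'exampleValidateApiToken';

// Constructed requests: correct token from an unlisted host, then from a listed one.
var_dump($apiValidateFunc[3]('198.51.100.7', 'constructed-sample-token'));
var_dump($apiValidateFunc[3]('192.0.2.10', 'constructed-sample-token'));
```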