Uploaded image for project: 'VCL'
  1. VCL
  2. VCL-608

XMLRPC interface inaccessible to Shibboleth-authenticated users

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 2.3
    • 2.3.1, 2.4
    • web gui (frontend)
    • None

    Description

      It would be, in certain cases, useful for Shibboleth-authenticated users to have access to the XMLRPC interface.

      If an external web application (e.g. Moodle) were to use the remote API and if the corresponding user is authenticated in the VCL via Shibboleth, then there are two reasons why this currently fails. First, a Shibbolized VCL knows nothing about a user's password and would not be able to authenticate a user based on that. Second, there is no means for handling a user from an affiliation with 'type' => 'redirect' (specified in $authMechs) in the utils.php:checkAccess() function.

      If the password field is, instead, an authentication token known only (internally) by the remote application, and if authentication requests must pass through an IP-based filter, then it is possible to retain a sufficiently high level of security in the application, while allowing remote applications to make reservation requests on behalf of Shibboleth users. The verification function could be defined in conf.php and therefore controlled by the local VCL administrator.

      Attachments

        1. apiAccess.patch
          1 kB
          Aaron Coburn

        Activity

          People

            acoburn Aaron Coburn
            acoburn Aaron Coburn
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: