6 Replies Latest reply on May 17, 2012 9:00 AM by 937672

    Fetch user and password

      Hi everyone,

      I'm building an application that interacts with a CMS platform, which, in turn, fetches its users from an active directory server.

      What I need to do is, in order for my application to upload files to the platform, I need to authenticate with it with the same users that reside in the active directory server.

      I need to provide both a username and password in my code (I'm using one of their APIs), but isn't it a malpractice to fetch the password?

        • 1. Re: Fetch user and password
          Exactly. No self-respecting identity management is going to give you the password in a usable form anyway. Normally they are hashed on storage, and compared with the hash of the entered password. What you should be looking into is getting the CMS to authenticate via AD instead of its own internals. Again any self-respecting CMS should be able to do that.
          • 2. Re: Fetch user and password
            Yes, I already managed to integrate the CMS with the active directory server and use SSO.

            But in order to use the API of the CMS, to add/edit/remove content with my application, I need to introduce credentials in my code in order to allow my application to add/edit/remove content on the platform.

            And the combination of the user/password must belong to an entity present in the active directory.

            For example, a fragment of my code:

             public static void main(String[] args) throws Exception {
                 // Start the session; user and password must belong to an
                 // entity in the active directory
                 AuthenticationUtils.startSession(user, password);
                 // edit content on the platform
             }

            I don't want to ask the user for its name and password.

            Isn't there a way to solve this?

            Edited by: user12047906 on 16/Mai/2012 7:37
            • 3. Re: Fetch user and password
              user12047906 wrote:
              Isn't there a way to solve this?
              Of course. Create an entity ('user') specifically for your application and make sure your application can find its own credentials somewhere, for example by reading them from a file. That way you don't have to compromise the credentials of a 'real' user and it is far easier to change the information whenever it is required.
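
The suggestion in reply 3, sketched as an added example (not code from the thread or from the CMS API): an application loading its own service-account credentials from a file and refusing to use the file if anyone other than its owner can read or write it. It assumes a POSIX filesystem; the key names `cms.user` and `cms.password`, the account name `svc-uploader` and the file contents are constructed for illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.*;

public class ServiceCredentials {
    final String user;
    final char[] password;

    private ServiceCredentials(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    // Loads cms.user / cms.password (hypothetical key names) and refuses any
    // file that group or other accounts can read or write.
    static ServiceCredentials load(Path file) throws IOException {
        Set<PosixFilePermission> exposed = EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);
        exposed.retainAll(Files.getPosixFilePermissions(file));
        if (!exposed.isEmpty()) {
            throw new IOException(file + " is accessible beyond its owner: " + exposed);
        }
        Properties p = new Properties();
        try (Reader r = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            p.load(r);
        }
        String user = p.getProperty("cms.user");
        String pw = p.getProperty("cms.password");
        if (user == null || pw == null) {
            throw new IOException("cms.user and cms.password must both be set in " + file);
        }
        return new ServiceCredentials(user, pw.toCharArray());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file; a deployment would provision it out of band.
        Path f = Files.createTempFile("cms-service", ".properties");
        Files.setPosixFilePermissions(f, PosixFilePermissions.fromString("rw-------"));
        Files.write(f, "cms.user=svc-uploader\ncms.password=constructed-example\n"
                .getBytes(StandardCharsets.UTF_8));
        System.out.println("loaded service account: " + load(f).user);
        Files.setPosixFilePermissions(f, PosixFilePermissions.fromString("rw-r--r--"));
        try { load(f); } catch (IOException e) { System.out.println("refused: " + e.getMessage()); }
        Files.delete(f);
    }
}
```
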
              • 4. Re: Fetch user and password
                The problem is, I need to know the user's identity.

                And there's also a problem regarding authorization.

                I don't want the user to upload files to folders he doesn't have permission for.

                That's why creating a "global" user, common to all applets, won't do. :\

                That's my dilemma.
                • 5. Re: Fetch user and password
                  The problem is that you cannot do what you have described, and if you could it is insecure, so you shouldn't want to do it anyway. You must rethink.
                  • 6. Re: Fetch user and password
                    Yes, there's a simple solution.

                    I can ask the user for its password.

                    I just wanted to avoid that.

                    Seems to be the best solution :)

                    Thank you all for the replies.