alfresco user creation rights to a non admin user - alfresco

I work with Alfresco 5.0.d.
I want some users (who have a particular role) to be able to create other users.
I don't want to add these users to the Administrators group.
I realize that a user can enter the create page (http://localhost:9090/share/page/console/admin-console/users) only if he is an admin.
So how can I authorize a user with a particular role to enter the user management page and create, delete or modify users?
Thank you.

There are multiple ways of doing this. One way is to manipulate permissions, but that will become more difficult. Instead of that, do the following:
1. Create a webscript and pass the required parameters for creating a user. From that webscript, create the user.
2. Create a dashlet or page in Alfresco Share and call the webscript, passing the userName as a parameter (along with the data of the new user), and validate that user inside the webscript (to identify whether that user has access to create users or not).
The above approach is less secure, but if you don't have a confidentiality issue then you can go with it. If confidentiality is an issue, then you need to find something which validates your user, like creating another webscript which validates the user.
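A Java-backed repository webscript implementing the approach in the answer above, as an added example that is not from the original answer and not Alfresco's own code. It assumes a hypothetical group GROUP_USER_MANAGERS (created in the Admin Console), a hypothetical package and URL, and Alfresco 5.0's public service API (PersonService, AuthorityService, MutableAuthenticationService). One difference from the parameter-based validation sketched in step 2 above: the caller's identity is taken from the authenticated session, not from a userName parameter the client could forge, and the code escalates to the system user only after that check has passed.

```java
package com.example.alfresco.webscripts; // hypothetical package

import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.MutableAuthenticationService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.namespace.QName;
import org.springframework.extensions.webscripts.Cache;
import org.springframework.extensions.webscripts.DeclarativeWebScript;
import org.springframework.extensions.webscripts.Status;
import org.springframework.extensions.webscripts.WebScriptException;
import org.springframework.extensions.webscripts.WebScriptRequest;

/**
 * POST /alfresco/service/example/people (hypothetical URL).
 * Descriptor people.post.desc.xml must contain <authentication>user</authentication>
 * and <transaction>required</transaction>; register the bean as
 * id="webscript.com.example.people.post" parent="webscript" with PersonService,
 * AuthorityService and AuthenticationService injected.
 */
public class CreateUserWebScript extends DeclarativeWebScript {

    /** Hypothetical group whose members are allowed to create users. */
    static final String USER_MANAGERS_GROUP = "GROUP_USER_MANAGERS";

    private PersonService personService;
    private AuthorityService authorityService;
    private MutableAuthenticationService authenticationService;

    @Override
    protected Map<String, Object> executeImpl(WebScriptRequest req, Status status, Cache cache) {
        // Who is calling? Taken from the session the repository authenticated,
        // never from a request parameter (which is attacker-controlled).
        final String caller = AuthenticationUtil.getFullyAuthenticatedUser();
        if (caller == null) {
            throw new WebScriptException(Status.STATUS_UNAUTHORIZED, "Authentication required");
        }
        if (!isAllowedToCreateUsers(caller)) {
            throw new WebScriptException(Status.STATUS_FORBIDDEN, caller + " may not create users");
        }

        final String newUser = required(req, "userName");
        final String password = required(req, "password");
        final String firstName = required(req, "firstName");
        final String lastName = required(req, "lastName");
        final String email = required(req, "email");

        if (personService.personExists(newUser)) {
            throw new WebScriptException(Status.STATUS_CONFLICT, "User already exists: " + newUser);
        }

        // Person/authentication creation is admin-guarded in the public services, so
        // escalate to the system user, but only now that the caller has been authorized.
        NodeRef person = AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<NodeRef>() {
            @Override
            public NodeRef doWork() {
                Map<QName, Serializable> props = new HashMap<QName, Serializable>();
                props.put(ContentModel.PROP_USERNAME, newUser);
                props.put(ContentModel.PROP_FIRSTNAME, firstName);
                props.put(ContentModel.PROP_LASTNAME, lastName);
                props.put(ContentModel.PROP_EMAIL, email);
                NodeRef ref = personService.createPerson(props);
                authenticationService.createAuthentication(newUser, password.toCharArray());
                return ref;
            }
        });

        Map<String, Object> model = new HashMap<String, Object>();
        model.put("userName", newUser);
        model.put("nodeRef", person.toString());
        model.put("createdBy", caller);
        return model;
    }

    /** Admins keep their rights; everyone else must be a member of the delegated group. */
    boolean isAllowedToCreateUsers(String userName) {
        if (authorityService.isAdminAuthority(userName)) {
            return true;
        }
        Set<String> authorities = authorityService.getAuthoritiesForUser(userName);
        return authorities.contains(USER_MANAGERS_GROUP);
    }

    private static String required(WebScriptRequest req, String name) {
        String value = req.getParameter(name);
        if (value == null || value.trim().isEmpty()) {
            throw new WebScriptException(Status.STATUS_BAD_REQUEST, "Missing parameter: " + name);
        }
        return value.trim();
    }

    public void setPersonService(PersonService personService) { this.personService = personService; }
    public void setAuthorityService(AuthorityService authorityService) { this.authorityService = authorityService; }
    public void setAuthenticationService(MutableAuthenticationService s) { this.authenticationService = s; }
}
```

The Share-side dashlet or page then only has to POST the new user's details to this URL with the normal Share session; it does not need to (and should not) send the caller's own user name, because the repository already knows it.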

Related

How to get the role for current user with Spring Security

I'm trying to fetch all the roles for the current user who has been authenticated and show them in a JSP page.
I notice that there are some built-in expressions listed here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html but I don't see any that would list all the roles.
You can use SecurityContextHolder.getContext().getAuthentication().getAuthorities() to obtain a collection of the currently logged in user's roles.
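A small helper around the call in the answer above, as an added example (not from the original answer or from the Spring Security project). It handles the two cases the one-liner does not: a null Authentication (no security filter populated the context on this thread) and a token that is not authenticated, and it turns the authorities into a sorted set of role names that a JSP can loop over. Class, method and attribute names are assumed.

```java
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/** Helper (assumed name) for controllers and JSPs that need the current user's roles. */
public final class CurrentUserRoles {

    private CurrentUserRoles() {}

    /**
     * Role names of the current user as a sorted set; empty when nobody is authenticated.
     * getAuthentication() is null when no security filter ran on this thread (e.g. a
     * background job) and isAuthenticated() is false for a rejected token. An anonymous
     * visitor does count as authenticated here and carries ROLE_ANONYMOUS, so a non-empty
     * set must not be read as "logged in".
     */
    public static Set<String> roleNames() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return Collections.emptySet();
        }
        Set<String> names = new TreeSet<String>();
        for (GrantedAuthority ga : auth.getAuthorities()) {
            names.add(ga.getAuthority());
        }
        return Collections.unmodifiableSet(names);
    }

    /** Accepts "ADMIN" or "ROLE_ADMIN"; authorities are stored with the ROLE_ prefix. */
    public static boolean hasRole(String role) {
        String name = role.startsWith("ROLE_") ? role : "ROLE_" + role;
        return roleNames().contains(name);
    }

    /**
     * Call from a controller (or a filter) to hand the roles to the view; in the JSP:
     *   <c:forEach var="r" items="${currentRoles}"><li>${fn:escapeXml(r)}</li></c:forEach>
     */
    public static void exposeToRequest(HttpServletRequest request) {
        request.setAttribute("currentRoles", roleNames());
    }
}
```

For a quick dump without any Java, Spring Security's own taglib renders the same collection with `<sec:authentication property="authorities"/>`; the helper is for when the page needs to iterate or test individual roles.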

How To Programmatically Add OpenID Users To Plone Site

I need to give roles (including the Member role), memberdata, and user folders to certain OpenID users before they first log in to my Plone site. That is, I need to programmatically add OpenID users to my Plone site. portal_registration.addMember cannot add an OpenID user. plone.openid has its own PAS plugin which does not create member objects. What do I do that is replicable in a setuphandler? The usual way to do this is to manually log in the OpenID user, then add roles, memberdata, and sharing after the login. However, that user story is not programmatically replicable.
The only thing that should matter is the user id generated for each user. It should be possible to just create regular members beforehand with user ids matching the OpenID identity URLs, assign them roles and then use OpenID (only) as an alternative authentication method for those users.
Update: As Chris commented below, it's not possible to add users with URL as their id through Plone UI, but they must be created directly into PAS users folder through ZMI (Zope Management Interface).

ASP.NET MVC 2 using Authentication

Here is my problem, if I can call it that way. I have implemented authentication with a custom membership provider in ASP.NET MVC 2.0. Everything works well, but I have one problem. When a user logs in he provides his username and password, and I check this against the database in MSSQL, then I validate the user and password and use FormsAuthentication to set only the UserName as profile information.
But when that user wants to create a new item (let's say for sale or something) that belongs only to him and can be listed with the other items that user created, I can use this username (in FormsAuthentication), check it in the database and connect that item to the appropriate user with a foreign key. But that works only if the username is unique, so I need additional information, like the ID column from the database table "user", to store and use later. So what is the most secure and "best practice" way to store additional information about the user and use it later? Because the username, as I mentioned, must be unique in the database, and it is not enough information about the logged-in user.
Couldn't you store the User object (or whatever additional info you have) in the Session? Or use a cookie on the client side (if you need to persist the login state even after the user closes his browser, etc.)? Let me know if you need specific examples.
EDIT: After reading your comments, if you are looking for a "secure cookie" solution have a look at this: http://www.codeproject.com/Articles/13665/HttpSecureCookie-A-Way-to-Encrypt-Cookies-with-ASP
I use it to store the user's id (only his id). When I retrieve this cookie I load the user given his id. Some in-memory caching allows me to avoid loading the user on each request.
But I just wanted to clarify that the session object seems great for what you are trying to do, plus you don't have to worry about security (for the average app, that is).

Can we use single sign-on for different Forms Authentication sites?

I have 2 different websites:
-> webgrants.com
-> calgrants.com, which can be accessed directly or from webgrants
There is a link provided for calgrants.com in webgrants.com.
So how can I validate the credentials of the user when they click on the link provided? How can I do this? Urgent, please.
There might be better ways to do it, but off the top of my head you can do this:
Assuming they have access to the same (or a common) database, you create a table of userId and ticket.
Whenever a user wants a redirection to the other website, you create a random value (ticket), assign that value to the user and store this pair in the database.
You add this ticket to the address of the other website as a parameter. The other website checks the table for that 'ticket' and authenticates the user.
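The ticket handoff described in the answer above, written out as an added example in Java. It is not the poster's code and is framework-neutral (the sites in the question are ASP.NET); the in-memory map stands in for the shared database table, and the class, method and URL names are assumed. It adds three properties a practitioner would insist on that the answer does not spell out: the ticket comes from a CSPRNG so it cannot be guessed, it expires within a minute, and it is single-use, so a ticket that leaks through a browser history, proxy log or Referer header cannot be replayed.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

/**
 * Issuer side runs on the site the user is already logged in to (webgrants);
 * consumer side runs on the target site (calgrants). Both read the same store.
 */
public final class HandoffTickets {

    /** A ticket older than this is refused even if it was never used. */
    public static final long TTL_MILLIS = 60_000L;

    private static final SecureRandom RNG = new SecureRandom();

    /** Stands in for the shared table (ticket -> userId, issuedAt). */
    private final Map<String, Entry> store = new ConcurrentHashMap<>();
    private final LongSupplier clock;

    public HandoffTickets() { this(System::currentTimeMillis); }
    HandoffTickets(LongSupplier clock) { this.clock = clock; } // injectable for testing expiry

    private static final class Entry {
        final String userId;
        final long issuedAt;
        Entry(String userId, long issuedAt) { this.userId = userId; this.issuedAt = issuedAt; }
    }

    /** Issuer: mint a 256-bit random ticket bound to the currently logged-in user. */
    public String issue(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(ticket, new Entry(userId, clock.getAsLong()));
        return ticket;
    }

    /** Issuer: the link the user is sent to, e.g. https://calgrants.com/sso?ticket=... (assumed path). */
    public static String redirectUrl(String targetBase, String ticket) {
        try {
            return targetBase + "?ticket=" + URLEncoder.encode(ticket, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    /**
     * Consumer: returns the userId to sign in, or null to refuse.
     * remove() makes the ticket single-use; with a real table this is a
     * DELETE ... WHERE ticket = ? whose row count tells you whether it existed.
     * Expired tickets are burned too, so they cannot be retried later.
     */
    public String redeem(String ticket) {
        if (ticket == null || ticket.isEmpty()) {
            return null;
        }
        Entry e = store.remove(ticket);
        if (e == null) {
            return null; // unknown, or already used
        }
        if (clock.getAsLong() - e.issuedAt > TTL_MILLIS) {
            return null; // too old
        }
        return e.userId;
    }

    /** Walk-through: issue, build the redirect, redeem once, then see the replay refused. */
    public static void main(String[] args) {
        HandoffTickets tickets = new HandoffTickets();
        String ticket = tickets.issue("user-42");
        System.out.println("Redirect to " + redirectUrl("https://calgrants.com/sso", ticket));
        System.out.println("first redeem  -> " + tickets.redeem(ticket));
        System.out.println("second redeem -> " + tickets.redeem(ticket));
    }
}
```

The second redeem returns null because the first one removed the row; that, together with the short TTL, is what keeps a ticket copied out of a URL from being worth anything. The consumer should still only issue its own Forms Authentication cookie after a successful redeem and never trust the ticket value itself as an identity.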

How to set the Principal in an ASP.Net app

I am writing a web app for a client. Users will have a one-time key that they will use to initially identify themselves to the app. Once the app verifies that the key is valid it will take them to a page where they can create a normal account to use for all subsequent logins. The create-account page should only be accessible after entering the key and shouldn't be accessible otherwise. I.e, it shouldn't be accessible to users logged in with a normal account.
This is ASP.NET 3.0 using a custom membership provider.
My plan is to create a temporary account based on the key and authenticate the user with that account. This allows them access to the create-user page (which is protected with a location tag) where they can create the formal account. I then authenticate them with their new account and delete the temporary account.
The flow is: the user goes to a page where they enter the key. If the key is valid I create the temporary account, call FormsAuthentication.SetAuthCookie, and redirect to the create-account page. This all works, although it seems a little complicated.
The problem is that the create-user page is available to any authenticated user; I only want it available during the time between entering the key and creating the formal account. So I thought I'd create a special role for the temporary account and make the create-user page accessible only to that role and none other. I created my own Principal object with a special role and tried setting it when I authenticate the temporary account but I can't get that to work.
I'm really hoping I don't have to write a custom role provider just to do this.
How can I make this work? There's gotta be a simpler way!
Why not simply create the real account when they enter the key? Assign it some random name and then let them change the name and other details. Then you don't need the create-user page, just the enter-key page and an account details editing page. If you're concerned about getting the account details filled in, you could set it up (perhaps via code on a MasterPage) so that incomplete accounts always get redirected to the edit details page until the details are entered.
Or, you could have them enter the required details in addition to the key code on the enter key page and simply use those details when creating the account.
My advice would be to avoid the use of temporary accounts when validating the user. Instead, generate your own logic for validating the sign-up key. Then, at the head of the page, you can check whether the user is an authenticated user (SetAuthCookie has been called) and jump to a different page if this is true.
You may even be able to change the page access to forbid this page to authenticated users (I know you can disable accounts for unauthenticated users but I'm not sure if you can go the other direction).
The key, though, is to avoid relying on the membership provider when, in fact, the user is not yet a member!
Assign an "incomplete" role when authenticating against the temporary token, then restrict access to only that role... when the account is created, send them to a re-login page (terminating the authentication token). This will simplify your security model.