schooltool-developers team mailing list archive
Message #00414
Re: Use of SchoolTool to authenticate users in pyquiz
On Thu, May 26, 2011 at 09:00:13AM -0700, Douglas Cerna wrote:
> Justas:
>
> Jeffrey is developing an application called pyquiz to create tests for his students using pyramid. Now, he has this requirement (sorry for flooding):
>
> Jeff Elkner: 1. user points browser at pyquiz
> Jeff Elkner: 2. clicks "login"
> Jeff Elkner: 3. types user name and password
> Jeff Elkner: 4. pyquiz asks ST, is this a valid user?
> Jeff Elkner: 5. ST says yes or no
> Jeff Elkner: if yes, user is logged in
> Jeff Elkner: if no, login fails
> Jeff Elkner: i don't want to create users in two places
> Jeff Elkner: and have to make sure they are in sync somehow
> Jeff Elkner: when a new student is added to ST
> Jeff Elkner: and put in a section
> Jeff Elkner: they can log in to pyquiz
> Jeff Elkner: with no configuration on the pyquiz side
>
> I think an easy solution is to create a small XMLRPC method publisher that gets the person and calls checkPassword on it, returning True or False. Then we could create a URL for this method like http://server_name/xmlrpc for pyquiz to send its login requests. If pyquiz gets True on the response, then it creates (or looks up) a space in its database for the username.
Excuse me for jumping in here...
Another solution is to redirect the user to SchoolTool for the login.
SchoolTool then redirects back after login with a hashed/encrypted
payload identifying the user.
No server-server communication, pyquiz is never trusted with the
password.
As for the payload, you can use a simple homebrew format or something
standard like SAML
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
I've never used SAML, since homebrew is simple enough, and I've never
needed to be standard.
> I know a very well designed mechanism should include encryption/decryption for the requests, but these services are going to run on the same server and I'm assuming that's secure enough.
>
> Please let me know what you think about this approach.
>
> Thanks.
> Douglas
>
> "... that's when you realize that bad things can turn out to be pretty good ..." - Lionel Messi
>
> Please avoid sending me Word, Excel or PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.es.html
>
--
Brian Sutherland
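Added example (not code from the thread, SchoolTool or pyquiz): Douglas's proposal above, the XML-RPC publisher that looks the person up and calls checkPassword, written out end to end in Python. FakePerson, the PERSONS container, the PBKDF2 password store and the check_credentials method name are all assumptions standing in for SchoolTool's real objects; only the checkPassword() call and the /xmlrpc path come from the message. The publisher binds to 127.0.0.1 because XML-RPC over plain HTTP carries the password in clear text, which is exactly the same-server assumption the proposal relies on.

```python
import hashlib
import hmac
import os
import threading
from xmlrpc.client import ServerProxy
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

ITERATIONS = 50_000  # PBKDF2 work factor for the stand-in password store


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class FakePerson:
    """Assumed stand-in for a SchoolTool person object, not SchoolTool's class.

    Only the checkPassword() method named in the thread is modelled; the stored
    digest is salted PBKDF2, not necessarily what SchoolTool itself uses.
    """

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self._salt = os.urandom(16)
        self._digest = _hash_password(password, self._salt)

    def checkPassword(self, password: str) -> bool:
        candidate = _hash_password(password, self._salt)
        return hmac.compare_digest(self._digest, candidate)


# Constructed sample data standing in for the SchoolTool person container.
PERSONS = {
    "student1": FakePerson("student1", "correct horse"),
    "teacher": FakePerson("teacher", "battery staple"),
}

# Fixed salt used only to keep response time uniform for unknown usernames.
_DUMMY_SALT = b"\x00" * 16


def check_credentials(username: str, password: str) -> bool:
    """The method SchoolTool would publish: look the person up, call checkPassword."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    person = PERSONS.get(username)
    if person is None:
        # Same amount of work for unknown users, so timing does not reveal
        # which usernames exist.
        _hash_password(password, _DUMMY_SALT)
        return False
    return bool(person.checkPassword(password))


class _Handler(SimpleXMLRPCRequestHandler):
    # Publish at /xmlrpc, the path suggested in the thread, instead of /RPC2.
    rpc_paths = ("/xmlrpc",)


def start_server(host: str = "127.0.0.1", port: int = 0):
    """Start the publisher on loopback only: plain-HTTP XML-RPC carries the
    password in clear text, so it must not be reachable from the network."""
    server = SimpleXMLRPCServer((host, port), requestHandler=_Handler, logRequests=False)
    server.register_function(check_credentials, "check_credentials")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def pyquiz_login(port: int, username: str, password: str) -> bool:
    """The pyquiz side: forward the submitted credentials, trust the boolean answer."""
    proxy = ServerProxy(f"http://127.0.0.1:{port}/xmlrpc")
    return bool(proxy.check_credentials(username, password))


if __name__ == "__main__":
    server, port = start_server()
    try:
        print(pyquiz_login(port, "student1", "correct horse"))  # True
        print(pyquiz_login(port, "student1", "wrong"))          # False
    finally:
        server.shutdown()
        server.server_close()
```

With this design pyquiz still receives and forwards the student's password on every login, so both processes handle the secret; that is the property Brian's redirect-based alternative removes.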
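Added example (not code from the thread, SchoolTool or pyquiz): the redirect flow Brian describes, with a "homebrew" payload done the way a practitioner would want it. "Hashed" here means a keyed HMAC-SHA256 over the payload using a secret shared by the two applications; a plain hash would be forgeable by anyone who can read the format. The payload carries the username, the intended audience, issue and expiry times and a one-time id, and the pyquiz side verifies the signature before parsing anything, then rejects stale, misaddressed or replayed assertions. SHARED_SECRET, the field names, the callback URL and CLOCK_SKEW are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed: a random secret provisioned out of band to both SchoolTool and pyquiz.
SHARED_SECRET = b"replace-with-32-random-bytes-from-os.urandom"
CLOCK_SKEW = 30  # seconds of clock difference tolerated between the two apps


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(secret, username, audience, ttl=60, now=None):
    """SchoolTool side: after a successful login, build 'body.signature'."""
    issued = int(time.time() if now is None else now)
    payload = {
        "sub": username,              # who logged in
        "aud": audience,              # which relying party may accept this
        "iat": issued,
        "exp": issued + ttl,          # short lifetime limits the replay window
        "jti": secrets.token_hex(8),  # unique id so pyquiz can reject re-use
    }
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64e(hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + sig


def build_redirect(secret, return_url, username, audience):
    """The URL SchoolTool sends the browser back to after login."""
    return return_url + "?" + urlencode({"assertion": make_assertion(secret, username, audience)})


def verify_assertion(secret, token, audience, seen, now=None):
    """pyquiz side: return the username if the token is genuine, fresh, addressed
    to us and unused, else None. `seen` maps jti -> exp for replay detection."""
    now = time.time() if now is None else now
    if not isinstance(token, str):
        return None
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        # Authenticate first, parse second: unauthenticated bytes never reach json.loads.
        if not hmac.compare_digest(_b64d(sig), expected):
            return None
        payload = json.loads(_b64d(body))
        if payload["aud"] != audience:
            return None
        if now < payload["iat"] - CLOCK_SKEW or now > payload["exp"]:
            return None
        jti = payload["jti"]
        if not isinstance(jti, str):
            return None
    except (ValueError, KeyError, TypeError):
        return None
    # Drop ids whose tokens can no longer validate anyway, then refuse re-use.
    for old in [k for k, exp in seen.items() if exp < now - CLOCK_SKEW]:
        del seen[old]
    if jti in seen:
        return None
    seen[jti] = payload["exp"]
    return payload["sub"]


def username_from_callback(secret, url, audience, seen, now=None):
    """Pull the assertion out of the redirect URL the browser arrived on."""
    token = parse_qs(urlparse(url).query).get("assertion", [""])[0]
    return verify_assertion(secret, token, audience, seen, now)


if __name__ == "__main__":
    url = build_redirect(SHARED_SECRET, "https://pyquiz.example/login/callback", "student1", "pyquiz")
    cache = {}
    print(username_from_callback(SHARED_SECRET, url, "pyquiz", cache))  # student1
    print(username_from_callback(SHARED_SECRET, url, "pyquiz", cache))  # None (replay)
```

The `seen` cache has to be shared across pyquiz worker processes (a database table or the session store) for the replay check to mean anything, and the shared secret must be as strong as the sessions it protects, since anyone holding it can mint an assertion for any username.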