RE: Re: Security Framework: Authori(s/z)ion Rights
- Subject: RE: Re: Security Framework: Authori(s/z)ion Rights
- From: "Huyler, Christopher M" <email@hidden>
- Date: Fri, 7 Nov 2003 10:49:36 -0500
- Thread-topic: Re: Security Framework: Authori(s/z)ion Rights
Can anyone answer these questions?????
I have another to add to the list below:
3) If all I have is a user name, is there a way to check to see that the
user is an administrator?
-----Original Message-----
From: Huyler, Christopher M
Sent: Wednesday, November 05, 2003 9:31 AM
To: 'email@hidden'
Subject: Re: Security Framework: Authori(s/z)ion Rights
With all the commotion about locali(s/z)ation I never got my questions
answered:
1) Is it possible to make a rule for a right that will authenticate any
user on the local machine and/or domain? The rule "allow" does not
require a valid username/password and every other default rule requires
some sort of admin account.
2) Also, there is something annoying about removing rights. No matter
how you authenticate beforehand, you are asked again for your password
when you call AuthorizationRightRemove(). I have tried creating an
AuthorizationRef that uses the name "config.remove.com.my.right" but it
will always deny even if I enter the correct password (presumably
because the timeout is set to 0). I suppose this is to ensure that the
user is asked for their password when removing rights but I have no way
of suppressing the request when it happens. Since I am dealing with a
remote application that communicates with a local daemon, I can't have
authentication dialogs popping up on the local machine.
Here's how I authenticate w/o interaction (well, the interaction is in
the Java GUI which may or may not be on the local machine):

#include <string.h>
#include <Security/Authorization.h>

/* Not shown in this post: the global gAuthRef and the helpers
   initialize_AuthRef() and isAuthenticated(). */

OSStatus doAuthorization(
    const char *rightName,
    AuthorizationEnvironment *environment,
    AuthorizationFlags flags);

OSStatus authenticateAsUser(
    const char *rightName,
    char *username,
    char *password)
{
    /* No kAuthorizationFlagInteractionAllowed: no dialog is shown. */
    static const AuthorizationFlags kAuthFlags =
        kAuthorizationFlagExtendRights;

    /* Credentials are passed in through the authorization environment. */
    AuthorizationItem kAuthEnv[] = {
        { kAuthorizationEnvironmentUsername, strlen(username), username, 0 },
        { kAuthorizationEnvironmentPassword, strlen(password), password, 0 } };
    AuthorizationEnvironment kEnvironment = { 2, kAuthEnv };

    /* Only request the right if it is not already held. */
    if (isAuthenticated(rightName) != noErr)
        doAuthorization(rightName, &kEnvironment, kAuthFlags);

    return (isAuthenticated(rightName));
}

OSStatus doAuthorization(
    const char *rightName,
    AuthorizationEnvironment *environment,
    AuthorizationFlags flags)
{
    OSStatus err;
    AuthorizationFlags kAuthFlags = kAuthorizationFlagDefaults | flags;
    AuthorizationItem kAuthRight = { rightName, 0, 0, 0 };
    AuthorizationRights kRights = { 1, &kAuthRight };

    /* Create the shared authorization reference on first use. */
    if (!gAuthRef)
    {
        initialize_AuthRef();
    }

    err = AuthorizationCopyRights(
        gAuthRef,    // authorization reference
        &kRights,    // rights
        environment, // environment
        kAuthFlags,  // flags
        NULL         // authorizedRights
    );

    return err;
}
--
Christopher Huyler
Computer Associates Intl.
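
For question 3 above, an added example that is not part of the original post: a POSIX group-membership lookup by user name. The function names are hypothetical, and it assumes administrators are the members of the "admin" group; it sees only the primary group and the explicit member list, so nested groups are not expanded.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Returns 1 if `username` belongs to `groupname`, 0 if it does not,
 * and -1 if the user or the group cannot be found. */
int user_in_group(const char *username, const char *groupname)
{
    if (username == NULL || groupname == NULL)
        return -1;

    /* getpwnam() returns static storage: copy the gid out right away. */
    const struct passwd *pw = getpwnam(username);
    if (pw == NULL)
        return -1;
    gid_t primary = pw->pw_gid;

    const struct group *gr = getgrnam(groupname);
    if (gr == NULL)
        return -1;

    /* Membership through the primary group is not listed in gr_mem. */
    if (gr->gr_gid == primary)
        return 1;

    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++) {
        if (strcmp(*m, username) == 0)
            return 1;
    }
    return 0;
}

/* Assumption: administrators are the members of the "admin" group. */
int user_is_admin(const char *username)
{
    return user_in_group(username, "admin");
}

int main(int argc, char **argv)
{
    const char *name = (argc > 1) ? argv[1] : "root";
    printf("%s: user_is_admin = %d\n", name, user_is_admin(name));
    return 0;
}
```

The result says nothing about who is asking: it is a directory lookup, not an authentication of that user.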