• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Authenticating without UI
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Authenticating without UI

  • Subject: Re: Authenticating without UI
  • From: OL&L Lists <email@hidden>
  • Date: Fri, 25 Jun 2004 16:53:27 -0700
That is an issue I have not come up against. I would assume that the actual authentication dialog would be presented to the user on whatever Mac the helper tool is *running* on. This would be in keeping with the BSD security model as well as AuthorizationServices.

Each Mac has its own Security Server running as a process on that Mac. When the helper tool makes its request to the Security Server (via Auhtorization Services), it does so on the local machine - hence one would assume the dialog would appear on the local machine and not the remote machine.

I think someone from Apple needs to answer this as the Authorization Services and Security Server docs don't in any way address performing privileged operations on remote machines. There may be some Remote Login APIs that I am not aware of, but currently I am not sure there is a way to execute a helper tool on one machine and have the dialog appear on a different machine.

Sorry I can't be of more help.

Michael
Orbital Launch & Lift, Inc.
http://www.orbitallaunch.com

At 1:18 PM +0200 6/22/04, Tito Ciuro wrote:
Hello Michael,

I understand, but this dialog business is a bit confusing. My app needs to find out whether a specific user has access to the computer. This involves a local computer as well as as a remote one. In other words, a user in Mac A may need to launch a process remotely on Mac B. The question is: when authenticating on Mac B from Mac A, will the UI be presented in the Mac A? If not, what will be the safest way to do that via code?

Thanks again,

-- Tito

On Jun 22, 2004, at 11:56, OL&L Lists wrote:

In answer to your question - the answer is yes - but only if you have
a previously valid AuthorizationRef. Once that is done, you can pass
the flags to AuthorizationCopyRights to supress the e dialog and it
will allow the security server to authorize without showing the
dialog - assuming the previous credentials have been cached. The bad
news is you can *never* avoid the 1st dialog unless you use some
other way for the user to enter authentication data that the Security
Server accepts (smart card, retinal scan, etc.) or unless you used a
shared right that has already had user credentials cached by the
Security Server.

Also note this error from Authorization.h:

errAuthorizationInteractionNotAllowed = -60007, /* The
authorization was denied since no user interaction was possible. */

In other words, if the Security Server needs to authenticate the
user, and no valid credential exists for that user in the Security
Servers' credentials caches, the dialog is going to show up no matter
what you do.

Also note this comment from the same file for AuthorizationCreate &
AuthorizationCopyRights:

When the kAuthorizationFlagInteractionAllowed flag is set, user
interaction will happen when required. Failing to set this flag will
result in this call failing with a
errAuthorizationInteractionNotAllowed status when interaction is
required.

You can't get around the first dialog no matter what you do unless
you use one of the aforementioned methods. If you cache your
AuthorizationRef and credentials properly all further dialogs can be
avoided.

Michael
Orbital Launch & Lift, Inc.
http://www.orbitallaunch.com

At 3:50 PM +0200 6/17/04, Tito Ciuro wrote:
Hello,

Is it possible to collect the user name/password from a custom-made
window, can I feed the info to Authorization Services without
displaying the standard Apple dialog?

Thanks,

-- Tito
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.

References: 
 >Authenticating without UI (From: Tito Ciuro <email@hidden>)
 >Re: Authenticating without UI (From: OL&L Lists <email@hidden>)
 >Re: Authenticating without UI (From: Tito Ciuro <email@hidden>)

  • Prev by Date: Re: Running a single thread as root...sort of.
  • Next by Date: Re: Authenticating without UI
  • Previous by thread: Re: Authenticating without UI
  • Next by thread: aiff tracks list and drive volume identifier
  • Index(es):
    • Date
    • Thread