Re: Security Framework: Authori(s/z)ion Rights
Re: Security Framework: Authori(s/z)ion Rights
- Subject: Re: Security Framework: Authori(s/z)ion Rights
- From: "Huyler, Christopher M" <email@hidden>
- Date: Wed, 5 Nov 2003 09:30:53 -0500
- Thread-topic: Re: Security Framework: Authori(s/z)ion Rights
With all the commotion about locali(s/z)ation I never got my questions
answered:
1) Is it possible to make a rule for a right that will authenticate any
user on the local machine and/or domain. The rule "allow" does not
require a valid username/password and every other default rule requires
some sort of admin account.
2) Also, there is something annoying about removing rights. No matter
how you authenticate beforehand, you are asked again for your password
when you call AuthorizationRightRemove(). I have tried creating an
AuthorizationRef that uses the name "config.remove.com.my.right" but it
will always deny even if I enter the correct password (presumably
because the timeout is set to 0). I suppose this is to ensure that the
user is asked for their password when removing rights but I have no way
of suppressing the request when it happens. Since I am dealing with a
remote application that communicates with a local daemon, I can't have
authentication dialogs popping up on the local machine.
Here's how I authenticate w/o interaction (well, the interaction is in
the Java gui which may or may not be on the local machine):
OSStatus authenticateAsUser(
const char *rightName,
char *username,
char *password)
{
static const AuthorizationFlags kAuthFlags =
kAuthorizationFlagExtendRights;
AuthorizationItem kAuthEnv[] = {
{ kAuthorizationEnvironmentUsername, strlen(username), username,
0 },
{ kAuthorizationEnvironmentPassword, strlen(password), password,
0 } };
AuthorizationEnvironment kEnvironment = { 2, kAuthEnv };
if (isAuthenticated(rightName) != noErr)
doAuthorization(rightName,&kEnvironment,kAuthFlags);
return (isAuthenticated(rightName));
}
OSStatus doAuthorization(
const char *rightName,
AuthorizationEnvironment *environment,
AuthorizationFlags flags)
{
OSStatus err;
AuthorizationFlags kAuthFlags = kAuthorizationFlagDefaults | flags;
AuthorizationItem kAuthRight = { rightName, 0, 0, 0 };
AuthorizationRights kRights = { 1, &kAuthRight };
if (!gAuthRef)
{
initialize_AuthRef();
}
err = AuthorizationCopyRights(
gAuthRef, // authorization reference
&kRights, // rights
environment, // environment
kAuthFlags, // flags
NULL // authorizedRights
);
return err;
}
--
Christopher Huyler
Computer Associates Intl.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.