Authentication and Automation APIs
I am a bit confused about how authentication works with the Java automation APIs. I would like to use a shared secret between the client and the server, and to use impersonation when a client request comes in to switch to the requesting user's security context. I also need to authenticate the user. Roughly, I am trying something along these lines:
```java
// client init
session = client.getSession("Administrator", "Administrator"); // will replace with shared secret

// request comes in from user Bob
session.verifyCredentials("bob", bob's password); // how do I do this??
session.newRequest("Auth.LoginAs").set("name", "bob");
session.do_some_stuff();
session.newRequest("Auth.Logout");
```
I have two issues:
- How can I validate Bob's credentials (without starting a new session, which is too slow)?
- After Auth.LoginAs, I can still successfully use the session to readDocument a document for which Bob has been denied the READ permission. Is LoginAs really impersonating the user?