Details
Type: Suggestion
Resolution: Unresolved
Description
It would be nice to have an option in the Admin Console to restrict which applications can use the createPrincipalToken method in the SOAP API, instead of having it available to applications.
As it stands now, any application can authenticate a principal without actually validating a password – whether they need this functionality or not. This has raised some security concerns about how easily a "fake" user session could be created if someone had access to an application's password (and could submit a request from its authorized IPs).
We'd like to be able to grant this permission on a per-application basis, similar to how directory modification permissions can be restricted by application.
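The following is an added illustration of the permission model the request asks for; it is not Crowd's code and does not use the real SOAP API. It models an identity service whose applications authenticate with an application password from authorized IP ranges, and it gates the password-less token-creation call behind a per-application flag, while the ordinary authentication path still checks the principal's own password. The names Directory, Application, can_create_principal_token and the audit event strings are assumptions made for the demo; the applications, addresses and passwords are constructed sample data.

```python
"""Per-application permission gate for a password-less token-creation call.

Added illustration, not Crowd's own code: a minimal in-memory model of an
identity service whose applications authenticate with an application
password from authorized IP ranges, and whose createPrincipalToken-style
operation is gated by a per-application permission flag.  Names such as
Directory, Application and can_create_principal_token are assumptions for
the demo, not identifiers from the real SOAP API.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so neither application nor principal passwords are stored in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class PermissionDenied(Exception):
    """Raised for any failed authentication or missing permission."""


@dataclass
class Application:
    name: str
    salt: bytes
    password_hash: bytes
    allowed_networks: list            # ipaddress networks the app may call from
    can_create_principal_token: bool  # the per-application grant the request asks for


@dataclass
class Principal:
    name: str
    salt: bytes
    password_hash: bytes


class Directory:
    def __init__(self):
        self.applications = {}
        self.principals = {}
        self.sessions = {}  # token -> (principal name, application name)
        self.audit = []     # (event, application, principal) tuples for detection

    def register_application(self, name, password, networks, can_create_principal_token=False):
        salt = secrets.token_bytes(16)
        self.applications[name] = Application(
            name, salt, _hash_secret(password, salt),
            [ipaddress.ip_network(n) for n in networks], can_create_principal_token)

    def add_principal(self, name, password):
        salt = secrets.token_bytes(16)
        self.principals[name] = Principal(name, salt, _hash_secret(password, salt))

    def _authenticate_application(self, app_name, app_password, source_ip) -> Application:
        # Application password plus source-IP check: the baseline every call already has.
        app = self.applications.get(app_name)
        if app is None or not hmac.compare_digest(app.password_hash, _hash_secret(app_password, app.salt)):
            self.audit.append(("bad_app_credentials", app_name, None))
            raise PermissionDenied("application authentication failed")
        if not any(ipaddress.ip_address(source_ip) in net for net in app.allowed_networks):
            self.audit.append(("unauthorized_ip", app_name, None))
            raise PermissionDenied("source address not authorized for application")
        return app

    def _issue_token(self, principal_name, app_name) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (principal_name, app_name)
        return token

    def authenticate_principal(self, app_name, app_password, source_ip, principal_name, password) -> str:
        # The ordinary path: the principal's own password is verified.
        self._authenticate_application(app_name, app_password, source_ip)
        principal = self.principals.get(principal_name)
        if principal is None or not hmac.compare_digest(principal.password_hash, _hash_secret(password, principal.salt)):
            self.audit.append(("bad_principal_password", app_name, principal_name))
            raise PermissionDenied("principal authentication failed")
        return self._issue_token(principal_name, app_name)

    def create_principal_token(self, app_name, app_password, source_ip, principal_name) -> str:
        # The password-less path: only applications explicitly granted the permission may use it.
        app = self._authenticate_application(app_name, app_password, source_ip)
        if not app.can_create_principal_token:
            self.audit.append(("create_principal_token_denied", app_name, principal_name))
            raise PermissionDenied(f"{app_name} may not create principal tokens")
        if principal_name not in self.principals:
            raise PermissionDenied("unknown principal")
        self.audit.append(("create_principal_token", app_name, principal_name))
        return self._issue_token(principal_name, app_name)
```

The flag defaults to off, so an application only gains the password-less path when an administrator grants it explicitly, which is the per-application model the request compares with directory modification permissions. Every use and every denial of the password-less call lands in the audit list, so an unexpected createPrincipalToken-style request from an application that should never need it is visible to whoever reviews those events.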