Verify Password of Not Logged In User

0
I have a use case where I want to record manager approval of an action as follows:

- technician is logged into the app and selects some codes to use on a packing slip
- manager clicks a button to record his or her approval of the packing slip
- upon clicking this button, the manager is prompted for his or her app username and password
- Mendix confirms the username and password and, assuming the password matches, records the approving manager's name and a date and time stamp on the packing slip

I am not sure how to confirm the password of a user account different from the logged-in user. Any pointers or ideas welcome!
asked
2 answers
2

Mike,

With a line of Java code this should be easily solved:

IUser user = Core.getUser(Core.createSystemContext(), this.userName);   // look the account up by name
return Core.authenticate(Core.createSystemContext(), user, this.password);  // true if the password matches

Pass the username and the entered password to the Java action and return the result of the lines above.

answered
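A complete Java action along these lines, written as an added example for this answer: it is not code from the thread and not a Mendix-supplied action. The module name packingslip, the class name VerifyApproverPassword and the parameter names userName and password are placeholder assumptions; Core.getUser and Core.authenticate are the Mendix Core API calls the answer refers to. The action takes the entered name and password as String parameters and returns a Boolean the calling microflow can branch on:

```java
// Placeholder module and action name; adjust to your project.
package packingslip.actions;

import com.mendix.core.Core;
import com.mendix.systemwideinterfaces.core.IContext;
import com.mendix.systemwideinterfaces.core.IUser;
import com.mendix.webui.CustomJavaAction;

public class VerifyApproverPassword extends CustomJavaAction<java.lang.Boolean>
{
    private java.lang.String userName;
    private java.lang.String password;

    public VerifyApproverPassword(IContext context, java.lang.String userName, java.lang.String password)
    {
        super(context);
        this.userName = userName;
        this.password = password;
    }

    @java.lang.Override
    public java.lang.Boolean executeAction() throws Exception
    {
        // BEGIN USER CODE
        if (userName == null || userName.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }

        // Use a system context for the lookup: the technician's own context may not
        // have read access to other users' System.User objects.
        IContext sysContext = Core.createSystemContext();
        IUser approver = Core.getUser(sysContext, userName);
        if (approver == null) {
            // Unknown account gives the same answer as a wrong password, so the
            // caller cannot use this action to enumerate usernames.
            return false;
        }

        // Checks the supplied password against the stored hash; it does not log the
        // approver in or replace the technician's session.
        boolean ok = Core.authenticate(sysContext, approver, password);
        password = null; // drop the cleartext reference as soon as it is no longer needed
        return ok;
        // END USER CODE
    }

    @java.lang.Override
    public java.lang.String toString()
    {
        return "VerifyApproverPassword";
    }
}
```

Because the lookup runs with a system context, the action will accept any account's password, so the microflow that calls it should separately check that the named account actually holds the manager role before stamping the packing slip, and should report only "approval failed" to the screen rather than whether the name or the password was wrong.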
0

If the scenario is that the manager approves of something at the technician's computer, while the technician is logged in, be aware that the default implementation of this is HORRIBLY insecure: a technician can open the dev tools in his browser and see the account name and password of the manager! From then on, he can simply log in as the manager. Furthermore, with password reuse being a thing, the manager probably has the same password for this application as for many other accounts/applications in the organization!

A far better solution would be to use the account name and one-time tokens, e.g. from the Google Authenticator app.

answered
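A server-side check for the one-time token approach, added here as an example and not code from this answer or from Mendix: a plain Java RFC 6238 TOTP verifier (HMAC-SHA1, 30-second steps, 6 digits, as Google Authenticator uses by default) with a one-step clock skew allowance and a replay guard. It assumes the per-manager secret is stored server-side as raw bytes (the Base32 string shown at enrollment, decoded) and that the step of the last accepted code is persisted per approver; enrollment and storage are outside the block. The key in main is the RFC 6238 test key, embedded so the class runs on its own:

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** RFC 6238 TOTP check for a manager's approval, with replay protection. */
public final class ApprovalTotp {
    private static final int DIGITS = 6;          // what the authenticator app displays
    private static final long STEP_SECONDS = 30;  // default TOTP time step
    private static final int ALLOWED_SKEW = 1;    // accept one step either side of now

    /** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
    static String hotp(byte[] secret, long counter) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = hash[hash.length - 1] & 0x0f;
        int binary = ((hash[offset] & 0x7f) << 24)
                   | ((hash[offset + 1] & 0xff) << 16)
                   | ((hash[offset + 2] & 0xff) << 8)
                   |  (hash[offset + 3] & 0xff);
        int code = binary % (int) Math.pow(10, DIGITS);
        return String.format("%0" + DIGITS + "d", code);
    }

    static long stepOf(long unixSeconds) {
        return unixSeconds / STEP_SECONDS;
    }

    /**
     * Returns the time step the submitted code was accepted for, or -1 if it is rejected.
     * lastAcceptedStep is the step stored after the approver's previous successful use;
     * any step at or below it is refused, so a code read out of the technician's browser
     * cannot be submitted a second time within the same window.
     */
    static long verify(byte[] secret, String submitted, long unixSeconds, long lastAcceptedStep)
            throws Exception {
        if (submitted == null || submitted.length() != DIGITS) {
            return -1;
        }
        byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
        long now = stepOf(unixSeconds);
        long accepted = -1;
        // Check every step in the window without early exit, comparing in constant time.
        for (long step = now - ALLOWED_SKEW; step <= now + ALLOWED_SKEW; step++) {
            byte[] expected = hotp(secret, step).getBytes(StandardCharsets.US_ASCII);
            boolean match = MessageDigest.isEqual(expected, given);
            if (match && step > lastAcceptedStep && accepted == -1) {
                accepted = step;
            }
        }
        return accepted;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the ASCII test key from RFC 6238 Appendix B, not a real manager secret.
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        long lastAcceptedStep = -1;

        long now = Instant.now().getEpochSecond();
        String code = hotp(secret, stepOf(now));   // what the manager's app would show right now
        long accepted = verify(secret, code, now, lastAcceptedStep);
        System.out.println("first use accepted at step " + accepted);

        lastAcceptedStep = accepted;               // persist this per approver after success
        long replay = verify(secret, code, now, lastAcceptedStep);
        System.out.println("replay of the same code accepted? " + (replay != -1));

        long stale = verify(secret, code, now + 5 * STEP_SECONDS, -1);
        System.out.println("same code five steps later accepted? " + (stale != -1));
    }
}
```

The value a technician could capture from the request is now a six-digit code that is only valid for about a minute and, with the stored step, only once; it also reveals nothing about the manager's password on other systems. The values hotp returns for the embedded test key can be checked against the table in RFC 6238 Appendix B.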