It's happening in the code. See SocialApiGuiceModule class:

    public class SocialApiGuiceModule extends AbstractModule {
      /** {@inheritDoc} */
      @Override
      protected void configure() {
        bind(ParameterFetcher.class).annotatedWith(Names.named("DataServiceServlet"))
            .to(DataServiceServletFetcher.class);
        // Hard-coded binding: the allow-unauthenticated flag is always TRUE here.
        bind(Boolean.class)
            .annotatedWith(Names.named(AnonymousAuthenticationHandler.ALLOW_UNAUTHENTICATED))
            .toInstance(Boolean.TRUE);
        // ...
      }
    }

Since the SocialApiGuiceModule is listed later than PropertiesModule,
it overrides the binding of the shindig.allowUnauthenticated property.
- Henry
On Wed, Aug 3, 2011 at 12:51 PM, daviesd <[email protected]> wrote:
> I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.)
> from being made unless shindig.auth.updateSecurityToken has been called. If
> I enable secure tokens and I set the token to something in clear text, it
> denies the rpc requests as it should. Providing the encrypted token then
> works. However if I don't call updateSecurityToken at all then it uses the
> AnonymousSecurityToken and the call succeeds. I don't want this.
>
> I tried setting
>
> shindig.allowUnauthenticated=false
>
> In shindig.properties thinking this would enforce this, it appears to be
> used inside on AnonymousSecurityToken.
>
> Ideas?
>
> Doug
>
>
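
The binding behaviour discussed in this thread, as an added example that is not part of the original messages and is not Shindig code: plain Guice stand-ins show a hard-coded Boolean binding taking effect even though the property is set to false, and Modules.override replacing it with FALSE. The class names StandInPropertiesModule, StandInSocialModule and RequireAuthModule are hypothetical, and exposing properties through Names.bindProperties is an assumption about how PropertiesModule works.

```java
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Key;
import com.google.inject.Module;
import com.google.inject.name.Names;
import com.google.inject.util.Modules;
import java.util.Properties;

public class AllowUnauthenticatedDemo {
  // Property name taken from the thread; everything else here is a stand-in.
  static final String ALLOW_UNAUTHENTICATED = "shindig.allowUnauthenticated";
  static final Key<Boolean> KEY = Key.get(Boolean.class, Names.named(ALLOW_UNAUTHENTICATED));

  /** Hypothetical stand-in for PropertiesModule (assumed to bind @Named strings). */
  static class StandInPropertiesModule extends AbstractModule {
    @Override protected void configure() {
      Properties p = new Properties();
      p.setProperty(ALLOW_UNAUTHENTICATED, "false"); // constructed sample value
      Names.bindProperties(binder(), p);
    }
  }

  /** Hypothetical stand-in for the Boolean binding quoted from SocialApiGuiceModule. */
  static class StandInSocialModule extends AbstractModule {
    @Override protected void configure() {
      bind(Boolean.class).annotatedWith(Names.named(ALLOW_UNAUTHENTICATED))
          .toInstance(Boolean.TRUE);
    }
  }

  /** Hypothetical replacement binding that disallows unauthenticated access. */
  static class RequireAuthModule extends AbstractModule {
    @Override protected void configure() {
      bind(Boolean.class).annotatedWith(Names.named(ALLOW_UNAUTHENTICATED))
          .toInstance(Boolean.FALSE);
    }
  }

  /** Builds an injector from the properties stand-in plus the given module. */
  static boolean resolve(Module social) {
    Injector injector = Guice.createInjector(new StandInPropertiesModule(), social);
    return injector.getInstance(KEY);
  }

  public static void main(String[] args) {
    // The explicit Boolean binding is used; the "false" string is never converted.
    System.out.println("hard-coded binding: " + resolve(new StandInSocialModule()));
    // Modules.override swaps the binding without editing the original module.
    System.out.println("with override:      " + resolve(
        Modules.override(new StandInSocialModule()).with(new RequireAuthModule())));
  }
}
```

The stand-ins model only the binding; how the real authentication handler reacts once the flag is FALSE is not covered here.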