Ah yes, looks like issue SHINDIG-1454 =( I was trying it with REST call, sorry.
However, as issue SHINDIG-1455 mentioned, turning off Anonymous ST will make the osapi libs not load properly.

- Henry

2011/8/3 daviesd <[email protected]>:
> Hmmm... good observation. However, I switched them around, still no
> success... I wonder if this has to do with
>
> https://issues.apache.org/jira/browse/SHINDIG-1454
> and
> https://issues.apache.org/jira/browse/SHINDIG-1455
>
> doug
>
> On 8/3/11 4:34 PM, "Henry Saputra" <[email protected]> wrote:
>
>> It's happening in the code. See SocialApiGuiceModule class:
>>
>> public class SocialApiGuiceModule extends AbstractModule {
>>
>>   /** {@inheritDoc} */
>>   @Override
>>   protected void configure() {
>>
>>     bind(ParameterFetcher.class).annotatedWith(Names.named("DataServiceServlet"))
>>         .to(DataServiceServletFetcher.class);
>>
>>     bind(Boolean.class)
>>         .annotatedWith(Names.named(AnonymousAuthenticationHandler.ALLOW_UNAUTHENTICATED))
>>         .toInstance(Boolean.TRUE);
>>
>>
>> Since the SocialApiGuiceModule is listed later than PropertiesModule,
>> it overrides the binding of the shindig.allowUnauthenticated property.
>>
>> - Henry
>>
>> On Wed, Aug 3, 2011 at 12:51 PM, daviesd <[email protected]> wrote:
>>> I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.)
>>> from being made unless shindig.auth.updateSecurityToken has been called. If
>>> I enable secure tokens and I set the token to something in clear text, it
>>> denies the rpc requests as it should. Providing the encrypted token then
>>> works. However if I don't call updateSecurityToken at all then it uses the
>>> AnonymousSecurityToken and the call succeeds. I don't want this.
>>>
>>> I tried setting
>>>
>>> shindig.allowUnauthenticated=false
>>>
>>> In shindig.properties thinking this would enforce this, it appears to be
>>> used inside on AnonymousSecurityToken.
>>>
>>> Ideas?
>>>
>>> Doug
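The binding behaviour discussed in this thread, as an added stand-alone Guice example that is not part of the original messages or of Shindig's code: it resolves the flag when it is supplied only as a String property, when an explicit `@Named` Boolean binding like the one quoted from `SocialApiGuiceModule` is also present, and after `Modules.override` replaces that binding. `PropsModule`, `pin`, `resolve` and the class name are hypothetical stand-ins; the flag name is the one given in the thread.

```java
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Key;
import com.google.inject.Module;
import com.google.inject.name.Names;
import com.google.inject.util.Modules;
import java.util.Properties;

public class AllowUnauthenticatedBindingDemo {
  // Property name taken from the thread.
  static final String FLAG = "shindig.allowUnauthenticated";
  static final Key<Boolean> FLAG_KEY = Key.get(Boolean.class, Names.named(FLAG));

  /** Stand-in for a properties module: binds each property as a @Named String. */
  static class PropsModule extends AbstractModule {
    @Override protected void configure() {
      Properties p = new Properties();
      p.setProperty(FLAG, "false"); // constructed sample value
      Names.bindProperties(binder(), p);
    }
  }

  /** Binds the flag as an explicit @Named Boolean, the same shape as the quoted binding. */
  static Module pin(final boolean value) {
    return new AbstractModule() {
      @Override protected void configure() {
        bind(FLAG_KEY).toInstance(value);
      }
    };
  }

  /** Builds an injector from the given modules and returns the resolved flag. */
  static boolean resolve(Module... modules) {
    return Guice.createInjector(modules).getInstance(FLAG_KEY);
  }

  public static void main(String[] args) {
    // Property alone: Guice converts the @Named String constant to Boolean.
    System.out.println("properties only:    " + resolve(new PropsModule()));
    // Explicit Boolean binding present: it is used instead of the converted String,
    // in either module order (String and Boolean are different Guice keys).
    System.out.println("props + hard-coded: " + resolve(new PropsModule(), pin(true)));
    System.out.println("hard-coded + props: " + resolve(pin(true), new PropsModule()));
    // Modules.override swaps the hard-coded binding for one pinned to false.
    Module fixed = Modules.override(new PropsModule(), pin(true)).with(pin(false));
    System.out.println("after override:     " + resolve(fixed));
  }
}
```

Whether pinning the flag to false is workable in a given Shindig deployment is a separate question; the thread notes, citing SHINDIG-1455, that disabling the anonymous token affects loading of the osapi libraries.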
