Brian Demers created SHIRO-526:
----------------------------------
Summary: Handle Anonymous / Guest user permissions.
Key: SHIRO-526
URL: https://issues.apache.org/jira/browse/SHIRO-526
Project: Shiro
Issue Type: Improvement
Components: Authentication (log-in), Authorization (access control)
Reporter: Brian Demers
Priority: Minor
From:
Currently Shiro does NOT allow for an anonymous user (i.e. principal == null)
to have permissions. This makes things more challenging for applications that
are base around permissions (i.e. WildCardPermission strings)
From:
http://shiro-user.582556.n2.nabble.com/Can-anonymous-user-have-permissions-td7580431.html
{quote}
I feel like Shiro should support this kind of use case. And it would just add
new flag to subject, along to existing:
- isAuthenticated (have principal and authenticated = true)
- isRemembered (have principal and authenticated = false)
- isAnonymous (have anonPrincipal and authenticated = false)
- isGuest (have nothing)
{quote}
In the above case i think we should collapse the idea of anonymous and guess
into one 'guest' to match other naming in the code base.
This also implies that Permission checking would be allowed if the subject does
NOT have a principal:
https://github.com/apache/shiro/blob/trunk/core/src/main/java/org/apache/shiro/subject/support/DelegatingSubject.java#L162
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
