On 06/02/2015 12:51, Guido Wimmel wrote:
Hi,

if my observations are correct, Spring Security anonymous authentication still seems to be enabled for the Syncope REST API.

See securityContext.xml:

  <security:http security-context-repository-ref="securityContextRepository"
                 realm="Apache Syncope authentication">
    <security:http-basic/>
    <security:anonymous username="${anonymousUser}"/>
    <security:intercept-url pattern="/**"/>
  </security:http>

As far as I understand, since SYNCOPE-132 [1] this mechanism is not used anymore by Syncope, but instead a special 'anonymous' user was introduced.

Shouldn't it better be

<security:anonymous enabled="false"/>  ?

Hi Guido,
the special anonymous user, which can now be configured both for username and for secret, is needed for several operations, such as the different queries required by self-registration, for example.

Please consider the difference between "no authentication is required", i.e. unauthenticated, and "anonymous authentication is required", i.e. anonymous. When logged in as anonymous, the SyncopeUserDetailsService will only grant the ANONYMOUS_ENTITLEMENT.

If one does not need anonymous operations, setting

<security:anonymous enabled="false"/>

as you suggest above is anyway an option.

Regards.

[1] https://issues.apache.org/jira/browse/SYNCOPE-132

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
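The distinction Francesco draws above, as an added illustration that is not Syncope's code: a hypothetical UserDetailsService hands the anonymous user exactly one entitlement, and an endpoint check then distinguishes "no Authentication at all" (anonymous filter disabled, the entry point answers 401) from "anonymous principal present but lacking the required entitlement". The entitlement string, the anonymous username and the token key are placeholders, not Syncope's actual values.

```java
import java.util.Collection;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class AnonymousEntitlementDemo {

    // Placeholder values (assumed for this example, not Syncope's configuration).
    static final String ANONYMOUS_ENTITLEMENT = "ANONYMOUS_ENTITLEMENT";
    static final String ANONYMOUS_USER = "anonymous";

    // Hypothetical service: the anonymous user gets only ANONYMOUS_ENTITLEMENT.
    static class DemoUserDetailsService implements UserDetailsService {
        @Override
        public UserDetails loadUserByUsername(String username) {
            if (ANONYMOUS_USER.equals(username)) {
                return new User(username, "", AuthorityUtils.createAuthorityList(ANONYMOUS_ENTITLEMENT));
            }
            throw new UsernameNotFoundException(username);
        }
    }

    // Endpoint-side check: a missing Authentication means the request never
    // passed the anonymous filter (or it is disabled); an anonymous token is
    // authenticated but carries a single entitlement, so anything else is denied.
    static boolean isAllowed(Authentication auth, String requiredEntitlement) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        Collection<? extends GrantedAuthority> granted = auth.getAuthorities();
        return granted.stream().anyMatch(ga -> requiredEntitlement.equals(ga.getAuthority()));
    }

    public static void main(String[] args) {
        UserDetails anon = new DemoUserDetailsService().loadUserByUsername(ANONYMOUS_USER);
        // What the enabled anonymous filter would place in the SecurityContext.
        Authentication anonToken =
                new AnonymousAuthenticationToken("demo-key", anon, anon.getAuthorities());
        // A self-registration lookup requiring only the anonymous entitlement.
        System.out.println("anonymous -> " + isAllowed(anonToken, ANONYMOUS_ENTITLEMENT));
        // A privileged operation the anonymous principal does not hold.
        System.out.println("anonymous, USER_LIST -> " + isAllowed(anonToken, "USER_LIST"));
        // Anonymous filter disabled: no Authentication reaches the endpoint.
        System.out.println("unauthenticated -> " + isAllowed(null, ANONYMOUS_ENTITLEMENT));
    }
}
```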


Reply via email to