On 06/02/2015 14:56, Guido Wimmel wrote:
Hi Francesco,
OK, thanks for the clarification. I was misled by the comment in SYNCOPE-132
"Introducing a special 'anonymous' user... distinct from actual unauthenticated user
that cannot now access any REST resource".
In fact, some API methods seem to be accessible both by the 'anonymous' user
and by an unauthenticated user.
Does the authenticated 'anonymous' user have some additional capabilities, or
are both ways of anonymous access pretty much
the same?
Just compare all controllers' methods which are annotated via Spring
Security's @PreAuthorize:
* isAnonymous() (e.g. no authentication): 4 methods
* hasRole(T(org.apache.syncope.common.SyncopeConstants).ANONYMOUS_ENTITLEMENT)
(e.g. authenticated as the anonymous user): 10 methods
* isAuthenticated() (e.g. any authenticated user, including the one
authenticated as anonymous): 13 methods
The general idea was to keep as few methods as possible publicly available to
unauthenticated users, as opposed to how it used to be prior to SYNCOPE-132.
Hope this clarifies.
Regards.
Sent: Friday, 06 February 2015 at 13:22
From: "Francesco Chicchiriccò" <ilgro...@apache.org>
To: dev@syncope.apache.org
Subject: Re: disable Spring security anonymous authentication for REST API?
On 06/02/2015 12:51, Guido Wimmel wrote:
Hi,
if my observations are correct, Spring Security anonymous authentication
still seems to be enabled for the Syncope REST API.
See securityContext.xml:
<security:http security-context-repository-ref="securityContextRepository"
realm="Apache Syncope authentication">
<security:http-basic/>
<security:anonymous username="${anonymousUser}"/>
<security:intercept-url pattern="/**"/>
</security:http>
As far as I understand, since SYNCOPE-132 [1] this mechanism is not used
anymore by Syncope, but instead a special 'anonymous' user was introduced.
Shouldn't it better be
<security:anonymous enabled="false"/> ?
Hi Guido,
the special anonymous user - which can now be configured, both for
username and for secret - is needed for several operations, such as the
different queries required by self-registration, for example.
Please consider the difference between "no authentication is required",
e.g. unauthenticated and "anonymous authentication is required", e.g.
anonymous.
When logged as anonymous, the SyncopeUserDetailsService will only grant
the ANONYMOUS_ENTITLEMENT.
If one does not need anonymous operations, setting
<security:anonymous enabled="false"/>
as you suggest above is anyway an option.
Regards.
[1] https://issues.apache.org/jira/browse/SYNCOPE-132
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
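The two replies above distinguish three access levels on REST controller methods: no authentication at all (isAnonymous()), authentication as the dedicated anonymous user (hasRole(...ANONYMOUS_ENTITLEMENT)), and any authenticated principal (isAuthenticated()). Francesco's counts come from reading every @PreAuthorize annotation by hand. The script below is an added example, not code from this thread or from Apache Syncope: it scans Java source text for @PreAuthorize annotations, groups the guarded methods by the weakest authentication level their SpEL expression accepts, and so lets a reviewer see at a glance which endpoints an unauthenticated caller can still reach. The controller source it runs on is constructed for the example; its class and method names are made up and are not Syncope's.

```python
"""Audit @PreAuthorize expressions on Spring MVC controller methods.

Added example; the sample controller source below is constructed and does
not reproduce any real Syncope controller.
"""
import re
from collections import defaultdict

# Matches a @PreAuthorize annotation carrying a single string literal and
# captures the name of the method declared after it (other annotations may
# sit in between). Expressions built by string concatenation are not handled.
_PREAUTH = re.compile(
    r'@PreAuthorize\(\s*"(?P<expr>[^"]*)"\s*\)'   # the SpEL expression
    r'(?:\s*@\w+(?:\([^)]*\))?)*'                # further annotations
    r'\s*(?:public|protected|private)?\s*'       # optional visibility
    r'(?:static\s+)?(?:final\s+)?'
    r'[\w.<>\[\],?\s]+?\s+'                      # return type (non-greedy)
    r'(?P<method>\w+)\s*\(',                     # method name
    re.DOTALL,
)

UNAUTHENTICATED = "unauthenticated (isAnonymous)"
ANONYMOUS_USER = "anonymous user (ANONYMOUS_ENTITLEMENT)"
ANY_AUTHENTICATED = "any authenticated principal (isAuthenticated)"
SPECIFIC = "specific entitlement"


def classify(expr: str) -> str:
    """Return the weakest caller the expression admits.

    An expression that mentions isAnonymous() anywhere (e.g. combined with
    'or') is reachable without credentials, so that level wins; a bare
    isAuthenticated() admits every logged-in principal, the anonymous user
    included; anything else requires a named entitlement.
    """
    e = re.sub(r"\s+", "", expr)
    if "isAnonymous()" in e:
        return UNAUTHENTICATED
    if "ANONYMOUS_ENTITLEMENT" in e:
        return ANONYMOUS_USER
    if e == "isAuthenticated()":
        return ANY_AUTHENTICATED
    return SPECIFIC


def audit(java_source: str) -> dict:
    """Map each access level to the list of method names guarded at it."""
    groups = defaultdict(list)
    for m in _PREAUTH.finditer(java_source):
        groups[classify(m.group("expr"))].append(m.group("method"))
    return dict(groups)


def summarize(java_source: str) -> dict:
    """Per-level method counts, in the spirit of the tally in the thread."""
    return {level: len(names) for level, names in audit(java_source).items()}


# Constructed sample: a controller mixing all four kinds of guard.
SAMPLE_CONTROLLER = """
public class SampleController {

    @PreAuthorize("isAnonymous()")
    @RequestMapping(method = RequestMethod.GET, value = "/version")
    public String version() { return "0.0"; }

    @PreAuthorize("hasRole(T(org.apache.syncope.common.SyncopeConstants).ANONYMOUS_ENTITLEMENT)")
    public List<String> schemaNames() { return null; }

    @PreAuthorize("isAuthenticated()")
    public UserTO readSelf() { return null; }

    @PreAuthorize("hasRole('USER_CREATE')")
    public ResponseEntity<UserTO> create(UserTO userTO) { return null; }

    @PreAuthorize("isAnonymous() or hasRole('CONFIGURATION_READ')")
    public String mailTemplate(String name) { return null; }
}
"""

if __name__ == "__main__":
    for level, names in audit(SAMPLE_CONTROLLER).items():
        print(f"{level}: {', '.join(names)}")
```

Run it against a real tree by reading each controller file and passing its text to audit(); the interesting lines of the report are the ones under the unauthenticated heading, since every method listed there is exposed to anyone who can reach the REST port, which is exactly the surface SYNCOPE-132 set out to shrink.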