Hi Bruno,

while now thinking about it: If the role checking logic is accessible via the principal, then a guest principal is useful.

best regards
Stephan

> Hi Stephan,
>
> Stephan Koops wrote:
> > Hi Bruno,
> >> I think, in the context of wider refactorisation of authentication and
> >> authorisation, that authentication should provide a Principal when a
> >> client has been authenticated (and perhaps a default guest principal
> >> when no one has, like jGuard does, but that's a different matter).
> > why not use null as "guest principal"? What is the advantage of an
> > object for it?
>
> I don't think it's very significant. I was simply referring to what
> jGuard does:
> http://jguard.xwiki.com/xwiki/bin/view/Doc/Faq#HAccessFilterautomaticallytriestologmeinas27guest27Whyshouldtherebea22default22userinjGuard3FIsn27tthatasecurityissue3F
>
> Best wishes,
>
> Bruno.

