Ryan, I'm curious: why would you want such a policy? If you do this, then _any_ anonymous user could do really crazy things, like change configuration, create/delete users, or anything else that could be considered potentially 'dangerous' allowed by the application. This is very odd from a security perspective.
Instead, what is more common is that you create at least a default 'root' account that has one role and that role has the AllPermission assigned to it (or a WildcardPermission equal to "*"). If you're testing features enabled/disabled, it's easiest just to log in as 'root' rather than expose your entire application...

On Mon, Mar 30, 2009 at 2:42 PM, Ryan McKinley <[email protected]> wrote:
> Ahhh -- that makes sense.
>
> ... slowly figuring how the pieces fit together..
>
> thanks
> ryan
>
>
> On Mar 30, 2009, at 2:24 PM, Jeremy Haile wrote:
>
> Hey Ryan,
> How are you trying to check authorization of a user? Are you using the
> Subject interface or accessing the SecurityManager?
>
> If you use the Subject interface, it will not say you are authorized until
> after you've authenticated - since the Subject isn't associated with any
> principals until authentication takes place.
>
> However you should be able to perform authorization for a user without them
> being authenticated by accessing the SecurityManager directly. Simply call
> SecurityManager.isPermitted(PrincipalCollection, permissions),
> SecurityManager.hasRole(PrincipalCollection, role), etc.
>
> Jeremy
>
>
> On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:
>
> Hello-
> I'm starting to grok how Ki is structured and who is responsible for what.
> As mentioned, I am building an app where I want any user to be able to do
> anything until security is enabled, then I want to check some configured
> Realm for authentication etc.
>
> The key thing I realized is that I need to limit access based on
> "hasPermission" rather than "isInRole" -- this way an Authorizer could just
> return 'new AllPermission()'
>
> I have a SecurityManager configured with a ModularRealmAuthorizer to grant
> all permissions:
>
> ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
> realms.add( new FullAccessRealm() );
> ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
> sm.setAuthorizer( authz );
>
> This seems to work fine *after* the user has authenticated, but I want this
> to work *before* they authenticate.
>
> Any pointers? Does Authorization only get called when
> Authentication succeeds?
>
> Do I have to automatically authenticate with an 'anonymous' user account
> and then use that for Authorization? If so, how do I automatically
> authenticate (so the user *never* sees a login box)?
>
> thanks again
> ryan
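As an added example (not code from anyone in this thread or from the Ki project itself), the following shows the "explicit root account" approach recommended above, together with the two ways of checking authorization that Jeremy describes: through the Subject (false until the user has authenticated) and directly through the SecurityManager for a given PrincipalCollection (no login required). It is written against the Apache Shiro API, the name Ki was later released under, and assumes those class names and signatures match the Ki classes mentioned in the thread; the realm name, the account name and the password are constructed sample values, and the `RootOnlyRealm` class is hypothetical.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Hypothetical realm with a single explicit 'root' account (constructed sample data).
 * Authorization grants the "*" wildcard (everything) only to that principal; an
 * anonymous or unknown principal gets an empty AuthorizationInfo, so every check
 * against it fails. This is the opposite of a realm that hands AllPermission to everyone.
 */
public class RootOnlyRealm extends AuthorizingRealm {

    // Constructed sample credential. A real deployment keeps a hashed credential
    // in a store and configures a matching CredentialsMatcher on the realm.
    static final String ROOT_USER = "root";
    static final String ROOT_PASSWORD = "change-me";
    static final String REALM_NAME = "rootOnlyRealm"; // assumed realm name

    public RootOnlyRealm() {
        setName(REALM_NAME);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        if (!ROOT_USER.equals(upToken.getUsername())) {
            return null; // unknown account: authentication fails
        }
        // The realm's CredentialsMatcher (simple equality by default) compares the
        // submitted password against the stored one.
        return new SimpleAuthenticationInfo(ROOT_USER, ROOT_PASSWORD, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (ROOT_USER.equals(principals.getPrimaryPrincipal())) {
            info.addRole("admin");
            // "*" matches every permission string, the same effect as AllPermission.
            info.addObjectPermission(new WildcardPermission("*"));
        }
        return info; // empty for anyone else, so isPermitted/hasRole return false
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = new DefaultSecurityManager(new RootOnlyRealm());
        SecurityUtils.setSecurityManager(sm);

        // 1. Subject-based check before login: the Subject has no principals yet,
        //    so the check cannot succeed regardless of what the realm would grant.
        Subject subject = SecurityUtils.getSubject();
        System.out.println("anonymous subject isPermitted(config:write) = "
                + subject.isPermitted("config:write"));

        // 2. SecurityManager-based check for an explicit principal, with no login.
        //    The caller decides which principal to ask about; the realm answers.
        PrincipalCollection root = new SimplePrincipalCollection(ROOT_USER, REALM_NAME);
        PrincipalCollection guest = new SimplePrincipalCollection("guest", REALM_NAME);
        System.out.println("root  isPermitted(config:write) = " + sm.isPermitted(root, "config:write"));
        System.out.println("guest isPermitted(config:write) = " + sm.isPermitted(guest, "config:write"));
        System.out.println("root  hasRole(admin)            = " + sm.hasRole(root, "admin"));

        // 3. After authenticating as root, the Subject is bound to that principal
        //    and the Subject-based check succeeds as well.
        subject.login(new UsernamePasswordToken(ROOT_USER, ROOT_PASSWORD));
        System.out.println("root subject isPermitted(users:delete) = "
                + subject.isPermitted("users:delete"));
        subject.logout();
    }
}
```

The point for a test harness is the second block in `main`: if you need to ask "would principal X be allowed to do Y" without driving a login screen, hand the SecurityManager a PrincipalCollection for X. That keeps the realm's grants tied to named accounts, so an unauthenticated request in the real application still gets an empty AuthorizationInfo rather than AllPermission.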
