Ah, I see now. The best way to do this would be to use a RealmFactory. The RealmFactory would generate a Realm based on some configuration.

So, in the localhost-only app, the RealmFactory would return a Realm that returns 'true' for every security check. In the single-account mode, you return a normal realm; it's just that doGetAuthenticationInfo would return that root user's principals and the 'AllPermission' (assuming the password was correct, of course). The 3rd scenario is normal usage. This way, all of your security checks remain in place (as they should), and the results of those checks only change based on which realm is used.

Are you using Spring? If so, this can very easily be achieved by a FactoryBean implementation. If not, you can do something like this:

    // instantiate your specific realm factory - perhaps it reads a .properties
    // file or system property to tell it what Realm to return
    RealmFactory factory = ...;

    // in your case the collection would probably only have a single Realm
    // based on the environment
    Collection<Realm> realms = factory.getRealms();

    // non-web environment (declared as DefaultSecurityManager rather than the
    // SecurityManager interface, since setRealms(...) lives on the implementation):
    DefaultSecurityManager securityManager = new DefaultSecurityManager();
    // or a web environment:
    securityManager = new DefaultWebSecurityManager();

    securityManager.setRealms(realms);

You can also declare your RealmFactory implementation in a ki.ini file (jsecurity.ini for 0.9.0), and it will be used to perform essentially what the above code is doing.

Lemme know if this is enough to get you going, or if you'd like more suggestions.

Cheers,

Les

On Mon, Mar 30, 2009 at 4:34 PM, Ryan McKinley <[email protected]> wrote:

> The use case is that I have an application that is packaged in various ways.
>
> In one case it is a localhost-only app with *no* accounts -- not even the concept of accounts (if you can get to the machine you can do anything).
> In another it has a single "root" account.
> In another it has configurable accounts.
>
> The goal is to write UI code targeted for the most complex cases, but transparently work even in the absence of accounts.
>
> - - - - - - -
>
> How do people use Ki security to manage authorization for anonymous users? How would I allow access to some features for users that come from one IP address and block them for another? In some cases, I don't even want to have a log-in option. I'm wondering if there is an automatic way to give each HTTP session/request a default subject (or something like that).
>
> The other option I see is to add a layer in between my app and Ki that checks what mode it is in before resolving authorization. Perhaps this makes more sense.
>
> ryan
>
>
> On Mar 30, 2009, at 4:04 PM, Les Hazlewood wrote:
>
> Ryan, I'm curious: why would you want such a policy?
>
> If you do this, then _any_ anonymous user could do really crazy things, like change configuration, create/delete users, or anything else that could be considered potentially 'dangerous' allowed by the application. This is very odd from a security perspective.
>
> Instead, what is more common is that you create at least a default 'root' account that has one role, and that role has the AllPermission assigned to it (or a WildcardPermission equal to "*"). If you're testing features enabled/disabled, it's easiest just to log in as 'root' rather than expose your entire application...
>
> On Mon, Mar 30, 2009 at 2:42 PM, Ryan McKinley <[email protected]> wrote:
>
>> Ahhh -- that makes sense.
>>
>> ... slowly figuring out how the pieces fit together..
>>
>> thanks
>> ryan
>>
>>
>> On Mar 30, 2009, at 2:24 PM, Jeremy Haile wrote:
>>
>> Hey Ryan,
>> How are you trying to check authorization of a user? Are you using the Subject interface or accessing the SecurityManager?
>>
>> If you use the Subject interface, it will not say you are authorized until after you've authenticated - since the Subject isn't associated with any principals until authentication takes place.
>>
>> However, you should be able to perform authorization for a user without them being authenticated by accessing the SecurityManager directly. Simply call SecurityManager.isPermitted(PrincipalCollection, permissions), SecurityManager.hasRole(PrincipalCollection, role), etc.
>>
>> Jeremy
>>
>>
>> On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:
>>
>> Hello-
>> I'm starting to grok how Ki is structured and who is responsible for what. As mentioned, I am building an app where I want any user to be able to do anything until security is enabled; then I want to check some configured Realm for authentication etc.
>>
>> The key thing I realized is that I need to limit access based on "hasPermission" rather than "isInRole" -- this way an Authorizer could just return 'new AllPermission()'.
>>
>> I have a SecurityManager configured with a ModularRealmAuthorizer to grant all permissions:
>>
>>     ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
>>     realms.add( new FullAccessRealm() );
>>     ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
>>     sm.setAuthorizer( authz );
>>
>> This seems to work fine *after* the user has authenticated, but I want this to work *before* they authenticate.
>>
>> Any pointers? Does Authorization only get called when Authentication succeeds?
>>
>> Do I have to automatically authenticate with an 'anonymous' user account and then use that for Authorization? If so, how do I automatically authenticate (so the user *never* sees a login box)?
>>
>> thanks again
>> ryan
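A fleshed-out version of the RealmFactory idea from Les's reply, added here as an example and not code from the thread or from Ki itself. It is narrowed to the single-"root"-account mode plus the factory that selects a realm from configuration; it assumes Ki's org.apache.ki packages (the same classes later shipped as Apache Shiro), and the class names RootOnlyRealm and ModeRealmFactory and the property names app.security.mode and app.root.password are hypothetical.

```java
import java.util.Collection;
import java.util.Collections;

import org.apache.ki.authc.AuthenticationInfo;
import org.apache.ki.authc.AuthenticationToken;
import org.apache.ki.authc.SimpleAuthenticationInfo;
import org.apache.ki.authz.AuthorizationInfo;
import org.apache.ki.authz.SimpleAuthorizationInfo;
import org.apache.ki.authz.permission.AllPermission;
import org.apache.ki.realm.AuthorizingRealm;
import org.apache.ki.realm.Realm;
import org.apache.ki.realm.RealmFactory;
import org.apache.ki.subject.PrincipalCollection;

/** Single-"root"-account mode: one fixed principal, AllPermission once the password matches. */
class RootOnlyRealm extends AuthorizingRealm {
    private final String rootPassword;   // a real deployment would store a hashed credential
    RootOnlyRealm(String rootPassword) { this.rootPassword = rootPassword; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        if (!"root".equals(token.getPrincipal())) {
            return null;                 // unknown principal: authentication fails
        }
        // The realm's CredentialsMatcher compares token.getCredentials() with the stored
        // credential, so a wrong password still fails even though AllPermission is granted below.
        return new SimpleAuthenticationInfo("root", rootPassword, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addObjectPermission(new AllPermission());   // root may do everything
        return info;
    }
}

/** Chooses the Realm from a system property; the application's permission checks never change. */
class ModeRealmFactory implements RealmFactory {
    private final Realm normalRealm;     // the configurable-accounts realm for the 3rd scenario
    ModeRealmFactory(Realm normalRealm) { this.normalRealm = normalRealm; }

    public Collection<Realm> getRealms() {
        String mode = System.getProperty("app.security.mode", "full");     // hypothetical name
        Realm realm = "root".equals(mode)
                ? new RootOnlyRealm(System.getProperty("app.root.password")) // hypothetical name
                : normalRealm;
        return Collections.singletonList(realm);
    }
}
```

Hand the factory's getRealms() result to DefaultSecurityManager.setRealms(...) exactly as in Les's snippet; only the realm changes between packagings, never the isPermitted checks in the UI code.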
