Hi Ralph!

Welcome to the Shiro community :)

> We have certain areas where a registered user needs to be logged in
> (checkout, account section, etc.) and an area where everybody is allowed to
> access.
>
> So far, everything is working except for one aspect: In Spring security, we
> had a special user (anonymous customer) who is logged in automatically


This is one thing I never understood in Spring Security (and still don't
since I don't use it - I'd love for someone more knowledgeable than me to
clarify how this actually works - or what this really means - in SS).

In the security world, there is no such thing as 'anonymous
authentication'.  Authentication is the process of *proving* you are who
you say you are.  If you're anonymous, then you're not proving anything,
and thus you're not authenticating anything.

> upon
> visiting any non-restricted area of the shop. This user has various
> properties and he can also place items in the shopping cart. After the
> login
> of the registered user (for the checkout), the existing cart is merged with
> a cart that may derive from a previous session and which has been saved for
> this user in the database.
>
> So my question is: how do I auto-login my anonymous customer so that this
> object is available as a principal via SecurityUtils when no registered
> user
> is remembered or logged in without really restricting anonymous access?
>

This is where I'm drawing a blank - are you saying that, if the end-user is
anonymous, then they should have some data (shopping cart) associated with
them via the Subject?  And then after you know their identity (either via
remember me or via authentication) the anonymous-usage shopping cart is
merged with the known-user shopping cart?

If so, isn't this what sessions are for? Can you store the anonymous-usage
shopping cart in their session (subject.getSession()), and then after they
log in, retrieve what is currently in there and then merge it with what is
stored, and then put that back in the session?

For example:

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

void loginAndMergeCart(Subject subject, String username, String password) {

    //the cart built up while anonymous lives in the session:
    ShoppingCart existingCart =
        (ShoppingCart) subject.getSession().getAttribute("shoppingCart");

    //login - throws AuthenticationException on failure, so the merge
    //below only ever runs for a verified identity:
    subject.login(new UsernamePasswordToken(username, password));

    //identity is known, look up any saved cart:
    Long userId = (Long) subject.getPrincipal();
    ShoppingCart savedCart = shoppingCartStore.findByUserId(userId);

    //merge - the saved cart may not exist yet, and the session cart may be
    //missing if nothing was added before login:
    if (savedCart == null) {
        savedCart = existingCart; //nothing saved: keep the session cart as-is
    } else if (existingCart != null) {
        savedCart.putAll(existingCart);
    }

    if (savedCart != null) {
        subject.getSession().setAttribute("shoppingCart", savedCart);
    }
}

Or, are you saying that when you call SecurityUtils.getSubject(), you want
this subject to automatically be populated with specific principals before
they login?

I apologize - it is not too clear to me what you are asking - I could very
well be misinterpreting your question!

Best,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
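The session-based approach sketched in the reply above, as an added, self-contained example (this is not code from the email or from the Shiro project). It assumes a constructed in-memory `[users]` realm with a made-up account `ralph`/`secret`, a plain `Map<String, Integer>` (SKU to quantity) standing in for the `ShoppingCart` type, and a `HashMap` named `shoppingCartStore` standing in for the database. It shows the two points that matter: an anonymous Subject simply has no principal (`getPrincipal()` is null, `isAuthenticated()` is false) while its cart lives in the session, and the merge is only reachable after `login()` has succeeded, because a failed login throws before the saved cart is ever touched.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class CartMergeDemo {

    /** Constructed stand-in for the persistent cart store: principal -> cart. */
    static final Map<Object, Map<String, Integer>> shoppingCartStore = new HashMap<>();

    static final String CART_KEY = "shoppingCart";

    /** Cart held in the subject's session; created on first use for anonymous visitors. */
    @SuppressWarnings("unchecked")
    static Map<String, Integer> sessionCart(Subject subject) {
        Session session = subject.getSession();
        Map<String, Integer> cart = (Map<String, Integer>) session.getAttribute(CART_KEY);
        if (cart == null) {
            cart = new LinkedHashMap<>();
            session.setAttribute(CART_KEY, cart);
        }
        return cart;
    }

    /**
     * Authenticates the subject and, only if that succeeds, merges the anonymous
     * session cart into the cart saved for the now-known principal.
     */
    static Map<String, Integer> loginAndMergeCart(Subject subject, String username, char[] password) {
        Map<String, Integer> anonymousCart = sessionCart(subject);

        // Throws AuthenticationException on bad credentials; nothing below runs in
        // that case, so an anonymous cart is never attached to a principal that
        // was not proven.
        subject.login(new UsernamePasswordToken(username, password));

        Object principal = subject.getPrincipal(); // non-null only after a successful login
        Map<String, Integer> saved =
            shoppingCartStore.computeIfAbsent(principal, p -> new LinkedHashMap<>());

        // Merge: quantities for the same SKU add up; the saved cart becomes the
        // session cart from here on.
        anonymousCart.forEach((sku, qty) -> saved.merge(sku, qty, Integer::sum));
        subject.getSession().setAttribute(CART_KEY, saved);
        return saved;
    }

    public static void main(String[] args) {
        // Constructed in-memory realm with one made-up account (not real credentials).
        Ini ini = new Ini();
        ini.addSection("users").put("ralph", "secret");
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);

        Subject subject = SecurityUtils.getSubject();
        System.out.println("before login: principal=" + subject.getPrincipal()
                + ", authenticated=" + subject.isAuthenticated());

        // Anonymous browsing: the cart exists only in the session.
        sessionCart(subject).put("book-42", 1);

        // Something this user saved in an earlier visit.
        shoppingCartStore.computeIfAbsent("ralph", p -> new LinkedHashMap<>()).put("book-42", 2);

        try {
            Map<String, Integer> merged = loginAndMergeCart(subject, "ralph", "secret".toCharArray());
            System.out.println("merged cart for " + subject.getPrincipal() + ": " + merged);
        } catch (AuthenticationException e) {
            System.out.println("login failed, cart stays anonymous: " + sessionCart(subject));
        } finally {
            subject.logout();
        }
    }
}
```

Run it against the Shiro core jar and its logging dependency; the same `loginAndMergeCart` method works unchanged under a web `SecurityManager`, where `subject.getSession()` is backed by the HTTP session instead of Shiro's in-memory `DefaultSessionManager`.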
