Inline:

On Wed, Feb 11, 2015 at 10:06 PM, Jason Dillon <[email protected]> wrote:

> (sorry not on same thread, could not get ezmlm to fetch me the right mail
> to reply to)
>
>  * * *
>
> Hey Toby, er i mean Brian :-)
>
> When building an anonymous subject like you do here:
>
>
> https://github.com/bdemers/shiro/blob/anonymous-user-roles/samples/anonymous-user-roles/src/main/java/Quickstart.java#L130
>
> How do we get this into the system?  I don't think we want to
> subject.login() that user, but I'm wondering if we can/should simply
> ThreadContext.bind(subject) (and then unbind it on the way out)?
>
> Tamas tossed up this as an example:
>
>
> https://github.com/sonatype/nexus-oss/commit/ad1d703125ec1be1d0eae00492939d60de38a701#diff-c82a898a4ce4094080b2cb98d3567affR38
>

That should work, but it seems like a long way to go for something that
_should_ just work.
Another idea to consider is just setting the default principal to
'anonymous' via a SubjectFactory

https://github.com/bdemers/shiro/compare/bdemers:anonymous-user-roles...anon-take-2#diff-c592bbcd955d97db3e51216509533851R10

and then injecting that component:
https://github.com/bdemers/shiro/compare/bdemers:anonymous-user-roles...anon-take-2#diff-0d740ecf6abf4b36742a10db24b7b8c7R28

(I'm not sure how this plays with the rememberMe functionality, but I'm
just adding this as a thought)


>
> Will this work and properly get the anonymous subject managed so that the
> rest of Shiro's systems behave properly?  Tamas had another example below it
> that does a login() but I don't think that is proper, as well as it's much
> more expensive as it dives into Shiro frameworks, not something we want to
> do on each request w/o authentication.
>
> This branch also has a special realm, but I'm not sure if that is actually
> needed or something like "n/a" for realm-name as you have in your example
> w/o a realm bound to that name is sufficient?
>

Yeah, the anonymous realm would be a better way to deal with that; that way
you could force this user to the anonymous realm (by making it first in
your realm list), which means you would not need to worry about the odd case
of a person trying to log in with the 'anonymous' user and becoming
authenticated.


>
> And yes, generally we'd like to be able to have a way to grant _guest_ a
> set of roles/permissions but presently the shiro frameworks only can do
> this if a subject has a principal and a _guest_ is a subject w/o a
> principal.
>

I'd like to hear other thoughts on this, because I've banged my head on
this before.  I feel you should be able to assign roles/permissions to the
_guest_ user; currently the only way to do this is to force a fake
principal into the mix (and then you are no longer really a _guest_).


>
> It may not matter however for our case, if you remember, we have to be
> able to allow the _anonymous_ username to be changed for some crazy reason,
> so we can not really use the _guest_ concept at all, but have to continue
> using an _anonymous_ (non-authenticated, non-remembered, non-logged-in)
> user.
>

Yeah, in your case, that dated back to an old, odd requirement (the idea was
to allow the anonymous user's info to be pulled from an external source,
i.e. LDAP).


>
> Part of the problem we had before (and/or currently) is we were _logging_
> in that user so they became _authenticated_, which totally messed up some
> use of @RequiresAuthentication and other bits that one would expect w/o an
> authenticated user with proper credentials would not be allowed to get at.
>

+1 for trying to clean that up


>
> —jason
>

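The approach discussed above (an unauthenticated anonymous subject with a principal from a dedicated, first-in-list anonymous realm, bound to the thread for the request and unbound on the way out) as an added, stand-alone example; this is not code from the thread or from Shiro itself. It assumes the Shiro 1.x API (Subject.Builder, SimpleAccountRealm, ThreadContext), and the realm name, user name, role and permission strings are constructed for illustration.

```java
import java.util.UUID;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class AnonymousSubjectExample {
    // Constructed names for this example (not Shiro defaults).
    static final String ANON_REALM = "anonymous";
    static final String ANON_USER = "anonymous";

    public static void main(String[] args) {
        // Dedicated realm for the anonymous principal. In a real setup it goes
        // first in the realm list so "anonymous" resolves here and never against
        // a realm holding real accounts.
        SimpleAccountRealm anonRealm = new SimpleAccountRealm(ANON_REALM);
        // The password exists only to satisfy the API; it is random and never
        // handed out, so nobody can login() as this account and become authenticated.
        anonRealm.addAccount(ANON_USER, UUID.randomUUID().toString(), "guest");

        DefaultSecurityManager securityManager = new DefaultSecurityManager(anonRealm);
        SecurityUtils.setSecurityManager(securityManager);

        // Build the subject directly: it carries a principal (so roles and
        // permissions can be granted) but is NOT authenticated and no login() runs.
        Subject anon = new Subject.Builder(securityManager)
                .principals(new SimplePrincipalCollection(ANON_USER, ANON_REALM))
                .authenticated(false)
                .buildSubject();

        // Bind for the duration of the request and always unbind afterwards,
        // otherwise the subject leaks to whatever the thread handles next.
        ThreadContext.bind(anon);
        try {
            Subject current = SecurityUtils.getSubject();
            System.out.println("authenticated: " + current.isAuthenticated()); // false
            System.out.println("remembered:    " + current.isRemembered());    // false
            System.out.println("has guest role: " + current.hasRole("guest")); // true
            System.out.println("has admin role: " + current.hasRole("admin")); // false
        } finally {
            ThreadContext.unbindSubject();
        }
    }
}
```

Because isAuthenticated() stays false, @RequiresAuthentication-guarded code still rejects this subject while role and permission checks against the anonymous realm succeed.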