I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.) from being made unless shindig.auth.updateSecurityToken has been called. If I enable secure tokens and I set the token to something in clear text, it denies the rpc requests as it should. Providing the encrypted token then works. However, if I don't call updateSecurityToken at all, then it uses the AnonymousSecurityToken and the call succeeds. I don't want this.
I tried setting shindig.allowUnauthenticated=false in shindig.properties thinking this would enforce this. It appears to be used inside of AnonymousSecurityToken. Ideas?

Doug