Henry,

Ya, even if I put the SocialApiGuiceModule before the PropertiesModule I
still see the constructor for AnonymousAuthenticationHandler getting
injected with the value of TRUE for allowUnauthenticated, even though I have

shindig.allowUnauthenticated=false

in my shindig.properties. Is this not what you were seeing?

doug


On 8/3/11 4:34 PM, "Henry Saputra" <henry.sapu...@gmail.com> wrote:

> It's happening in the code. See SocialApiGuiceModule class:
> 
> public class SocialApiGuiceModule extends AbstractModule {
> 
>   /** {@inheritDoc} */
>   @Override
>   protected void configure() {
>     bind(ParameterFetcher.class).annotatedWith(Names.named("DataServiceServlet"))
>         .to(DataServiceServletFetcher.class);
> 
>     bind(Boolean.class)
>         .annotatedWith(Names.named(AnonymousAuthenticationHandler.ALLOW_UNAUTHENTICATED))
>         .toInstance(Boolean.TRUE);
> 
> 
> Since the SocialApiGuiceModule is listed later than PropertiesModule,
> it overrides the binding of the shindig.allowUnauthenticated property.
> 
> - Henry
> 
> On Wed, Aug 3, 2011 at 12:51 PM, daviesd <davi...@oclc.org> wrote:
>> I'm trying to figure out how to prohibit rpc calls (gadgets.metadata, etc.)
>> from being made unless shindig.auth.updateSecurityToken has been called. If
>> I enable secure tokens and I set the token to something in clear text, it
>> denies the rpc requests as it should. Providing the encrypted token then
>> works. However if I don't call updateSecurityToken at all then it uses the
>> AnonymousSecurityToken and the call succeeds. I don't want this.
>> 
>> I tried setting
>> 
>> shindig.allowUnauthenticated=false
>> 
>> in shindig.properties thinking this would enforce this, it appears to be
>> used inside on AnonymousSecurityToken.
>> 
>> Ideas?
>> 
>> Doug
>> 
>> 
> 
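
One way to replace a hard-coded Guice binding like the one quoted above, as an added example that is not part of this thread or of Shindig's own code: Guice's `Modules.override` lets a deployment module supply the value for a key that another module already binds. `HardCodedModule` and `RequireAuthModule` are hypothetical stand-ins, and the binding name is assumed to equal the property key from the thread.

```java
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Key;
import com.google.inject.Module;
import com.google.inject.name.Names;
import com.google.inject.util.Modules;

public class AllowUnauthenticatedOverride {
  // Assumption: the binding name matches the property key used in the thread.
  static final String ALLOW_UNAUTHENTICATED = "shindig.allowUnauthenticated";

  /** Hypothetical stand-in for a module that hard-codes the flag to TRUE. */
  static class HardCodedModule extends AbstractModule {
    @Override protected void configure() {
      bind(Boolean.class).annotatedWith(Names.named(ALLOW_UNAUTHENTICATED))
          .toInstance(Boolean.TRUE);
    }
  }

  /** Hypothetical deployment module that requires authenticated requests. */
  static class RequireAuthModule extends AbstractModule {
    @Override protected void configure() {
      bind(Boolean.class).annotatedWith(Names.named(ALLOW_UNAUTHENTICATED))
          .toInstance(Boolean.FALSE);
    }
  }

  /** Builds an injector from the module and returns the value it resolves for the flag. */
  static boolean resolve(Module module) {
    Injector injector = Guice.createInjector(module);
    return injector.getInstance(
        Key.get(Boolean.class, Names.named(ALLOW_UNAUTHENTICATED)));
  }

  public static void main(String[] args) {
    boolean before = resolve(new HardCodedModule());
    boolean after = resolve(
        Modules.override(new HardCodedModule()).with(new RequireAuthModule()));
    System.out.println("hard-coded module alone: " + before);
    System.out.println("with override module:    " + after);
    // Fail at startup rather than silently serving anonymous requests.
    if (after) {
      throw new IllegalStateException(ALLOW_UNAUTHENTICATED + " is still true");
    }
  }
}
```

Resolving the key from the built injector at startup, as `main` does, confirms which value the authentication handler will actually receive regardless of what the properties file says.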

