Hi Francesco,

fine, thanks for the clarification.

Cheers,
   Guido

On 06.02.2015 16:46, Francesco Chicchiriccò wrote:
On 06/02/2015 14:56, Guido Wimmel wrote:
Hi Francesco,

ok, thanks for the clarification. I was misled by the comment in SYNCOPE-132 "Introducing a special 'anonymous' user... distinct from actual unauthenticated user that cannot now access any REST resource".

In fact, some API methods seem to be accessible both by the 'anonymous' user and by an unauthenticated user. Does the authenticated 'anonymous' user have some additional capabilities, or are both ways of anonymous access pretty much the same?

Just compare all controllers' methods which are annotated via Spring Security's @PreAuthorize:

* isAnonymous() (i.e. no authentication): 4 methods
* hasRole(T(org.apache.syncope.common.SyncopeConstants).ANONYMOUS_ENTITLEMENT) (i.e. authenticated as the anonymous user): 10 methods
* isAuthenticate() (i.e. any authenticated user, including the one authenticated as anonymous): 13 methods

The general idea was to keep as few methods as possible publicly available to unauthenticated users, as opposed to how it used to be prior to SYNCOPE-132.

Hope this clarifies.
Regards.

Sent: Friday, 06 February 2015 at 13:22
From: "Francesco Chicchiriccò" <ilgro...@apache.org>
To: dev@syncope.apache.org
Subject: Re: disable Spring security anonymous authentication for REST API?

On 06/02/2015 12:51, Guido Wimmel wrote:
Hi,

if my observations are correct, Spring Security anonymous authentication
still seems to be enabled for the Syncope REST API.

See securityContext.xml:

<security:http security-context-repository-ref="securityContextRepository" realm="Apache Syncope authentication">
    <security:http-basic/>
    <security:anonymous username="${anonymousUser}"/>
    <security:intercept-url pattern="/**"/>
</security:http>

As far as I understand, since SYNCOPE-132 [1] this mechanism is not used anymore by Syncope,
but instead a special 'anonymous' user was introduced.

Shouldn't it rather be

<security:anonymous enabled="false"/>  ?

Hi Guido,
the special anonymous user - which can now be configured, both for
username and for secret - is needed for several operations, such as the
different queries required by self-registration.

Please consider the difference between "no authentication is required",
i.e. unauthenticated, and "anonymous authentication is required", i.e.
anonymous.
When logged in as anonymous, the SyncopeUserDetailsService will only grant
the ANONYMOUS_ENTITLEMENT.

If one does not need anonymous operations, setting

<security:anonymous enabled="false"/>

as you suggest above is anyway an option.

Regards.

[1] https://issues.apache.org/jira/browse/SYNCOPE-132
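The distinction Francesco draws above (unauthenticated request vs. request authenticated as Syncope's special anonymous user vs. any other authenticated user) is easiest to see as a truth table over the three @PreAuthorize expressions named in the thread. The following is an added illustration, not Syncope or Spring Security code: it is a constructed model of how isAnonymous(), hasRole(...) and isAuthenticated() evaluate for each kind of principal. The Principal class, the authority strings (ANONYMOUS_ENTITLEMENT's value, ROLE_ANONYMOUS, the admin's entitlements) and the treatment of a request with no Authentication object at all (rejected before the expression is evaluated) are assumptions made for the example.

```python
"""Constructed model of the three Spring Security access expressions from the thread.

Not Syncope or Spring Security code; principals, authority names and the handling of
a request without any Authentication are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Assumed value for SyncopeConstants.ANONYMOUS_ENTITLEMENT (constructed string).
ANONYMOUS_ENTITLEMENT = "ANONYMOUS"
# Authority that Spring's anonymous filter attaches to an unauthenticated request.
SPRING_ANONYMOUS_AUTHORITY = "ROLE_ANONYMOUS"


@dataclass(frozen=True)
class Principal:
    name: str
    authorities: frozenset
    # True only for the token the Spring anonymous filter creates, never for a
    # user who authenticated with HTTP Basic (even Syncope's 'anonymous' user).
    spring_anonymous_token: bool = False


def is_anonymous(principal):
    return principal.spring_anonymous_token


def is_authenticated(principal):
    # SecurityExpressionRoot defines isAuthenticated() as the negation of isAnonymous(),
    # so a user authenticated as Syncope's anonymous user counts as authenticated.
    return not is_anonymous(principal)


def has_role(principal, role):
    # Modelled as plain membership in the granted authorities (no ROLE_ prefix handling).
    return role in principal.authorities


def check(expression, principal):
    """Evaluate one @PreAuthorize expression for a request.

    principal is None when the request carried no credentials and the Spring anonymous
    filter is disabled; the method security interceptor then rejects the call before
    any expression is evaluated, so every expression denies access (assumption).
    """
    if principal is None:
        return False
    if expression == "isAnonymous()":
        return is_anonymous(principal)
    if expression == "isAuthenticated()":
        return is_authenticated(principal)
    if expression.startswith("hasRole(") and expression.endswith(")"):
        return has_role(principal, expression[len("hasRole("):-1])
    raise ValueError("unsupported expression: " + expression)


EXPRESSIONS = ("isAnonymous()", f"hasRole({ANONYMOUS_ENTITLEMENT})", "isAuthenticated()")
REQUEST_KINDS = ("unauthenticated", "syncope-anonymous", "admin")


def request_principal(kind, anonymous_filter_enabled=True):
    """Principal Spring would hold for a request of the given kind (constructed)."""
    if kind == "unauthenticated":
        if not anonymous_filter_enabled:
            return None  # <security:anonymous enabled="false"/>: no Authentication at all
        return Principal("anonymousUser", frozenset([SPRING_ANONYMOUS_AUTHORITY]),
                         spring_anonymous_token=True)
    if kind == "syncope-anonymous":
        # HTTP Basic with the configured anonymous username/secret; per the thread,
        # SyncopeUserDetailsService grants only ANONYMOUS_ENTITLEMENT.
        return Principal("anonymous", frozenset([ANONYMOUS_ENTITLEMENT]))
    if kind == "admin":
        # Constructed entitlements for an ordinary administrative user.
        return Principal("admin", frozenset(["USER_LIST", "USER_CREATE"]))
    raise ValueError("unknown request kind: " + kind)


def access_matrix(anonymous_filter_enabled=True):
    """Map request kind -> expression -> whether the method would be reachable."""
    return {
        kind: {expr: check(expr, request_principal(kind, anonymous_filter_enabled))
               for expr in EXPRESSIONS}
        for kind in REQUEST_KINDS
    }


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"Spring anonymous filter enabled={enabled}")
        for kind, row in access_matrix(enabled).items():
            cells = "  ".join(f"{expr}={'allow' if ok else 'deny'}" for expr, ok in row.items())
            print(f"  {kind:18} {cells}")
```

The matrix shows why the two "anonymous" paths are not the same: the unauthenticated request only reaches the isAnonymous() methods, the Syncope anonymous user reaches the hasRole(ANONYMOUS_ENTITLEMENT) and isAuthenticated() methods but not the isAnonymous() ones, and with the Spring anonymous filter disabled the unauthenticated request reaches nothing at all while the configured anonymous user is unaffected.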
