Ahhh -- that makes sense.
... slowly figuring out how the pieces fit together...
thanks
ryan
On Mar 30, 2009, at 2:24 PM, Jeremy Haile wrote:
Hey Ryan,
How are you trying to check authorization of a user? Are you using
the Subject interface or accessing the SecurityManager?
If you use the Subject interface, it will not say you are authorized
until after you've authenticated - since the Subject isn't
associated with any principals until authentication takes place.
However you should be able to perform authorization for a user
without them being authenticated by accessing the SecurityManager
directly. Simply call
SecurityManager.isPermitted(PrincipalCollection, permissions),
SecurityManager.hasRole(PrincipalCollection, role), etc.
Jeremy
On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:
Hello-
I'm starting to grok how Ki is structured and who is responsible
for what. As mentioned, I am building an app where I want any user
to be able to do anything until security is enabled then I want to
check some configured Realm for authentication etc.
The key thing I realized is that I need to limit access based on
"hasPermission" rather than "isInRole" -- this way an Authorizer
could just return 'new AllPermission()'
I have a SecurityManager configured with a ModularRealmAuthorizer
to grant all permissions:
// single realm that grants every permission; sm is the SecurityManager being configured
ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
realms.add( new FullAccessRealm() );
ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
sm.setAuthorizer( authz );
This seems to work fine *after* the user has authenticated, but I
want this to work *before* they authenticate.
Any pointers? Does Authorization only get called when
Authentication succeeds?
Do I have to automatically authenticate with an 'anonymous' user
account and then use that for Authorization? If so, how do I
automatically authenticate (so the user *never* sees a login box)?
thanks again
ryan
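The approach Jeremy describes (calling the SecurityManager's own isPermitted with an explicitly built PrincipalCollection, so no login and no anonymous account is needed) as a worked example. This is an added illustration, not code from the thread or from the Ki project. It is written against the Apache Shiro API, the renamed successor of Ki, so the org.apache.shiro package names are an assumption for a Ki-era build; the FullAccessRealm body, the realm name "fullAccess", the "anonymous" principal and the permission string are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.AllPermission;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

// Added example: authorization before authentication by going through the
// SecurityManager directly. Package names assume the Shiro naming (Ki renamed).
public class PreAuthAuthorizationExample {

    /** Hypothetical realm that grants every permission while security is switched off. */
    static class FullAccessRealm extends AuthorizingRealm {
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            // AllPermission.implies(...) is true for any permission, so every
            // permission check against this realm succeeds.
            info.addObjectPermission(new AllPermission());
            return info;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            // This realm never authenticates anyone; it only answers authorization queries.
            return null;
        }
    }

    /** Permission check that does not depend on an authenticated Subject. */
    static boolean isPermittedWithoutLogin(DefaultSecurityManager sm, String permission) {
        // Nobody has logged in, so build the principals by hand. "anonymous" is a
        // constructed placeholder; the realm name must match the realm that answers.
        PrincipalCollection anon = new SimplePrincipalCollection("anonymous", "fullAccess");
        // Authorizer methods on the SecurityManager take the principals explicitly,
        // which is why they work before any Subject exists.
        return sm.isPermitted(anon, permission);
    }

    public static void main(String[] args) {
        FullAccessRealm realm = new FullAccessRealm();
        realm.setName("fullAccess");
        List<Realm> realms = new ArrayList<Realm>(1);
        realms.add(realm);
        // DefaultSecurityManager wires a ModularRealmAuthorizer over the given realms,
        // equivalent to the explicit setAuthorizer(...) call from the thread.
        DefaultSecurityManager sm = new DefaultSecurityManager(realms);

        System.out.println("delete permitted before login: "
                + isPermittedWithoutLogin(sm, "document:delete:42"));
    }
}
```

The point to notice is that the Subject API is never used: Subject.isPermitted would return false here because the Subject has no principals until a login succeeds, whereas the SecurityManager variant is handed the PrincipalCollection directly. When security is later enabled, only the realm list changes; the calling code stays the same.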