The Subject interface is basically a proxy to the SecurityManager that
knows "who it is". So it knows what principals are associated with
the Subject and provides convenience methods that when called actually
delegate to the SecurityManager behind the scenes.
Feel free to ask more questions if I can help clear anything up!
On Mar 30, 2009, at 2:42 PM, Ryan McKinley wrote:
Ahhh -- that makes sense.
... slowly figuring out how the pieces fit together...
thanks
ryan
On Mar 30, 2009, at 2:24 PM, Jeremy Haile wrote:
Hey Ryan,
How are you trying to check authorization of a user? Are you using
the Subject interface or accessing the SecurityManager?
If you use the Subject interface, it will not say you are
authorized until after you've authenticated - since the Subject
isn't associated with any principals until authentication takes
place.
However you should be able to perform authorization for a user
without them being authenticated by accessing the SecurityManager
directly. Simply call
SecurityManager.isPermitted(PrincipalCollection, permissions),
SecurityManager.hasRole(PrincipalCollection, role), etc.
Jeremy
On Mar 30, 2009, at 10:14 AM, Ryan McKinley wrote:
Hello-
I'm starting to grok how Ki is structured and who is responsible
for what. As mentioned, I am building an app where I want any
user to be able to do anything until security is enabled then I
want to check some configured Realm for authentication etc.
The key thing I realized is that I need to limit access based on
"hasPermission" rather than "isInRole" -- this way an Authorizer
could just return 'new AllPermission()'
I have a SecurityManager configured with a ModularRealmAuthorizer
to grant all permissions:
ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
realms.add( new FullAccessRealm() );
ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
sm.setAuthorizer( authz );
This seems to work fine *after* the user has authenticated, but I
want this to work *before* they authenticate.
Any pointers? Does Authorization only get called when
Authentication succeeds?
Do I have to automatically authenticate with an 'anonymous' user
account and then use that for Authorization? If so, how do I
automatically authenticate (so the user *never* sees a login box)?
thanks again
ryan
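The approach Jeremy describes, worked through as an added example that is not from this thread or the Ki project: authorization is asked of the SecurityManager directly with a hand-built PrincipalCollection, so no authentication ever happens. It assumes the Shiro package names (org.apache.shiro; Ki used org.apache.ki for the same classes) and invents the FullAccessRealm and RestrictedRealm classes, the "anonymous" principal and the doc:read / doc:delete permission strings. The point it shows: with the AllPermission realm the unauthenticated caller is allowed everything, and swapping in a realm that grants an explicit permission set turns the same check into default-deny without any other code change.

```java
import java.util.Collections;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.AllPermission;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class AnonymousAuthzExample {
    // Authorization-only realms: nobody authenticates through them, so the
    // authentication hook simply reports "no account here".
    abstract static class AuthzOnlyRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) { return null; }
    }
    // "Security disabled": every principal gets AllPermission (hypothetical realm).
    static class FullAccessRealm extends AuthzOnlyRealm {
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addObjectPermission(new AllPermission());
            return info;
        }
    }
    // "Security enabled": the anonymous principal is granted only doc:read (hypothetical realm).
    static class RestrictedRealm extends AuthzOnlyRealm {
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if ("anonymous".equals(p.getPrimaryPrincipal())) info.addStringPermission("doc:read");
            return info;
        }
    }
    // Ask the SecurityManager directly; no Subject and no login are involved.
    static boolean anonymousIsPermitted(Realm realm, String permission) {
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthorizer(new ModularRealmAuthorizer(Collections.<Realm>singletonList(realm)));
        // The caller supplies the principal the realm will be asked about.
        PrincipalCollection anon = new SimplePrincipalCollection("anonymous", realm.getName());
        return sm.isPermitted(anon, permission);
    }
    public static void main(String[] args) {
        for (Realm r : new Realm[] { new FullAccessRealm(), new RestrictedRealm() })
            for (String perm : new String[] { "doc:read", "doc:delete" })
                System.out.println(r.getClass().getSimpleName() + " " + perm + " -> " + anonymousIsPermitted(r, perm));
    }
}
```

Going through the Subject instead would report "not permitted" for every check here, since a Subject carries no principals before authentication; the SecurityManager path is what makes the pre-login decision possible.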