Re: [Acegisecurity-developer] Anonymous principal support now in CVS
Matt Raible wrote:

> Is "ROLE_ANONYMOUS" a special key so that you don't have to add it to your user data store? If it has to be added, do all registered users have to have this role assigned to them? I'm sure it works how I'd expect it to work, just want to clarify. It would be nice if this was possible:

The actual GrantedAuthority[]s assigned to the anonymous principal are defined by the filter:

    foobar
    anonymousUser,ROLE_ANONYMOUS

The first parameter is the username, the rest are by default converted into GrantedAuthorityImpl()s. Because an AnonymousAuthenticationToken is generated by the AnonymousProcessingFilter, it is handled at an AuthenticationProvider level by AnonymousAuthenticationProvider. As such the username and GrantedAuthority[]s are not defined in any database at all.

>     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
>     PATTERN_TYPE_APACHE_ANT
>     /*.jsp=ROLE_ANONYMOUS
>     /*.html*=ROLE_USER
>
> Where anyone could browse *.jsp - whether they're logged in or not. And ROLE_ANONYMOUS doesn't have to exist in my "authorities" table.

That FilterInvocationDefinitionSource would work just fine. As mentioned above, ROLE_ANONYMOUS (or whatever you chose to call it) is not defined in any database. This approach allows the creation of a ROLE_ANONYMOUS as well as a separate ROLE_EVERYONE that might be assigned to both anonymous and authenticated users.

Also, if people don't like this particular model, the AuthenticationTrustResolver interface allows them to make anonymous authentication work in some other way - but still retain compatibility with FilterSecurityInterceptor's special handling of AccessDeniedExceptions when an anonymous user is present.

Best regards
Ben

___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Anonymous principal support now in CVS
Is "ROLE_ANONYMOUS" a special key so that you don't have to add it to your user data store? If it has to be added, do all registered users have to have this role assigned to them? I'm sure it works how I'd expect it to work, just want to clarify. It would be nice if this was possible:

    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /*.jsp=ROLE_ANONYMOUS
    /*.html*=ROLE_USER

Where anyone could browse *.jsp - whether they're logged in or not. And ROLE_ANONYMOUS doesn't have to exist in my "authorities" table.

Thanks,
Matt

On Feb 22, 2005, at 11:15 PM, Ben Alex wrote:

> There are unit tests and a section in the reference guide as usual. The new feature enables the ContextHolder to be populated with an AnonymousAuthenticationToken each time. This enables all web URIs to be protected, such as follows:
>
>     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
>     PATTERN_TYPE_APACHE_ANT
>     /index.jsp=ROLE_ANONYMOUS,ROLE_USER
>     /hello.htm=ROLE_ANONYMOUS,ROLE_USER
>     /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
>     /acegilogin.jsp=ROLE_ANONYMOUS,ROLE_USER
>     /**=ROLE_USER
>
> I believe this is more comprehensive than the workarounds that people had been using to date. There's also a new AuthenticationTrustResolver (and implementation) that contains a boolean isAnonymous(Authentication) method - in case your voters etc wish to take into account if a request is anonymous or from a real principal.
>
> Comments welcome.
>
> Best regards
> Ben

[Acegisecurity-developer] Anonymous principal support now in CVS
There are unit tests and a section in the reference guide as usual. The new feature enables the ContextHolder to be populated with an AnonymousAuthenticationToken each time. This enables all web URIs to be protected, such as follows:

    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /index.jsp=ROLE_ANONYMOUS,ROLE_USER
    /hello.htm=ROLE_ANONYMOUS,ROLE_USER
    /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
    /acegilogin.jsp=ROLE_ANONYMOUS,ROLE_USER
    /**=ROLE_USER

I believe this is more comprehensive than the workarounds that people had been using to date. There's also a new AuthenticationTrustResolver (and implementation) that contains a boolean isAnonymous(Authentication) method - in case your voters etc wish to take into account if a request is anonymous or from a real principal.

Comments welcome.

Best regards
Ben
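
How the URL definition in the announcement above resolves for an anonymous and an authenticated caller, as an added example (not Acegi code and not from the thread). It is a simplified model that assumes patterns are tried in order with the first match deciding, that holding any one listed role grants access, and that a path matching no pattern is unsecured; the function names are hypothetical.

```python
import re

# The definition text from the announcement, embedded so the example runs offline.
DEFINITION = """\
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/hello.htm=ROLE_ANONYMOUS,ROLE_USER
/logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
/acegilogin.jsp=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER
"""

def ant_to_regex(pattern):
    """Simplified Ant matcher: ** crosses '/', while * and ? stay in one segment."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts) + r"\Z")

def parse_definition(text):
    """Return (lowercase_flag, ordered list of (regex, required_roles))."""
    lowercase, rules = False, []
    for line in text.splitlines():
        line = line.strip()
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif "=" in line:
            pattern, roles = line.split("=", 1)
            rules.append((ant_to_regex(pattern), {r.strip() for r in roles.split(",")}))
    return lowercase, rules

def is_allowed(text, path, authorities):
    """First matching pattern decides; any one listed role grants access (model assumption)."""
    lowercase, rules = parse_definition(text)
    if lowercase:
        path = path.lower()
    for regex, required in rules:
        if regex.match(path):
            return bool(required & set(authorities))
    return True  # model assumption: a path with no matching pattern is unsecured

# Authorities the anonymous token carries, as configured on the filter in the thread.
ANONYMOUS = ["ROLE_ANONYMOUS"]

if __name__ == "__main__":
    for path in ("/index.jsp", "/Index.JSP", "/admin/list.htm"):
        print(path, "anonymous:", is_allowed(DEFINITION, path, ANONYMOUS),
              "user:", is_allowed(DEFINITION, path, ["ROLE_USER"]))
```
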