We currently have an impedance mismatch between the visibility of APIs and the granularity of auth. In particular, the introspective aspects of the REST/RPC APIs such as system.listMethods or /people/@supportedFields shouldn't require OAuth to access. We are in an intermediate state where we can't define auth at the handler method level, though it's on my plate to do. In the meantime, if you don't want to enable anonymous auth you can bind and implement your own RpcServiceLookup implementation which doesn't require auth to return the list of methods.

On Wed, May 6, 2009 at 4:28 PM, Jordan Zimmerman <[email protected]> wrote:

> > Do you bind AnonymousAuthenticationHandler ?
>
> I have my own authentication handler and I don't want to allow anonymous
> (as a general rule). I guess I can add a check in there for
> "method=system.listMethods" and return anonymous but it seems clumsy to
> me.
>
> Jordan Zimmerman
> Principal Software Architect
> 831.647.4712
> 831.214.2990 (cell)
> [email protected]
>
> SHOP*COMTM
> Shop Smart, Save Big(tm)
> www.shop.com
>
> -----Original Message-----
> From: Louis Ryan [mailto:[email protected]]
> Sent: Wednesday, May 06, 2009 4:24 PM
> To: [email protected]
> Subject: Re: /rpc?method=system.listMethods
>
> Do you bind AnonymousAuthenticationHandler ?
>
> On Wed, May 6, 2009 at 4:20 PM, Jordan Zimmerman <[email protected]>
> wrote:
>
> > > It doesn't pass a
> > > security token as it's not really trying to auth on behalf of any given
> > > user, and in truth system.listMethods should require no auth.
> >
> > The problem is that the AuthenticationServletFilter gets called and, in
> > turn, calls getSecurityTokenFromRequest(). Without the "st" my container
> > code can't generate the token.
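
A sketch of the per-method exemption discussed in this thread, added here as an example; it is not Shindig code and not from either poster. Class, enum and method names are hypothetical, and it assumes the caller has already parsed every method the request will dispatch, so a batch that mixes an introspection call with other calls is not let through without a token.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;

/** Hypothetical per-method auth gate; names are illustrative, not Shindig APIs. */
public class MethodLevelAuthGate {

    // Introspection method named in the thread; everything else stays authenticated.
    private static final Set<String> PUBLIC_METHODS = Set.of("system.listMethods");

    enum Decision { ANONYMOUS, AUTHENTICATED, REJECT }

    /**
     * @param requestedMethods every method the request will dispatch (a batch may carry several)
     * @param token            the caller's security token ("st"), if one was supplied
     */
    static Decision decide(List<String> requestedMethods, Optional<String> token) {
        if (requestedMethods.isEmpty()) {
            return Decision.REJECT;            // nothing to authorize: default deny
        }
        if (token.isPresent()) {
            return Decision.AUTHENTICATED;     // normal path: token is validated as usual
        }
        // No token: anonymous only if *every* method is an exact, case-sensitive
        // match on the public list. No prefix or substring matching.
        boolean allPublic = requestedMethods.stream().allMatch(PUBLIC_METHODS::contains);
        return allPublic ? Decision.ANONYMOUS : Decision.REJECT;
    }

    public static void main(String[] args) {
        // Constructed sample requests; "people.get" stands in for any protected method.
        Optional<String> none = Optional.empty();
        System.out.println(decide(List.of("system.listMethods"), none));
        System.out.println(decide(List.of("people.get"), none));
        System.out.println(decide(List.of("system.listMethods", "people.get"), none));
        System.out.println(decide(List.of("system.listmethods"), none));
        System.out.println(decide(List.of("people.get"), Optional.of("constructed-token")));
    }
}
```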

