The idea of the UnauthorizedException is that they are unauthorized to execute that method and not to reflect the fact that authorization failed due to them being unauthenticated.
But it should not fail if the user is not remembered or authenticated. Authorization is orthogonal to authentication and either should work independently of the other. For example, you can be remembered, at which point the system has enough identity information to perform authorization checks, and so those checks should generally be allowed to execute. If a developer wants to be safe and ensure that the user is validly authenticated (such as to allow them to edit credit card information, etc.), then the @RequiresAuthentication annotation should additionally be used.

On Fri, Feb 26, 2010 at 8:26 AM, Peter Ledbrook <[email protected]> wrote:
> Hi,
>
> At the moment, @RequiresRoles and @RequiresPermissions result in
> UnauthorizedExceptions being thrown if the user is not remembered or
> authenticated. Should they not be throwing UnauthenticatedExceptions
> in this case?
>
> Also, how do you configure the application via annotations to require
> authenticated users for the role and permission checks?
>
> Thanks,
>
> Peter
>
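The distinction drawn in the reply above (a remembered identity is enough for role checks, while @RequiresAuthentication demands a real login), shown as an added stand-alone example that is not from the thread or the Shiro project. It assumes Shiro 1.x core on the classpath; the user alice, the editor role and the realm name are constructed, and the two service methods are the programmatic equivalent of the annotations rather than the annotation interceptor.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RememberedVsAuthenticated {
    // Same rule as @RequiresRoles("editor"): a remembered identity is enough to
    // run the check, and a failed check is an UnauthorizedException.
    static String viewDrafts(Subject s) {
        s.checkRole("editor");
        return "drafts visible to " + s.getPrincipal();
    }

    // Same rule as @RequiresAuthentication stacked on @RequiresRoles("editor"):
    // reject a merely remembered identity with UnauthenticatedException first.
    static String editBilling(Subject s) {
        if (!s.isAuthenticated()) {
            throw new UnauthenticatedException("log in before editing billing data");
        }
        s.checkRole("editor");
        return "billing editable by " + s.getPrincipal();
    }

    public static void main(String[] args) {
        Ini ini = new Ini();                                    // constructed in-memory realm
        ini.addSection("users").put("alice", "secret, editor"); // hypothetical user and role
        IniRealm realm = new IniRealm(ini);
        realm.setName("iniRealm");
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        // Remembered: known principal, authenticated == false (what a RememberMe
        // cookie yields). Role checks run; the authentication guard rejects it.
        Subject remembered = new Subject.Builder(sm)
                .principals(new SimplePrincipalCollection("alice", realm.getName()))
                .authenticated(false).buildSubject();
        System.out.println("remembered=" + remembered.isRemembered() + ": " + viewDrafts(remembered));
        try { remembered.checkRole("admin"); }            // a role alice does not hold
        catch (UnauthorizedException e) { System.out.println("missing role: " + e.getClass().getSimpleName()); }
        try { editBilling(remembered); }
        catch (UnauthenticatedException e) { System.out.println("remembered editBilling: " + e.getClass().getSimpleName()); }
        // Authenticated in this session: both methods succeed.
        Subject authed = new Subject.Builder(sm).buildSubject();
        authed.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("authenticated: " + editBilling(authed));
    }
}
```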
