Thanks for the reply!
I hadn't come across the "[permissive]" bit in the filter, but looking
through the code there it seems that it pretty much unconditionally allows
everything with this mapping. I added it to my setup, and also added the
Spring beans to my context that according to the Shiro docs are required to
make the annotations work. But it just doesn't work for me. Anonymous is
permitted to execute the methods protected with the annotation and no
password is requested.
Here's my security context now:
<bean id="shiroFilter"
      class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="filterChainDefinitions">
        <value>
            /index.* = anon
            /static/* = anon
            /api/** = authcBasic[permissive]
        </value>
    </property>
</bean>

<bean id="securityManager"
      class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm">
        <bean class="org.apache.shiro.realm.text.PropertiesRealm">
            <property name="resourcePath"
                      value="classpath:shiro-realm.properties"></property>
        </bean>
    </property>
</bean>

<bean id="lifecycleBeanPostProcessor"
      class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor"/>

<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>
Is there something else I'm missing?
Best wishes,
--
Sent from the Shiro User mailing list archive at Nabble.com.
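As an added illustration (not code from the thread or from the Shiro project), here is a Spring MVC controller of the kind the `/api/** = authcBasic[permissive]` mapping above would sit in front of. It assumes a hypothetical package and bean name, and that the controller is declared in the same Spring context as the AuthorizationAttributeSourceAdvisor and DefaultAdvisorAutoProxyCreator; the explicit Subject check in the last method does not depend on the AOP proxy at all and serves as a way to tell the two failure modes apart.

```java
// Added example: a controller behind "/api/** = authcBasic[permissive]".
// "permissive" lets requests without credentials through the filter, so a
// method-level annotation is the only thing that denies an anonymous caller.
// Assumption: this bean lives in the same Spring ApplicationContext as the
// advisor and auto-proxy creator. An advisor declared only in the root
// context does not proxy controllers created by the DispatcherServlet's own
// context, and the annotation is then never enforced.
package example.api; // hypothetical package

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class ApiController {

    // Anonymous callers are let in by the permissive filter and may read.
    @RequestMapping("/api/items")
    @ResponseBody
    public String listItems() {
        return "[]";
    }

    // Enforced by Shiro's AOP advisor: when the proxy is in place, an
    // anonymous caller gets an UnauthenticatedException before the body runs.
    // Turning that exception into a 401 challenge is left to the application.
    @RequestMapping("/api/items/delete")
    @ResponseBody
    @RequiresAuthentication
    public String deleteItems() {
        return "deleted";
    }

    // Defensive variant that does not rely on the proxy: check the Subject
    // explicitly. If this method rejects anonymous callers while
    // deleteItems() does not, the advisor is not intercepting this bean.
    @RequestMapping("/api/items/purge")
    @ResponseBody
    public String purgeItems() {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            throw new UnauthenticatedException("login required");
        }
        return "purged";
    }
}
```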