(sorry not on same thread, could not get ezmlm to fetch me the right mail to reply to)

Hey Toby, er I mean Brian :-)

When building an anonymous subject like you do here: https://github.com/bdemers/shiro/blob/anonymous-user-roles/samples/anonymous-user-roles/src/main/java/Quickstart.java#L130

How do we get this into the system? I don't think we want to subject.login() that user, but I'm wondering if we can/should simply ThreadContext.bind(subject) (and then unbind it on the way out)?

Tamas tossed up this as an example: https://github.com/sonatype/nexus-oss/commit/ad1d703125ec1be1d0eae00492939d60de38a701#diff-c82a898a4ce4094080b2cb98d3567affR38

Will this work and properly get the anonymous subject managed so that the rest of Shiro's systems behave properly? Tamas had another example below it that does a login(), but I don't think that is proper, as well as it's much more expensive as it dives into the Shiro frameworks, not something we want to do on each request w/o authentication.

This branch also has a special realm, but I'm not sure if that is actually needed, or whether something like "n/a" for realm-name as you have in your example, w/o a realm bound to that name, is sufficient?

And yes, generally we'd like to be able to have a way to grant _guest_ a set of roles/permissions, but presently the Shiro frameworks can only do this if a subject has a principal, and a _guest_ is a subject w/o a principal. It may not matter however for our case; if you remember, we have to be able to allow the _anonymous_ username to be changed for some crazy reason, so we can not really use the _guest_ concept at all, but have to continue using an _anonymous_ (non-authenticated, non-remembered, non-logged-in) user.

Part of the problems we had before (and/or currently) is that we were _logging in_ that user, so they became _authenticated_, which totally messed up some uses of @RequiresAuthentication and other bits that one would expect not to be reachable w/o an authenticated user with proper credentials.

—jason
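The pattern the post is asking about, written out as an added example that is not code from the post, from Brian's branch or from the Nexus commit: build a Subject that carries a principal but is explicitly not authenticated, bind it to the thread for the duration of a request with ThreadContext.bind(), and unbind it on the way out. The realm name "n/a" on the principal collection and the account name "anonymous" are constructed sample values; the SimpleAccountRealm is a stand-in for whatever realm the application uses to attach roles to the anonymous principal (it is assumed here, not taken from the post, that authorization works through the normal realms without a realm registered under the name "n/a"). No login() is performed, so the password on the sample account is never checked.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class AnonymousSubjectExample {

    // The anonymous username is a parameter because the post says it must be
    // configurable; "anonymous" below is only a constructed sample value.
    static DefaultSecurityManager buildSecurityManager(String anonymousUsername) {
        SimpleAccountRealm realm = new SimpleAccountRealm("sample-realm");
        // Password is never used: this account is authorized, never authenticated.
        realm.addAccount(anonymousUsername, "never-checked", "readonly");
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(sm);
        return sm;
    }

    // Build a Subject with a principal (so realms can hand it roles) but with
    // authenticated=false, so @RequiresAuthentication and isAuthenticated() still
    // treat it as not logged in. No session is created for it.
    static Subject buildAnonymousSubject(org.apache.shiro.mgt.SecurityManager sm,
                                         String anonymousUsername) {
        return new Subject.Builder(sm)
                .principals(new SimplePrincipalCollection(anonymousUsername, "n/a"))
                .authenticated(false)
                .sessionCreationEnabled(false)
                .buildSubject();
    }

    // Bind the subject to the current thread for the scope of one request and
    // always unbind it, so the subject cannot leak into the next request that
    // happens to run on the same thread.
    static boolean hasRoleWhileBound(Subject anonymous, String role) {
        ThreadContext.bind(anonymous);
        try {
            Subject current = SecurityUtils.getSubject();
            // Role must come through, and the subject must still read as not authenticated.
            return current.hasRole(role) && !current.isAuthenticated();
        } finally {
            ThreadContext.unbindSubject();
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = buildSecurityManager("anonymous");
        Subject anonymous = buildAnonymousSubject(sm, "anonymous");
        System.out.println("readonly role granted while bound, still unauthenticated: "
                + hasRoleWhileBound(anonymous, "readonly"));
        System.out.println("subject bound after request: "
                + (ThreadContext.getSubject() != null));
    }
}
```

The bind/unbind pair in a try/finally is the part that matters operationally: if the unbind is skipped on an exception path, the anonymous subject stays attached to a pooled thread and the next request on that thread inherits it. Subject.execute(Callable) and Subject.associateWith(Runnable) wrap the same bind-and-restore for you and also put back whatever subject was previously bound, which is the safer choice when the request thread may already carry a subject.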
