shiro-dev mailing list archives

From Jared Bunting
Subject Re: SHIRO-283 design: supporting both Form & BASIC authc simultaneously
Date Mon, 15 Aug 2011 17:51:07 GMT
On 08/15/2011 11:48 AM, Les Hazlewood wrote:
> It might also be helpful to think about this in a general sense,
> without being too coupled to Form + BASIC.
> I believe the problem we're trying to solve is:
> 1.  I don't care how my user is authenticated - just that they are
> authenticated.
> 2.  If they're not authenticated yet, I want them to be authenticated
> via one of X, Y or Z (or more) means.
> It might be better to come up with a mechanism for this rather than
> focusing on Form + BASIC details specifically (e.g. throw X.509 into
> the mix or something else).
I agree on coming up with a more general solution.  I feel like this
problem is a subset of another problem, and perhaps related to yet another.

3. At this particular filter level, I don't care if my user is

(I'm using AOP to do authorization in my application code, and there's a
decent chance that certain required permissions are assigned to the
anonymous-user or some functionality may not even have authorization

I'm all for a general solution, and something composition-oriented
sounds great.  I think what I'm interested in is separating the logic of
"authenticate" from "guarantee user is authenticated".

