shiro-dev mailing list archives

From "Brian Demers (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-526) Handle Anonymous / Guest user permissions.
Date Sun, 22 Feb 2015 18:58:11 GMT
Brian Demers created SHIRO-526:
----------------------------------

             Summary: Handle Anonymous / Guest user permissions.
                 Key: SHIRO-526
                 URL: https://issues.apache.org/jira/browse/SHIRO-526
             Project: Shiro
          Issue Type: Improvement
          Components: Authentication (log-in), Authorization (access control) 
            Reporter: Brian Demers
            Priority: Minor


From:

Currently Shiro does NOT allow for an anonymous user (i.e. principal == null) to have permissions.
This makes things more challenging for applications that are based around permissions (i.e.
WildCardPermission strings).

From:
http://shiro-user.582556.n2.nabble.com/Can-anonymous-user-have-permissions-td7580431.html
{quote}
I feel like Shiro should support this kind of use case. And it would just add a new flag to
the subject, along with the existing ones:
- isAuthenticated (have principal and authenticated = true)
- isRemembered (have principal and authenticated = false)
- isAnonymous (have anonPrincipal and authenticated = false)
- isGuest (have nothing)
{quote} 

In the above case I think we should collapse the idea of anonymous and guest into one 'guest'
to match other naming in the code base.

This also implies that Permission checking would be allowed if the subject does NOT have a
principal:
https://github.com/apache/shiro/blob/trunk/core/src/main/java/org/apache/shiro/subject/support/DelegatingSubject.java#L162



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
