shiro-user mailing list archives

From Ryan McKinley <>
Subject Authorization without Authentication?
Date Mon, 30 Mar 2009 14:14:44 GMT

I'm starting to grok how Ki is structured and who is responsible for
what.  As mentioned, I am building an app where I want any user to be  
able to do anything until security is enabled then I want to check  
some configured Realm for authentication etc.

The key thing I realized is that I need to limit access based on  
"hasPermission" rather than "isInRole" -- this way an Authorizer could
just return 'new AllPermission()'

I have a SecurityManager configured with a ModularRealmAuthorizer to  
grant all permissions:

     ArrayList<Realm> realms = new ArrayList<Realm>( 1 );
     realms.add( new FullAccessRealm() );
     ModularRealmAuthorizer authz = new ModularRealmAuthorizer( realms );
     sm.setAuthorizer( authz );

This seems to work fine *after* the user has authenticated, but I want  
this to work *before* they authenticate.

Any pointers?  Does Authorization only get called when Authentication  

Do I have to automatically authenticate with an 'anonymous' user
account and then use that for Authorization?  If so, how do I
automatically authenticate (so the user *never* sees a login box)?

thanks again