Mailing-List: contact user-help@shiro.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@shiro.apache.org
Received-SPF: pass (athena.apache.org: domain of jason.dillon@gmail.com
 designates 209.85.216.51 as permitted sender)
Date: Thu, 12 Feb 2015 21:11:29 -0800
From: Jason Dillon <jason.dillon@gmail.com>
To: user@shiro.apache.org, Brian Demers <brian.demers@gmail.com>
Message-ID: <etPan.54dd8782.6fbf29cb.1b5@Lust.local>
In-Reply-To: 
 <CAH9eYVrWa0a+zCSxeNkZ6L8QHTemL9GbyVfypR-C9Wt5ZSRR8A@mail.gmail.com>
References: <etPan.54dc18c2.53e31a24.1b5@Lust.local>
 <CAH9eYVrWa0a+zCSxeNkZ6L8QHTemL9GbyVfypR-C9Wt5ZSRR8A@mail.gmail.com>
Subject: Re: Can anonymous user have permissions?
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="54dd8782_550b8808_1b5"

--54dd8782_550b8808_1b5
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Tamas tossed up this as an example:

https://github.com/sonatype/nexus-oss/commit/ad1d703125ec1be1d0eae0049293=
9d60de38a701=23diff-c82a898a4ce4094080b2cb98d3567affR38

That should work, but it seems like a long way to go for something that =5F=
should=5F just work.
Another idea to consider, is just setting the default principal to 'anony=
mous' via a Subject=46actory

https://github.com/bdemers/shiro/compare/bdemers:anonymous-user-roles...a=
non-take-2=23diff-c592bbcd955d97db3e51216509533851R10

and then injecting that component:=C2=A0https://github.com/bdemers/shiro/=
compare/bdemers:anonymous-user-roles...anon-take-2=23diff-0d740ecf6abf4b3=
6742a10db24b7b8c7R28

(i'm not sure how this plays with the rememberMe functionality, but addin=
g just adding this as a thought)
=46TR I had no idea there was a DefaultSubject=46actory. =C2=A0I think ho=
wever since that might be global, that a filter in this case may be bette=
r, but have to think about it more now that I realize there is a feature =
to set the default subject via factory.


Will this work and property get the anonymous subject managed so that the=
 rest of Shiros systems behave properly=3F=C2=A0 Tamas had another exampl=
e below it that does a login() but I don't think that is proper, as well =
as its much more expensive as it dives into shiro frameworks, not somethi=
ng we want to do on each request w/o authentication.

This branch also has a special realm, but I'm not sure if that is actuall=
y needed or something like =22n/a=22 for realm-name as you have in your e=
xample w/o a realm bound to that name is sufficient=3F

Yeah, the anonymous realm would be a better way to deal with that, that w=
ay you could force this user to the anonymous realm (by making it first i=
n your realm list) which means you would not need to worry about the odd =
case of a person trying to login with the 'anonymous' user and becoming a=
uthenticated.
Anonymous realm seems to also provide easy way to shut off anonymous, ano=
ther requirement/use-case we have.


And yes, generally we'd like to be able to have a way to grant =5Fguest=5F=
 a set of roles/permissions but presently the shiro frameworks only can d=
o this if a subject has a principal and a =5Fguest=5F is a subject w/o a =
principal.

I'd like to hear other thoughts on this, because I've banged my head on t=
his before.=C2=A0 I feel you should be able to assign roles/permissions t=
o the =5Fguest=5F user, currently the only way to do this is to force a f=
ake principal into the mix (and then you are no longer really a =5Fguest=5F=
)
Ya, it would be nice if the default delegating impl had some means to say=
 give me the permissions for =5Fguest=5F user. =C2=A0I think we could bui=
ld that ourselves, but it seems like something missing from the core fram=
ework. =C2=A0Would be easier if the delegating took the subject instead o=
f the the subject.principal, and left that detail up to the securitymanag=
er impl.


It may not matter however for our case, if you remember, we have to be ab=
le to allow the =5Fanonymous=5F username to be changed for some crazy rea=
son, so we can not really use the =5Fguest=5F concept at all, but have to=
 continue using an =5Fanonymous=5F (non-authenticated, non-remembered, no=
n-logged-in) user.

Yeah, in your case, that dated back to an old odd requirement (the idea w=
as to allow the anonymous user's info to be pulled from an external sourc=
e i.e. LDAP)
Yar, we can=E2=80=99t even fully remember the details except for somethin=
g like =E2=80=9Cif you use active-directory the =5Fanonymous=5F user is c=
alled =5Fguest=5F. =C2=A0But I think we are on a path now to make this wo=
rk in a simpler fashion, removing the subject.login() should really help.=


I think though that shiro could really do with some proper api around is =
subject.Guest() or subject.isAnonymous() =C2=A0(pick one they mean basica=
lly the same thing), vs. assuming subject.principal=3Dnull implies this a=
nd has no permissions. =C2=A0Many use-cases I think to want to use the pe=
rmission system to allow folks who are anonymous/guest to have access. =C2=
=A0Certainly we have these use-cases. =C2=A0Needing to force in a fake no=
n-authenticated user complicates things, and voids some of the use of =40=
RequireGuest apis.

ATM if we progress we can=E2=80=99t use Shiro concept of =5Fguest=5F at a=
ll. =C2=A0And would have to re-implement =40RequiresGuest and =40Requires=
User to be aware of this special subject.principal=3D<anonymous>. =C2=A0 =
Its do able, and we=E2=80=99ll likely move forward to to this. =C2=A0But =
the framework itself IMO should cope with this edge-case, which isn=E2=80=
=99t limited to use if you ask google.

=C2=A0* * *

=46TR, shiro is very simple if you use it as explained in the limited exa=
mples, but as soon as you get off the path, its vastly complex and hard t=
o comprehend.

Anyways, we may need more input from you guys and I appreciate the respon=
se with details. =C2=A0If there is anything we can contribute back, of co=
urse, we=E2=80=99ll be more than happy to do so=E2=80=A6 but I think this=
 specific issues is a core design limitation to the framework/api that ca=
n as-is only be worked around at present.

=E2=80=94jason
--54dd8782_550b8808_1b5
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<html><head><style>body=7Bfont-family:Helvetica,Arial;font-size:13px=7D</=
style></head><body style=3D=22word-wrap: break-word; -webkit-nbsp-mode: s=
pace; -webkit-line-break: after-white-space;=22><div><blockquote type=3D=22=
cite=22 class=3D=22clean=5Fbq=22 style=3D=22color: rgb(0, 0, 0); font-fam=
ily: Helvetica, Arial; font-size: 13px; font-style: normal; font-variant:=
 normal; font-weight: normal; letter-spacing: normal; line-height: normal=
; orphans: auto; text-align: start; text-indent: 0px; text-transform: non=
e; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-str=
oke-width: 0px;=22><span><div dir=3D=22ltr=22><div class=3D=22gmail=5Fext=
ra=22><div class=3D=22gmail=5Fquote=22><blockquote class=3D=22gmail=5Fquo=
te=22 style=3D=22margin: 0px 0px 0px 0.8ex; border-left-width: 1px; borde=
r-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left:=
 1ex;=22><div style=3D=22word-wrap: break-word;=22><div><div>Tamas tossed=
 up this as an example:</div><div><br></div><div><a href=3D=22https://git=
hub.com/sonatype/nexus-oss/commit/ad1d703125ec1be1d0eae00492939d60de38a70=
1=23diff-c82a898a4ce4094080b2cb98d3567affR38=22 target=3D=22=5Fblank=22>h=
ttps://github.com/sonatype/nexus-oss/commit/ad1d703125ec1be1d0eae00492939=
d60de38a701=23diff-c82a898a4ce4094080b2cb98d3567affR38</a></div></div></d=
iv></blockquote><div><br></div><div>That should work, but it seems like a=
 long way to go for something that =5Fshould=5F just work.</div><div>Anot=
her idea to consider, is just setting the default principal to 'anonymous=
' via a Subject=46actory</div><div><br></div><div><a href=3D=22https://gi=
thub.com/bdemers/shiro/compare/bdemers:anonymous-user-roles...anon-take-2=
=23diff-c592bbcd955d97db3e51216509533851R10=22>https://github.com/bdemers=
/shiro/compare/bdemers:anonymous-user-roles...anon-take-2=23diff-c592bbcd=
955d97db3e51216509533851R10</a><br></div><div><br></div><div>and then inj=
ecting that component:&nbsp;<a href=3D=22https://github.com/bdemers/shiro=
/compare/bdemers:anonymous-user-roles...anon-take-2=23diff-0d740ecf6abf4b=
36742a10db24b7b8c7R28=22>https://github.com/bdemers/shiro/compare/bdemers=
:anonymous-user-roles...anon-take-2=23diff-0d740ecf6abf4b36742a10db24b7b8=
c7R28</a></div><div><br></div><div>(i'm not sure how this plays with the =
rememberMe functionality, but adding just adding this as a thought)</div>=
</div></div></div></span></blockquote></div><p>=46TR I had no idea there =
was a DefaultSubject=46actory. &nbsp;I think however since that might be =
global, that a filter in this case may be better, but have to think about=
 it more now that I realize there is a feature to set the default subject=
 via factory.</p><p><br></p><div><div><blockquote type=3D=22cite=22 class=
=3D=22clean=5Fbq=22 style=3D=22color: rgb(0, 0, 0); font-family: Helvetic=
a, Arial; font-size: 13px; font-style: normal; font-variant: normal; font=
-weight: normal; letter-spacing: normal; line-height: normal; orphans: au=
to; text-align: start; text-indent: 0px; text-transform: none; white-spac=
e: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0p=
x;=22><span><div dir=3D=22ltr=22><div class=3D=22gmail=5Fextra=22><div cl=
ass=3D=22gmail=5Fquote=22><blockquote class=3D=22gmail=5Fquote=22 style=3D=
=22margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: =
rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;=22><div =
style=3D=22word-wrap: break-word;=22><div>Will this work and property get=
 the anonymous subject managed so that the rest of Shiros systems behave =
properly=3F&nbsp; Tamas had another example below it that does a login() =
but I don't think that is proper, as well as its much more expensive as i=
t dives into shiro frameworks, not something we want to do on each reques=
t w/o authentication.</div><div><br></div><div>This branch also has a spe=
cial realm, but I'm not sure if that is actually needed or something like=
 =22n/a=22 for realm-name as you have in your example w/o a realm bound t=
o that name is sufficient=3F</div></div></blockquote><div><br></div><div>=
Yeah, the anonymous realm would be a better way to deal with that, that w=
ay you could force this user to the anonymous realm (by making it first i=
n your realm list) which means you would not need to worry about the odd =
case of a person trying to login with the 'anonymous' user and becoming a=
uthenticated.</div></div></div></div></span></blockquote></div><p>Anonymo=
us realm seems to also provide easy way to shut off anonymous, another re=
quirement/use-case we have.</p><p><br></p><div><div><blockquote type=3D=22=
cite=22 class=3D=22clean=5Fbq=22 style=3D=22color: rgb(0, 0, 0); font-fam=
ily: Helvetica, Arial; font-size: 13px; font-style: normal; font-variant:=
 normal; font-weight: normal; letter-spacing: normal; line-height: normal=
; orphans: auto; text-align: start; text-indent: 0px; text-transform: non=
e; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-str=
oke-width: 0px;=22><span><div dir=3D=22ltr=22><div class=3D=22gmail=5Fext=
ra=22><div class=3D=22gmail=5Fquote=22><blockquote class=3D=22gmail=5Fquo=
te=22 style=3D=22margin: 0px 0px 0px 0.8ex; border-left-width: 1px; borde=
r-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left:=
 1ex;=22><div style=3D=22word-wrap: break-word;=22><div><div>And yes, gen=
erally we'd like to be able to have a way to grant =5Fguest=5F a set of r=
oles/permissions but presently the shiro frameworks only can do this if a=
 subject has a principal and a =5Fguest=5F is a subject w/o a principal.<=
/div></div></div></blockquote><div><br></div><div>I'd like to hear other =
thoughts on this, because I've banged my head on this before.&nbsp; I fee=
l you should be able to assign roles/permissions to the =5Fguest=5F user,=
 currently the only way to do this is to force a fake principal into the =
mix (and then you are no longer really a =5Fguest=5F)</div></div></div></=
div></span></blockquote></div><p>Ya, it would be nice if the default dele=
gating impl had some means to say give me the permissions for =5Fguest=5F=
 user. &nbsp;I think we could build that ourselves, but it seems like som=
ething missing from the core framework. &nbsp;Would be easier if the dele=
gating took the subject instead of the the subject.principal, and left th=
at detail up to the securitymanager impl.</p><p><br></p><div><div><blockq=
uote type=3D=22cite=22 class=3D=22clean=5Fbq=22 style=3D=22color: rgb(0, =
0, 0); font-family: Helvetica, Arial; font-size: 13px; font-style: normal=
; font-variant: normal; font-weight: normal; letter-spacing: normal; line=
-height: normal; orphans: auto; text-align: start; text-indent: 0px; text=
-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -=
webkit-text-stroke-width: 0px;=22><span><div dir=3D=22ltr=22><div class=3D=
=22gmail=5Fextra=22><div class=3D=22gmail=5Fquote=22><blockquote class=3D=
=22gmail=5Fquote=22 style=3D=22margin: 0px 0px 0px 0.8ex; border-left-wid=
th: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid;=
 padding-left: 1ex;=22><div style=3D=22word-wrap: break-word;=22><div><di=
v>It may not matter however for our case, if you remember, we have to be =
able to allow the =5Fanonymous=5F username to be changed for some crazy r=
eason, so we can not really use the =5Fguest=5F concept at all, but have =
to continue using an =5Fanonymous=5F (non-authenticated, non-remembered, =
non-logged-in) user.</div></div></div></blockquote><div><br></div><div>Ye=
ah, in your case, that dated back to an old odd requirement (the idea was=
 to allow the anonymous user's info to be pulled from an external source =
i.e. LDAP)</div></div></div></div></span></blockquote></div><p>Yar, we ca=
n=E2=80=99t even fully remember the details except for something like =E2=
=80=9Cif you use active-directory the =5Fanonymous=5F user is called =5Fg=
uest=5F. &nbsp;But I think we are on a path now to make this work in a si=
mpler fashion, removing the subject.login() should really help.</p><p>I t=
hink though that shiro could really do with some proper api around is sub=
ject.Guest() or subject.isAnonymous() &nbsp;(pick one they mean basically=
 the same thing), vs. assuming subject.principal=3Dnull implies this and =
has no permissions. &nbsp;Many use-cases I think to want to use the permi=
ssion system to allow folks who are anonymous/guest to have access. &nbsp=
;Certainly we have these use-cases. &nbsp;Needing to force in a fake non-=
authenticated user complicates things, and voids some of the use of =40Re=
quireGuest apis.</p><p>ATM if we progress we can=E2=80=99t use Shiro conc=
ept of =5Fguest=5F at all. &nbsp;And would have to re-implement =40Requir=
esGuest and =40RequiresUser to be aware of this special subject.principal=
=3D&lt;anonymous&gt;. &nbsp; Its do able, and we=E2=80=99ll likely move f=
orward to to this. &nbsp;But the framework itself IMO should cope with th=
is edge-case, which isn=E2=80=99t limited to use if you ask google.</p><p=
>&nbsp;* * *</p><p>=46TR, shiro is very simple if you use it as explained=
 in the limited examples, but as soon as you get off the path, its vastly=
 complex and hard to comprehend.</p><p>Anyways, we may need more input fr=
om you guys and I appreciate the response with details. &nbsp;If there is=
 anything we can contribute back, of course, we=E2=80=99ll be more than h=
appy to do so=E2=80=A6 but I think this specific issues is a core design =
limitation to the framework/api that can as-is only be worked around at p=
resent.</p><p>=E2=80=94jason</p></div></div></div></body></html>
--54dd8782_550b8808_1b5--