
Thread: Anonymous Authentication

  1. #1
    Join Date
    Nov 2006
    Posts
    110

    Anonymous Authentication

    I'm having trouble understanding the function of this filter. I consulted the reference material (http://acegisecurity.org/docbook/acegi.html) and it contains this explanation:

    Code:
    Particularly in the case of web request URI security, sometimes it is more convenient to assign configuration attributes against every possible secure object invocation. Put differently, sometimes it is nice to say ROLE_SOMETHING is required by default and only allow certain exceptions to this rule, such as for login, logout and home pages of an application.

    The explanation above is not really making much sense to me. At the moment I'm running the acegi-sample-security-tutorial app. Anonymous authentication is present within this app. I don't understand how it fits in and what it's supposed to be doing, from a user or developer point of view.

  2. #2
    Join Date
    Aug 2006
    Posts
    382

    The idea is to assign roles even without login

    The general idea is to define a role like "ROLE_ANONYMOUS", and allow the Anonymous filter to grant that role in the event the user doesn't go through any authentication process.

    Then, you can use FilterSecurityInterceptor to define which pages "only" need anonymous access. If most of your web app is like that, then great. You only need to put the higher level access on the special pages, and have some type of ExceptionTranslationFilter reroute the user to a login page should they try to tap it.
    Greg L. Turnquist (@gregturn), SpringSource/VMware
    Project Lead: Spring Python and author of Spring Python 1.1 and Python Testing Cookbook.
    Listen to Pond Jumpers, the international podcast for open source developers.
    These comments are my own personal opinions, and do not reflect those of my company.
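As an added configuration example (not from this thread, and not the Acegi sample's own file), here is how the pieces Greg names fit together in an Acegi 1.0-style Spring application context: the anonymous filter grants ROLE_ANONYMOUS to any request that reaches it with an empty SecurityContext, the FilterSecurityInterceptor makes that role sufficient for every URL except /secure/**, and the ExceptionTranslationFilter sends an anonymous caller who hits a protected page to the login form. The bean ids, the /secure/** paths, the role names, the login page URL and the shared key value are assumptions of this example, and the httpSessionContextIntegrationFilter, authenticationProcessingFilter and daoAuthenticationProvider beans it references are assumed to be defined elsewhere in the context.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

  <!-- Filter order matters: the anonymous filter runs AFTER the real login
       filter (so it only fills a still-empty SecurityContext) and BEFORE the
       ExceptionTranslationFilter and the FilterSecurityInterceptor, which both
       rely on an Authentication object being present. -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      </value>
    </property>
  </bean>

  <!-- Grants principal "anonymousUser" with ROLE_ANONYMOUS when nobody has
       logged in. The key must match the AnonymousAuthenticationProvider below;
       "changeThis" is a placeholder (assumed value), use a per-deployment secret. -->
  <bean id="anonymousProcessingFilter"
        class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <property name="key" value="changeThis"/>
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
  </bean>

  <bean id="anonymousAuthenticationProvider"
        class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key" value="changeThis"/>
  </bean>

  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="daoAuthenticationProvider"/>       <!-- assumed: the real user store -->
        <ref local="anonymousAuthenticationProvider"/>
      </list>
    </property>
  </bean>

  <!-- RoleVoter only votes on ROLE_* attributes; AffirmativeBased grants on any
       single affirmative vote. -->
  <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false"/>
    <property name="decisionVoters">
      <list><bean class="org.acegisecurity.vote.RoleVoter"/></list>
    </property>
  </bean>

  <!-- "A role is required by default, with a few exceptions" expressed through
       ROLE_ANONYMOUS: every URL is open to anonymous callers except /secure/**.
       A logged-in user is NOT anonymous (their own roles replace the anonymous
       token), so ROLE_USER and ROLE_SUPERVISOR must also be listed on the
       catch-all line or authenticated users would lose the public pages. -->
  <bean id="filterInvocationInterceptor"
        class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /secure/admin/**=ROLE_SUPERVISOR
        /secure/**=ROLE_USER,ROLE_SUPERVISOR
        /**=ROLE_ANONYMOUS,ROLE_USER,ROLE_SUPERVISOR
      </value>
    </property>
  </bean>

  <!-- Translates the interceptor's exceptions: an anonymous caller denied on
       /secure/** is redirected to the login form, while a logged-in user who
       lacks the role gets an access-denied response instead. -->
  <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
      <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl" value="/acegilogin.jsp"/>
        <property name="forceHttps" value="false"/>
      </bean>
    </property>
  </bean>
</beans>
```

The distinction in the last comment is the practical reason the anonymous role exists: the ExceptionTranslationFilter can only decide between "send to login" and "access denied" if it can tell an anonymous Authentication from a real one, which it cannot do when the SecurityContext is simply null. A quick check when adapting this is to request a /secure/** page in a fresh browser session and confirm you land on the login form rather than a 403.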

  3. #3
    Join Date
    Nov 2006
    Posts
    110


    Quote Originally Posted by gregturn View Post
    The general idea is to define a role like "ROLE_ANONYMOUS", and allow the Anonymous filter to grant that role in the event the user doesn't go through any authentication process.

    Then, you can use FilterSecurityInterceptor to define which pages "only" need anonymous access. If most of your web app is like that, then great. You only need to put the higher level access on the special pages, and have some type of ExceptionTranslationFilter reroute the user to a login page should they try to tap it.

    Thanks for the explanation Greg. Makes sense now. I think what made me confused is the fact that I don't understand the need for this. Why do you need to define an anonymous role when simply defining a role means that anything other is already anonymous (as you have pointed out)?

  4. #4
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424


    I think this is also a good usage of it. I know people that do exactly that to collect statistics.
    There are also other situations where anonymous authentication would be desired, such as when an auditing interceptor queries the SecurityContextHolder to identify which principal was responsible for a given operation. Such classes can be authored with more robustness if they know the SecurityContextHolder always contains an Authentication object, and never null.
    http://www.acegisecurity.org/docbook...html#anonymous
