  • Anonymous Authentication

    I'm having trouble understanding the function of this filter. I consulted the reference material (http://acegisecurity.org/docbook/acegi.html) and it contains this explanation:

    Code:
    Particularly in the case of web request URI security, sometimes it is more 
    convenient to assign configuration attributes against every possible secure 
    object invocation. 
    Put differently, sometimes it is nice to say ROLE_SOMETHING is required by 
    default and only allow certain exceptions to this rule, such as for login, 
    logout and home pages of an application.

    The explanation above is not really making much sense to me. At the moment I'm running the acegi-sample-security-tutorial app. Anonymous authentication is present within this app. I don't understand how it fits in and what it's supposed to be doing, from a user or developer point of view.

  • #2
    The idea is to assign roles even without login

    The general idea is to define a role like "ROLE_ANONYMOUS", and allow the Anonymous filter to grant that role in the event the user doesn't go through any authentication process.

    Then, you can use FilterSecurityInterceptor to define which pages "only" need anonymous access. If most of your web app is like that, then great. You only need to put the higher level access on the special pages, and have some type of ExceptionTranslationFilter reroute the user to a login page should they try to tap it.

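    As an added example (not the sample app's own configuration and not posted in this thread), an Acegi 1.0-style bean definition that wires up what Greg describes: the anonymous filter grants ROLE_ANONYMOUS whenever nothing else authenticated the request, the FilterSecurityInterceptor makes ROLE_USER the default for every URL and lists only the login and home pages as exceptions, and the ExceptionTranslationFilter sends an anonymous principal to the login page instead of returning access denied. Bean ids, the key value and the URL patterns are assumptions, and the `authenticationManager`, `accessDecisionManager`, `httpSessionContextIntegrationFilter` and `authenticationProcessingFilter` beans are assumed to be defined elsewhere.

```xml
<!-- Added example; bean ids, key and URL patterns are assumed, not from the sample app. -->
<beans>
  <!-- Must run after the login filter: if the SecurityContextHolder is still empty it
       stores an AnonymousAuthenticationToken carrying ROLE_ANONYMOUS, so later code
       (interceptors, audit hooks) always finds an Authentication and never null. -->
  <bean id="anonymousProcessingFilter"
        class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <property name="key" value="changeThisKey"/>   <!-- assumed value; keep it private -->
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
  </bean>

  <!-- Lets the AuthenticationManager accept the token above; the key must match. -->
  <bean id="anonymousAuthenticationProvider"
        class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key" value="changeThisKey"/>
  </bean>

  <!-- On AccessDeniedException for an anonymous principal, redirect to the login page
       rather than answering 403; a logged-in user lacking the role still gets denied. -->
  <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
      <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl" value="/login.jsp"/>
      </bean>
    </property>
  </bean>

  <!-- Deny by default: /** requires ROLE_USER; only the listed pages also accept
       ROLE_ANONYMOUS. First matching pattern wins, so the exceptions come first. -->
  <bean id="filterInvocationInterceptor"
        class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /login.jsp*=ROLE_ANONYMOUS,ROLE_USER
        /index.jsp=ROLE_ANONYMOUS,ROLE_USER
        /**=ROLE_USER
      </value>
    </property>
  </bean>

  <!-- Filter order for every URL: session integration, form login, anonymous fallback,
       exception translation, then the access check. -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      </value>
    </property>
  </bean>
</beans>
```

    With a RoleVoter behind `accessDecisionManager`, a request to a page mapped only to ROLE_USER by an anonymous visitor fails the vote, the ExceptionTranslationFilter sees the anonymous principal and redirects to /login.jsp; adding a new page needs no configuration change because /**=ROLE_USER already covers it.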
    • #3
      Originally posted by gregturn
      The general idea is to define a role like "ROLE_ANONYMOUS", and allow the Anonymous filter to grant that role in the event the user doesn't go through any authentication process.

      Then, you can use FilterSecurityInterceptor to define which pages "only" need anonymous access. If most of your web app is like that, then great. You only need to put the higher level access on the special pages, and have some type of ExceptionTranslationFilter reroute the user to a login page should they try to tap it.
      Thanks for the explanation, Greg. Makes sense now. I think what made me confused is the fact that I don't understand the need for this. Why do you need to define an anonymous role when simply defining a role means that anything other is already anonymous (as you have pointed out)?

      • #4
        I think this is also a good usage of it. I know people that do exactly that to collect statistics.
        There are also other situations where anonymous authentication would be desired, such as when an auditing interceptor queries the SecurityContextHolder to identify which principal was responsible for a given operation. Such classes can be authored with more robustness if they know the SecurityContextHolder always contains an Authentication object, and never null.
        http://www.acegisecurity.org/docbook...html#anonymous
