Shiro / SHIRO-526

Handle Anonymous / Guest user permissions.

    Details

      Description

      From:

      Currently Shiro does NOT allow for an anonymous user (i.e. principal == null) to have permissions. This makes things more challenging for applications that are based around permissions (i.e. WildcardPermission strings).

      From:
      http://shiro-user.582556.n2.nabble.com/Can-anonymous-user-have-permissions-td7580431.html

      I feel like Shiro should support this kind of use case. And it would just add a new flag to the subject, alongside the existing ones:

      • isAuthenticated (have principal and authenticated = true)
      • isRemembered (have principal and authenticated = false)
      • isAnonymous (have anonPrincipal and authenticated = false)
      • isGuest (have nothing)

      In the above case I think we should collapse the idea of anonymous and guest into one 'guest' to match other naming in the code base.

      This also implies that Permission checking would be allowed if the subject does NOT have a principal:
      https://github.com/apache/shiro/blob/trunk/core/src/main/java/org/apache/shiro/subject/support/DelegatingSubject.java#L162

            People

            • Assignee:
              Unassigned
              Reporter:
              bdemers Brian Demers
            • Votes:
              3
              Watchers:
              3
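A sketch of the behaviour the issue asks for, written against Shiro's public `Subject` and `WildcardPermission` API. This is an added example, not code from the Shiro project or from the issue: the `GuestPermissions` class, its method names and the sample permission strings are hypothetical. It assumes Shiro is on the classpath and that guest grants are a fixed allow-list with default deny.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper (not a Shiro class): explicit allow-list for subjects without principals. */
public final class GuestPermissions {
    private final List<Permission> guestGrants = new ArrayList<>();

    public GuestPermissions(String... wildcardStrings) {
        for (String s : wildcardStrings) {
            guestGrants.add(new WildcardPermission(s));
        }
    }

    /** Guest path: default deny, true only if a configured grant implies the request. */
    public boolean guestAllows(String permission) {
        Permission requested = new WildcardPermission(permission);
        for (Permission granted : guestGrants) {
            if (granted.implies(requested)) {
                return true;
            }
        }
        return false;
    }

    /** Subjects with principals keep Shiro's normal check; only principal-less ones use the guest list. */
    public boolean isPermitted(Subject subject, String permission) {
        PrincipalCollection principals = subject.getPrincipals();
        if (principals != null && !principals.isEmpty()) {
            return subject.isPermitted(permission);
        }
        return guestAllows(permission);
    }

    public static void main(String[] args) {
        // Constructed sample grants and requests, for illustration only.
        GuestPermissions guest = new GuestPermissions("article:read", "comment:read,create");
        for (String p : new String[] {"article:read:42", "comment:create", "article:delete", "user:*"}) {
            System.out.println(p + " -> " + guest.guestAllows(p));
        }
    }
}
```

Keeping the guest grants in a separate, explicitly configured list means a subject that loses its principals can never gain more than what was deliberately opened to unauthenticated callers.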