Currently Shiro does NOT allow for an anonymous user (i.e. principal == null) to have permissions. This makes things more challenging for applications that are base around permissions (i.e. WildCardPermission strings)
I feel like Shiro should support this kind of use case. And it would just add new flag to subject, along to existing:
- isAuthenticated (have principal and authenticated = true)
- isRemembered (have principal and authenticated = false)
- isAnonymous (have anonPrincipal and authenticated = false)
- isGuest (have nothing)
In the above case i think we should collapse the idea of anonymous and guess into one 'guest' to match other naming in the code base.
This also implies that Permission checking would be allowed if the subject does NOT have a principal: