[SHIRO-526] Handle Anonymous / Guest user permissions. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Authentication (log-in), Authorization (access control)
Labels:
None

Description

From:

Currently Shiro does NOT allow for an anonymous user (i.e. principal == null) to have permissions. This makes things more challenging for applications that are base around permissions (i.e. WildCardPermission strings)

From:
http://shiro-user.582556.n2.nabble.com/Can-anonymous-user-have-permissions-td7580431.html

I feel like Shiro should support this kind of use case. And it would just add new flag to subject, along to existing:

isAuthenticated (have principal and authenticated = true)

isRemembered (have principal and authenticated = false)

isAnonymous (have anonPrincipal and authenticated = false)

isGuest (have nothing)

In the above case i think we should collapse the idea of anonymous and guess into one 'guest' to match other naming in the code base.

This also implies that Permission checking would be allowed if the subject does NOT have a principal:
https://github.com/apache/shiro/blob/trunk/core/src/main/java/org/apache/shiro/subject/support/DelegatingSubject.java#L162

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Brian Demers

Votes:: 3 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 22/Feb/15 18:57

Updated:: 22/Feb/15 18:57