[08:23:56 CST(-0600)] <TonyUnicon> good morning Patty, did you schedule the meeting for today? I didn't get anything
[08:25:11 CST(-0600)] <Patty_> on the list of to-dos for this morning
[08:25:16 CST(-0600)] <Patty_> I will send here in a bit
[09:35:49 CST(-0600)] <TonyUnicon> good morning Dan, I have a question about the security stuff
[09:36:03 CST(-0600)] <TonyUnicon> for unauthenticated mode
[09:36:17 CST(-0600)] <dmccallum54> k
[09:36:19 CST(-0600)] <TonyUnicon> how do we allow these requests when a user is not signed in
[09:36:28 CST(-0600)] <TonyUnicon> is it possible?
[09:37:01 CST(-0600)] <dmccallum54> i think so. one sec.
[09:44:58 CST(-0600)] <TonyUnicon> also, what is the mvn goal to minify javascript? it does not seem to do it on install
[09:46:44 CST(-0600)] <dmccallum54> ok… security… there are a few different url spaces for mygps right… there's the fragment space (owned by the portal), there's the api space, and there's the portal-independent UI space
[09:48:07 CST(-0600)] <dmccallum54> for the fragment space, you're never going to be accessing that anonymously, right? you'd only be going that route if you've decided you need to authenticate and the portal needs somewhere to redirect you. so we might not need to do anything special there
[09:49:55 CST(-0600)] <dmccallum54> for the API space… i don't see any special interceptors configured for that space… which means security should depend entirely on method-level annotations. so i think we'd just need to go through those and figure out which ones can/should be accessible anonymously
[09:51:25 CST(-0600)] <dmccallum54> for those that can be accessed anonymously, i think the annotation would be a spring EL expression that allows either authenticated or anonymous users… i'd just have to experiment to figure out exactly what works
[09:53:15 CST(-0600)] <dmccallum54> if GPS needs to access other, existing SSP API URLs which have already been locked down and don't allow anonymous access then we probably need to double check with russ on whether we can just throw those APIs open or if we need to concoct a GPS-only flavor of those APIs that only expose the "non-sensitive bits"