Authenticated users mean the users who are logged in. Everyone means every user, whether they are logged in or not. So it's mostly your second point: playing with AI does not require an account, but a user must log in first if he or she wants to use other features like save/resume games.

rodthung wrote:

Do we have to further implement user validation for registration part ?

No. I removed the requirement from HW4 but forgot to add it back, which means you don't need to implement it any more.

hhuang30 wrote:

Two more points.

1. Can we customize default login page?

  for example, I want to add "registration" choice on the login page (/j_spring_security_check)

2. Right now we have two tables for authentication check "users" and "authorities", so if we want to create a new account, we not only have to insert a row to "users" table (UserDao), but also have to insert a row to "authorities" table, right?

Thanks in advance

 

1. Of course.

2. Yes. The easiest way to do this is to add a roles field to the User class, e.g.

You can map this field to the authorities table, and whenever a new user is registered, you can give the user a "ROLE_USER" or something. If you do it this way, you also need to provide a "authorities-by-username-query" to <jdbc-user-service> as your authorities table will be using user id as foreign key while the Spring Security default schema uses username as foreign key.