At the present time, the only way to use anonymous users is to not supply a Credentials object in the Repository.login methods. We should have an AnonymousCredentials class in 'modeshape-jcr-api' that can be used by applications that prefer to have a Credentials object:

Session session = repository.login(new AnonymousCredentials());

This would be done today with:

Session session = repository.login();

or

Session session = repository.login(null,workspaceName);

Also, we should create a ServletCredentials implementation in 'modeshape-web-jcr' that could be used as follows:

HttpServletRequest request = ...
Session session = repository.login(new ServletCredentials(request));

This is a little easier than the current mechanism:

HttpServletRequest request = ...
SecurityContext securityContext = new ServletSecurityContext(request);
Session session = repository.login(new SecurityContextCredentials(securityContext));

This change would not break any existing application code, but merely provides alternatives that are slightly easier to use.