shiro-user mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject Re: rememberme doesn't work in sample web application
Date Tue, 03 Feb 2009 17:43:54 GMT
Hi Csaba,

The RememberMeManager will _not_ mark a Subject as authenticated.
Authentication is the act of proving you are who you say you are.  When a
user is remembered, the system has a good idea who the user is, but this is
not actual proof.

Please see this for an explanation of why:

http://www.jsecurity.org/api/org/jsecurity/authc/RememberMeAuthenticationToken.html

So you can be 'remembered', but not authenticated.  Authentication state is
only retained during the session when they actually authenticated.  If that
session is stopped or expired, so is their authentication status.

The JavaDoc above should explain why you should still see your name and have
roles and permission access, but still be required to log in if you try to
access a 'security sensitive' part of the application.

I hope that helps :)

Cheers,

Les

On Tue, Feb 3, 2009 at 10:19 AM, Csaba Nemeth <csaba_nemeth@yahoo.ca> wrote:

>
> Hi Les,
>
> I debugged the filter and rememberme manager.
> Probably I misunderstand something.
>
> Should the rememberme manager recreate the subject as authenticated user, or
> just validate the cookie content, recreate the subject with roles, but not
> mark it as authenticated?
>
> The information what the home page displays suggests that the user is valid
> (logged in) on server side - as it shows the username and roles. But then
> again it is a sample application.
>
> So the change needed in the sample app is to show the username in the login
> window that was displayed during a non-authenticated access to the
> protected 'account' page with a valid principal in the session, and perhaps
> display on the home page that the subject is not authenticated?
>
> Thanks,
> Csaba
>
>
> Les Hazlewood-2 wrote:
> >
> > Hi Csaba,
> >
> > It did work prior to 9.0 final, but there were some changes/moves with all
> > the sample applications that might cause it to fail.  There is currently a
> > Jira issue to ensure that all sample apps run successfully, as a sanity
> > check, before releasing 1.0.
> >
> > Of course, we'd love to have any contributions you might have that point out
> > where something is failing!  I'm very appreciative of any feedback you may
> > have.
> >
> > Best,
> >
> > Les
> >
> > On Mon, Feb 2, 2009 at 5:05 PM, Csaba Nemeth <csaba_nemeth@yahoo.ca>
> > wrote:
> >
> >>
> >> As it looks like the sample web application should work with remember-me
> >> functionality by default.
> >>
> >> Here is what I try:
> >>  I click login
> >>  I select remember-me checkbox, enter username/password and successfully
> >> login
> >>  I can visit the 'account' page
> >>  I restart browser and visit home page, it looks like I am still logged
> >> in
> >>  when I try to access the 'account' page I am given a login page as if I
> >> wasn't logged in.
> >>
> >> Am I missing something?
> >> Shouldn't this work out of the box?
> >>
> >> I tried with 9.0 final and 1.0 snapshot - both work the same way.
> >>
> >> Thanks,
> >> Csaba
> >> --
> >> View this message in context:
> >>
> http://n2.nabble.com/rememberme-doesn%27t-work-in-sample-web-application-tp2260537p2260537.html
> >> Sent from the JSecurity User mailing list archive at Nabble.com.
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://n2.nabble.com/rememberme-doesn%27t-work-in-sample-web-application-tp2260537p2263828.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
>
>

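The remembered-versus-authenticated distinction Les describes, as an added example that is not code from this thread or from the JSecurity/Shiro project. It assumes the Apache Shiro 1.x API (the renamed successor of JSecurity), where `Subject.isRemembered()` exists alongside `isAuthenticated()`; the `shiro.ini` fragment and the class name `RememberMeState` are hypothetical.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

/*
 * Hypothetical shiro.ini [urls] section for a sample app like the one in the thread:
 *
 *   [urls]
 *   /login.jsp   = authc   # form login; sets the remember-me cookie when the box is ticked
 *   /account/**  = authc   # 'security sensitive': needs authentication in THIS session
 *   /**          = user    # home page: a remembered identity is enough to show name/roles
 *
 * The 'user' filter passes remembered OR authenticated subjects; 'authc' passes only
 * authenticated ones, which produces exactly the behaviour Csaba observed.
 */
public final class RememberMeState {

    public enum State { ANONYMOUS, REMEMBERED, AUTHENTICATED }

    /** Classify the current Subject; the three states are mutually exclusive. */
    public static State of(Subject subject) {
        if (subject.isAuthenticated()) {
            return State.AUTHENTICATED;   // credentials were proven during this session
        }
        if (subject.isRemembered()) {
            return State.REMEMBERED;      // identity recovered from the remember-me cookie only
        }
        return State.ANONYMOUS;
    }

    /** Home-page text that shows the difference instead of implying a full login. */
    public static String greeting(Subject subject) {
        Object who = subject.getPrincipal();
        switch (of(subject)) {
            case AUTHENTICATED: return "Logged in as " + who;
            case REMEMBERED:    return "Welcome back, " + who + " (not logged in; sign in for account pages)";
            default:            return "Welcome, guest";
        }
    }

    /** Login as the sample form does; rememberMe=true asks the RememberMeManager to set its cookie. */
    public static void login(String username, char[] password, boolean rememberMe) {
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken(username, password, rememberMe));
        // isAuthenticated() is now true until this session ends; in a later browser
        // session the cookie yields isRemembered() == true and isAuthenticated() == false
    }
}
```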