shiro-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kalle Korhonen <>
Subject Rememberme vs authentication
Date Tue, 16 Jun 2009 05:36:13 GMT
Shiro makes this artificial, strong separation between rememberme and
authentication. In the javadocs for RememberMeAuthenticationToken
it is said that "Authentication is the process of proving you are who
you say you are". It is stated that rememberme is not considered an
authentication and implied that only using username/password can be
used for an "actual authentication". However, in practice there's no
way to know that whoever supplied the password is who they say they
are and passwords are generally not considered the strongest form of
authentication. Shiro's default rememberme implementation results in
no or very weak authentication, but there are alternatives that
results in stronger form of key-based authentication. Private/public
keys are often considered equally strong authentication to
username/password and for remember me, using rolling tokens (as
described for example at
makes remembering the identity a much more secure process.

I've implemented rolling token-based remember cookies with Acegi in
the past, and now I'd like to do the same with Shiro. Considering the
view Shiro takes to rememberme, I wonder if it would make more sense
to implement a custom RememberMeManager or a custom authentication
filter for it. Current implementation doesn't allow you to authorize
the principal for anything when rememberMe is used, but I might like
to grant weaker roles to user that has been identified/authenticated
with a rolling token. I didn't find any built-in support for this type
of authentication so I'd also be interested in reviewing and possibly
reusing any existing code if somebody has already implemented
something like what I have in mind.


View raw message