Author: bdemers
Date: Tue Nov 22 15:07:30 2016
New Revision: 1770852
URL: http://svn.apache.org/viewvc?rev=1770852&view=rev
Log:
Update java-authentication-guide.md.vtl
Modified:
shiro/site/publish/java-authentication-guide.html
Modified: shiro/site/publish/java-authentication-guide.html
URL:
http://svn.apache.org/viewvc/shiro/site/publish/java-authentication-guide.html?rev=1770852&r1=1770851&r2=1770852&view=diff
==============================================================================
--- shiro/site/publish/java-authentication-guide.html (original)
+++ shiro/site/publish/java-authentication-guide.html Tue Nov 22 15:07:30 2016
@@ -316,7 +316,7 @@ currentUser.login(token);
<p>In shiro it is very important to note that a remembered subject is not an
authenticated subject. A check against <code>isAuthenticated()</code> is a much
more strict check because authentication is the process of proving you are who
you say you are. When a user is only remembered, the remembered identity gives
the system an idea who that user probably is, but in reality, has no way of
absolutely guaranteeing if the remembered Subject represents the user currently
using the application. Once the subject is authenticated, they are no longer
considered only remembered because their identity would have been verified
during the current session.</p>
<p>So although many parts of the application can still perform user-specific
logic based on the remembered principals, such as customized views, it should
never perform highly-sensitive operations until the user has legitimately
verified their identity by executing a successful authentication attempt.</p>
<p>For example, a check to see if a subject can access financial information
should almost always depend on <code>isAuthenticated()</code>, not
<code>isRemembered()</code>, to guarantee a verified identity.</p>
-<p>He is a scenario to help illustrate why the the distinction between
isAuthenticated and isRemembered is important.</p>
+<p>Here is a scenario to help illustrate why the the distinction between
isAuthenticated and isRemembered is important.</p>
<p>Let’s say you’re using Amazon.com. You log in and you add some
books to your shopping cart. A day goes by. Of course your user session has
expired and you’ve been logged out. But Amazon “remembers”
you, greets you by name, and is still giving you personalized book
recommendations. To Amazon, <code>isRemembered()</code> would return
<code>TRUE</code>. What happens if you try to use one of the credit cards on
file or change your account information? While Amazon “remembers”
you, <code>isRemembered() = TRUE</code>, it is not certain that you are in fact
you, <code>isAuthenticated()=FALSE</code>. So before you can perform a
sensitive action Amazon needs to verify your identity by forcing an
authentication process which it does through a login screen. After the login,
your identity has been verified and <code>isAuthenticated()=TRUE</code>.</p>
<p>This scenario happens very often over the web so the functionality is built
into Shiro helping you easily make the distinction yourself.</p>
<a name="JavaAuthenticationGuide-LoggingOut"></a>
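Review bot: the replacement line still carries the doubled "the the" ("why the the distinction"), so the sentence is only half fixed; suggest `<p>Here is a scenario to help illustrate why the distinction between` for the `+` line. While touching it, the two method names in the same sentence could be wrapped as `<code>isAuthenticated()</code>` and `<code>isRemembered()</code>` to match the surrounding paragraphs, which mark them up that way. Also, the log message says the source template `java-authentication-guide.md.vtl` was updated, but only `shiro/site/publish/java-authentication-guide.html` appears under Modified; if the wording change was made only in the generated HTML it will be lost the next time the site is regenerated, so the template change should be part of this commit (or a follow-up).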