This is really an end-user decision, based on how they write their application.
JSecurity only requires authentication if the end-user requires it, i.e. if they use the <jsec:authenticated> tag lib or the authc filter for a URL. So, if they configure either of those, JSecurity will enforce it.

The key is that authentication by definition is the verification of a user's identity. If you auto-login a user, you're not verifying their identity, thus it cannot be called authentication. We can call that auto-login if we like, but it is most definitely not authentication ;)

Remember Me is supposed to address this - it is essentially auto-login.

So, ultimately, if they don't want to force a user to authenticate if they're not already authenticated, they shouldn't use the <jsec:authenticated> tag or authc filter. They should use the <jsec:remembered> and remembered filters instead.

Does that help?

On Fri, Jul 18, 2008 at 12:26 PM, Peter Ledbrook <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I've just been asked this on the Grails mailing list:
>
> I am using the jsec plugin, but I don't want my users to have to
> authenticate every time - I want if they check the remember me
> checkbox to "auto-login" the user next time they come to the site for
> say 2 weeks (which is a common way sites around the web do signing in)
> - how can I do that with jsecurity?
>
> What's the preferred way of doing this? Is it possible?
>
> Thanks,
>
> Peter
>
