Shiro makes this artificial, strong separation between rememberme and authentication. In the javadocs for RememberMeAuthenticationToken (http://jsecurity.org/api/org/jsecurity/authc/RememberMeAuthenticationToken.html) it is said that "Authentication is the process of proving you are who you say you are". It is stated that rememberme is not considered an authentication, and it is implied that only username/password can be used for an "actual authentication". However, in practice there's no way to know that whoever supplied the password is who they say they are, and passwords are generally not considered the strongest form of authentication. Shiro's default rememberme implementation results in no or very weak authentication, but there are alternatives that result in a stronger form of key-based authentication. Private/public keys are often considered equally strong authentication as username/password, and for remember me, using rolling tokens (as described for example at http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/) makes remembering the identity a much more secure process.
I've implemented rolling token-based remember cookies with Acegi in the past, and now I'd like to do the same with Shiro. Considering the view Shiro takes of rememberme, I wonder if it would make more sense to implement a custom RememberMeManager or a custom authentication filter for it. The current implementation doesn't allow you to authorize the principal for anything when rememberMe is used, but I might like to grant weaker roles to a user that has been identified/authenticated with a rolling token. I didn't find any built-in support for this type of authentication, so I'd also be interested in reviewing and possibly reusing any existing code if somebody has already implemented something like what I have in mind.

Kalle
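The rolling-token scheme referenced above (series identifier plus a token that is rotated on every use, with a series-matches-but-token-doesn't condition treated as cookie theft) is shown here as an added example; it is not Kalle's code, not Shiro's, and not taken from the linked article. It assumes a hypothetical in-memory `RollingTokenStore` that a custom RememberMeManager or filter could delegate to; a real deployment would back it with a database and bind it to the Shiro principal.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical rolling remember-me token store (example code, not part of Shiro). */
public final class RollingTokenStore {
    public enum Status { VALID, UNKNOWN, THEFT_SUSPECTED }

    public static final class Result {
        public final Status status; public final String user; public final String newCookie;
        Result(Status s, String u, String c) { status = s; user = u; newCookie = c; }
    }

    private static final SecureRandom RNG = new SecureRandom();
    // series id -> {username, current token}; in practice a persistent table
    private final Map<String, String[]> bySeries = new HashMap<>();

    private static String random() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Called after a password login with remember-me checked; returns the cookie value "series:token". */
    public String issue(String user) {
        String series = random(), token = random();
        bySeries.put(series, new String[] {user, token});
        return series + ":" + token;
    }

    /** Called when an unauthenticated request presents a remember-me cookie. */
    public Result validate(String cookie) {
        int i = cookie == null ? -1 : cookie.indexOf(':');
        if (i < 0) return new Result(Status.UNKNOWN, null, null);
        String series = cookie.substring(0, i), token = cookie.substring(i + 1);
        String[] rec = bySeries.get(series);
        if (rec == null) return new Result(Status.UNKNOWN, null, null);   // unknown series: ignore cookie
        byte[] expected = rec[1].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, token.getBytes(StandardCharsets.UTF_8))) {
            // Known series but stale token: the cookie was most likely copied and already replayed.
            // Revoke every series for this user so both the thief and the victim must log in again.
            bySeries.values().removeIf(r -> r[0].equals(rec[0]));
            return new Result(Status.THEFT_SUSPECTED, rec[0], null);
        }
        rec[1] = random();   // rotate: the token just presented is now invalid
        return new Result(Status.VALID, rec[0], series + ":" + rec[1]);
    }
}
```

On `VALID` the caller sets the returned `newCookie` and may treat the identified user as remembered with the weaker role set Kalle describes; on `THEFT_SUSPECTED` it should clear the cookie and log the event for the affected user.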
