Hi Miguel,

Authentication is the act of proving an identity. If you don't require proof of their identity, then the user won't, by definition, be authenticated. What if that email was viewed and clicked by someone other than the user who registered? This is very possible and happens more than you might think, especially with spambot systems.

Suggestion #1: The way I've solved this myself is to actually perform a login on the user's behalf when they click that link. How do I do that? When they're registering on the site at first, they enter an email address and password. I'll store that password (encrypted of course) in their session. When they click on the link, assuming that they do so during the same session as when they signed up (which is the large majority of cases), then I automatically call subject.login with the values stored in the session. If they click the link after their session has expired, they're forced to log in to the site, performing a real authentication. This paradigm is much more secure than automatically assuming a user is authenticated without requiring their credentials.

Suggestion #2: If you don't like #1, you could easily create something like a RegistrationKeyLoginToken - maybe a subclass of UsernamePasswordToken that also retains a secret key that is obtained from the HTTP request (usually a URL parameter). When the user accesses that URL, you transparently call subject.login with that Token instance with the secret key. When your Realm implementation receives the token in your doGetAuthenticationInfo implementation, you can see if it is the RegistrationKeyLoginToken and then check to see if the tokens match. If so, just return the AuthenticationInfo as if they had logged in with a password. If the token is not a RegistrationKeyLoginToken, perform the lookup based on username/password as normal.

I personally would never use #2 as I don't trust unencrypted email as a secure enough mechanism to auto-login my user. It's up to you though depending on your needs :)

HTH,
Les

On Fri, Feb 5, 2010 at 1:52 PM, mcohnen <[email protected]> wrote:
>
> Hi!
>
> I'm using the shiro plugin with grails and I'm wondering if it's possible to
> perform a login (authentication) without knowing a user's password. I want
> to do that, so that when the user clicks on his confirmation email, I can
> automatically log him in if the confirmation was successful.
>
> Any ideas about this?
>
> Thank you!
> --
> View this message in context:
> http://n2.nabble.com/Authenticating-without-knowing-user-s-password-Is-it-possible-tp4521499p4521499.html
> Sent from the Shiro User mailing list archive at Nabble.com.
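The following is an added illustration of Suggestion #2 above; it is not code from the thread or from Apache Shiro itself. It sketches a `RegistrationKeyLoginToken` subclass of `UsernamePasswordToken` and a Realm whose `doGetAuthenticationInfo` accepts that token only when the presented key matches a pending registration, then falls through to the normal hashed-password lookup for every other token. The class names `RegistrationRealm`, `RegistrationKeyLoginToken`, `PendingRegistration` and `registerPending`, the in-memory maps standing in for the user table, and the 1024-iteration SHA-256 matcher are all assumptions made for the example. It goes slightly beyond the post in two places that reduce the risk Les points out: the emailed key is compared in constant time, and it is single-use and time-limited, so a link that is forwarded, scraped or clicked late cannot log anyone in.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExpiredCredentialsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Hypothetical realm: registration-key login for confirmation links, password login otherwise. */
public class RegistrationRealm extends AuthorizingRealm {

    /** Token carrying the secret key read from the confirmation URL (hypothetical class). */
    public static class RegistrationKeyLoginToken extends UsernamePasswordToken {
        public RegistrationKeyLoginToken(String username, String registrationKey) {
            // No password is known here; the key takes its place as the token's credentials.
            super(username, registrationKey);
        }
        public String getRegistrationKey() {
            return new String((char[]) getCredentials());
        }
    }

    /** One pending e-mail confirmation: the key that was mailed and when it stops being valid. */
    static final class PendingRegistration {
        final byte[] key;
        final Instant expiresAt;
        PendingRegistration(String key, Instant expiresAt) {
            this.key = key.getBytes(StandardCharsets.UTF_8);
            this.expiresAt = expiresAt;
        }
    }

    // Constructed in-memory stores standing in for the application's user table.
    private final Map<String, PendingRegistration> pending = new ConcurrentHashMap<>();
    private final Map<String, String> passwordHashes = new ConcurrentHashMap<>(); // username -> hex SHA-256 hash

    public RegistrationRealm() {
        // Ordinary logins are checked by Shiro's hashed-password matcher, never by comparing plaintext.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(1024);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    /** Called when the account is created and the confirmation mail is sent (hypothetical helper). */
    public void registerPending(String username, String passwordHashHex, String registrationKey, Instant expiresAt) {
        passwordHashes.put(username, passwordHashHex);
        pending.put(username, new PendingRegistration(registrationKey, expiresAt));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        if (token instanceof RegistrationKeyLoginToken) {
            PendingRegistration p = pending.get(username);
            if (p == null) {
                throw new UnknownAccountException("no pending confirmation for " + username);
            }
            if (Instant.now().isAfter(p.expiresAt)) {
                pending.remove(username); // stale link: drop it so it can never be used
                throw new ExpiredCredentialsException("confirmation link has expired");
            }
            byte[] presented = ((RegistrationKeyLoginToken) token).getRegistrationKey().getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(p.key, presented)) { // constant-time comparison
                throw new IncorrectCredentialsException("registration key mismatch");
            }
            pending.remove(username); // single use: a second click must go through a real password login
            return new SimpleAuthenticationInfo(username, p.key, getName());
        }
        // Every other token is a normal username/password login against the stored hash.
        String hash = passwordHashes.get(username);
        if (hash == null) {
            throw new UnknownAccountException("unknown user " + username);
        }
        return new SimpleAuthenticationInfo(username, hash, getName());
    }

    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
        // The registration key was already verified above; the hashed-password matcher applies to everyone else.
        if (!(token instanceof RegistrationKeyLoginToken)) {
            super.assertCredentialsMatch(token, info);
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo(); // roles and permissions are out of scope here
    }
}
```

The confirmation controller would then call `SecurityUtils.getSubject().login(new RegistrationRealm.RegistrationKeyLoginToken(username, keyFromUrl))`, exactly the transparent `subject.login` the post describes; because the token extends `UsernamePasswordToken`, the realm's default `supports()` check accepts it without further configuration. For this to be worth anything the key must be long and generated from a cryptographically secure random source, and a production store would also pass a per-user salt to `SimpleAuthenticationInfo` rather than the unsalted hash shown here.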
