Hi Benny,

This is not a bug. In the sample web app, the account page is protected by the 'authc' filter. In order to access any path protected by the authc filter, the user must be AUTHentiCated. RememberMe does _not_ constitute authentication. Please see the Subject#isRemembered() JavaDoc for why this distinction exists.

Now, when writing your own webapp, whether you use the authc filter or simply depend on if the user is remembered is entirely up to you. The sample web app was showing how to protect access to resources that must guarantee an authenticated user (for example, when showing credit card numbers or home addresses, etc).

HTH,

Les

On Sun, Sep 5, 2010 at 11:50 PM, slott <[email protected]> wrote:
>
> In my Shirofied app and indeed also the QuickStart app, the RememberMe
> functionality is not working as expected (i.e. possibly a bug).
>
> Try logging in with, for example root in the quickstart app and tick the
> remember-me box. It'll say Hi Root! on the homepage, and you can visit the
> account page. Great.
>
> Now, restart the server (jetty or whatever) and try to access that same account
> page again. You will be directed to the login.jsp page. That can't be right?
> The app should remember the user and let them in to the secure account area.
>
> The cookie is read just fine however, as can be seen if you go to the home
> page. See, it says Hi root! on the page, which proves that
> <shiro:user><shiro:principal/></shiro:user> is used.
>
> My own app prints the following debug messages:
> 16:16:42.023 [17243...@qtp-21323983-0] DEBUG
> o.a.shiro.web.servlet.SimpleCookie - Found string value [longStringHere]
> from Cookie [rememberMe]
> 16:16:42.352 [17243...@qtp-21323983-0] DEBUG
> o.a.shiro.mgt.DefaultSecurityManager - Found remembered PrincipalCollection.
> Adding to the context to be used for subject construction by the
> SubjectFactory.
> 16:16:42.357 [17243...@qtp-21323983-0] DEBUG
> o.a.shiro.mgt.DefaultSecurityManager - Created session with id
> mkv7y3m6rwunxjvln6pr99qg to retain discovered principals bhj
>
> Still, just like the quickstart app, Shiro won't let the user into authc
> protected area without logging in again
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/RememberMe-not-granting-access-to-secure-area-tp5502220p5502220.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
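
The choice described in the reply above, as an added configuration example that is not part of the original message or of the Shiro sample app. The `/home/**` path and the catch-all rule are assumptions made for illustration; `authc`, `user` and `anon` are Shiro's built-in filters.

```ini
# Added example: hypothetical shiro.ini for a web app (paths are assumptions).
[main]
# Where a Subject is sent when a filter below denies access.
authc.loginUrl = /login.jsp
user.loginUrl = /login.jsp

[urls]
# Patterns are evaluated top to bottom and the first match wins,
# so specific paths go before the catch-all.
/login.jsp = authc

# Sensitive pages: the Subject must have logged in during this session.
# A Subject built only from the rememberMe cookie (isRemembered() == true,
# isAuthenticated() == false) is redirected to loginUrl.
/account/** = authc

# Personalised but low-risk pages: a remembered identity or a login suffices.
/home/** = user

# Everything else is open to anonymous visitors.
/** = anon
```

Putting `/account/**` behind `user` instead would give the behaviour the original poster expected after a server restart, at the cost of showing account data to anyone holding a valid rememberMe cookie.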
