On Thu, Jul 21, 2011 at 12:03 PM, leafknode <[email protected]> wrote:
> I'm building a simple Spring app and I'd like to use Apache Shiro for my
> security implementation. I've configured AS via Spring successfully and
> everything seems to be running OK but I just can't seem to get the remember
> me feature working.
>
> My first question is:
>
> Is the Remember Me feature supposed to automatically login users that have
> selected to be remembered? Presumably "yes" but I wanted to confirm.
I'm glad you confirmed :) This is definitely not the case, and any security framework that does this doesn't understand the meaning of authentication. In Shiro, Remembered != Authenticated, for very real security reasons. This is covered in the documentation here:

http://shiro.apache.org/authentication.html#Authentication-Rememberedvs.Authenticated

Now, if your particular security requirements don't care about the distinction between remembered vs. authenticated, and you just want to know if the current Subject is a known user, for example, you can control flow (or UI behavior) based on the fact that the subject has an identity or not (i.e. subject.getPrincipal() != null).

The Shiro web JSP tags also support this via the <shiro:user> tag, where a 'user' is a Subject that has an identity (subject.getPrincipal() != null), indicating that they have at least authenticated either during the current session or at least in some previous session before.

Beyond subject.getPrincipal() != null, the remembered/authenticated states indicate _how_ we came to know about the user's identity, which is often necessary in many security scenarios (e.g. the Amazon.com example in the linked documentation is a good solid example).

HTH,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

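The remembered-vs-authenticated distinction from the reply above, shown as an added example (not code from the thread or from the Shiro project). It assumes a Shiro SecurityManager is already configured (for instance via Spring, as the poster did) and a realm that knows the user; the `IdentityState` class and its method names are hypothetical helpers.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.subject.Subject;

/** Separates "has an identity" from "proved it during this session" (hypothetical helper, not Shiro's). */
public final class IdentityState {

    public enum State { ANONYMOUS, REMEMBERED, AUTHENTICATED }

    /** Same three-way split the <shiro:guest>, <shiro:user> and <shiro:authenticated> tags make. */
    public static State classify(Subject subject) {
        if (subject.isAuthenticated()) {
            return State.AUTHENTICATED;       // credentials were verified in this session
        }
        if (subject.getPrincipal() != null) {  // identity known only from the rememberMe cookie
            return State.REMEMBERED;           // equivalently: subject.isRemembered()
        }
        return State.ANONYMOUS;
    }

    /** Classify the Subject bound to the current thread/request. */
    public static State current() {
        return classify(SecurityUtils.getSubject());
    }

    /** Low-risk personalisation: any known identity is enough (the <shiro:user> case). */
    public static String greeting(Subject subject) {
        Object principal = subject.getPrincipal();
        return principal == null ? "Welcome, guest" : "Welcome back, " + principal;
    }

    /** Sensitive action (checkout, password change): a remembered identity is not enough. */
    public static void requireFreshLogin(Subject subject) {
        if (!subject.isAuthenticated()) {
            throw new UnauthenticatedException("Re-authentication required: subject is "
                    + classify(subject) + ", not AUTHENTICATED");
        }
    }

    /** Re-authenticate; rememberMe=true only makes later sessions start as REMEMBERED, never AUTHENTICATED. */
    public static State login(Subject subject, String user, char[] password, boolean rememberMe) {
        UsernamePasswordToken token = new UsernamePasswordToken(user, password, rememberMe);
        try {
            subject.login(token);              // throws on bad credentials; state stays as it was
        } catch (AuthenticationException e) {
            return classify(subject);
        } finally {
            token.clear();                     // scrub the password from memory either way
        }
        return classify(subject);
    }
}
```

Wire `requireFreshLogin` in front of the sensitive operations and `greeting`/`classify` in front of the cosmetic ones; a user arriving on a rememberMe cookie then sees personalised pages but is sent back through `login` before anything that matters.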