I'm fairly new to Shiro, and to thinking about security in terms of
principals/tokens/credentials rather than just as username/password.
Out of curiosity, is there some best practice for what components of a
user's identity should be principals?
Obviously username/email address should be a principal. What about first
and last names?
What about the ID of a user's row/document in a database? They're not
necessarily logging in using that, nor is it being displayed, but if I
made a user's ID their primary principal, my design would simplify some.
Is this bad practice or does it matter?
Thanks.
- What is and isn't a principal? Nolan Darilek