Cool, thanks. I wasn't sure if there were potential security issues from, say, using a MongoDB ObjectId as the primary principal. Even though users log in via email addresses, and those should be unique, other records reference subjects via their ID, and it simplifies things to just put subject.getPrincipal into the field rather than doing another query for the ID.

Thanks.


On 03/13/2013 02:27 PM, Les Hazlewood wrote:
Hi Nolan,

Shiro considers a principal to be any identifying attribute that you
wish to have accessible in a Subject instance.  So yes, username and
email are principals, but so are first and last names.  Any Realm that
populates a PrincipalCollection contributes to the Subject's total
principals (i.e. subject.getPrincipals()), and they can be whatever
you want.

Shiro also expects that at least one of the principals is an
application unique identifier - usually a username, email address or
datastore primary key (long, UUID, etc).  Shiro calls this the
'primary principal' (subject.getPrincipal() ===
subject.getPrincipals().getPrimaryPrincipal()).

Once a Subject has authenticated, Shiro's internals only really make
use of the primary principal for its own needs.  Any other principal
is purely there for your own needs should you wish to use them.

I, for example, don't use any additional principals in my
applications.  I populate and use only the primary principal to look
up a cached version of my data store's User object and then reference
further properties on that object.  Which approach you use is up to
you.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Wed, Mar 13, 2013 at 10:47 AM, Nolan Darilek <[email protected]> wrote:
I'm fairly new to Shiro, and to thinking about security in terms of
principals/tokens/credentials rather than just as username/password.

Out of curiosity, is there some best practice for what components of a
user's identity should be principals?

Obviously username/email address should be a principal. What about first and
last names?

What about the ID of a user's row/document in a database? They're not
necessarily logging in using that, nor is it being displayed, but if I made
a user's ID their primary principal, my design would simplify some. Is this
bad practice or does it matter?

Thanks.
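An added example (not code from this thread or from the Shiro project) that shows Les's description in working Java: a single Realm that authenticates by e-mail but puts the datastore ID into the PrincipalCollection first, so that `subject.getPrincipal()` and `subject.getPrincipals().getPrimaryPrincipal()` both return the ID while the e-mail remains reachable through `getPrincipals()`. The `UserRecord` class, the `EmailLoginRealm` class, the in-memory user map and the sample ID, e-mail and password are constructed for the example; the Shiro classes are the real `org.apache.shiro` API.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class IdAsPrimaryPrincipalExample {

    private static final int HASH_ITERATIONS = 1024;

    /** Hypothetical stand-in for a datastore document; not part of Shiro. */
    static final class UserRecord {
        final String id;           // datastore primary key (e.g. an ObjectId rendered as a string)
        final String email;        // what the user types at login
        final String passwordHash; // hex-encoded, salted, iterated SHA-256
        final ByteSource salt;     // random per-user salt

        UserRecord(String id, String email, String passwordHash, ByteSource salt) {
            this.id = id; this.email = email; this.passwordHash = passwordHash; this.salt = salt;
        }
    }

    /** Realm that looks users up by e-mail but exposes the datastore ID as the primary principal. */
    static final class EmailLoginRealm extends AuthorizingRealm {
        private final Map<String, UserRecord> usersByEmail = new HashMap<>();
        private final Map<String, UserRecord> usersById = new HashMap<>();

        EmailLoginRealm() {
            setName("emailRealm");
            // Compare the submitted password against the stored salted hash, never plaintext.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);
            setCredentialsMatcher(matcher);
        }

        void addUser(String id, String email, String plaintextPassword) {
            ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
            String hash = new Sha256Hash(plaintextPassword, salt, HASH_ITERATIONS).toHex();
            UserRecord user = new UserRecord(id, email, hash, salt);
            usersByEmail.put(email, user);
            usersById.put(id, user);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            UsernamePasswordToken upToken = (UsernamePasswordToken) token;
            UserRecord user = usersByEmail.get(upToken.getUsername());
            if (user == null) {
                throw new UnknownAccountException("no account for " + upToken.getUsername());
            }
            // The first principal added is the primary principal: the datastore ID.
            SimplePrincipalCollection principals = new SimplePrincipalCollection(user.id, getName());
            // The e-mail is kept as an additional principal, reachable via getPrincipals().
            principals.add(user.email, getName());
            return new SimpleAuthenticationInfo(principals, user.passwordHash, user.salt);
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            // Authorization lookups key on the primary principal (the ID), not on the e-mail.
            String userId = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if (usersById.containsKey(userId)) {
                info.addRole("user");
            }
            return info;
        }
    }

    public static void main(String[] args) {
        EmailLoginRealm realm = new EmailLoginRealm();
        // Constructed sample data: a 24-hex-character ID string, an e-mail and a password.
        realm.addUser("507f1f77bcf86cd799439011", "alice@example.com", "correct horse battery staple");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice@example.com", "correct horse battery staple"));

        // This is the value other records should store as their owner reference.
        Object ownerRef = subject.getPrincipal();
        System.out.println("primary principal: " + ownerRef);
        System.out.println("equals getPrimaryPrincipal(): "
                + ownerRef.equals(subject.getPrincipals().getPrimaryPrincipal()));
        System.out.println("all String principals: " + subject.getPrincipals().byType(String.class));
        System.out.println("has role 'user': " + subject.hasRole("user"));
        subject.logout();
    }
}
```

Two points worth keeping in mind when applying this pattern. `getPrimaryPrincipal()` returns the first principal contributed by the first Realm, so if a second Realm is added later the order in which the security manager consults them decides which value becomes primary; verify that every Realm agrees on what it adds first. And because the ID is the primary principal, records that reference `subject.getPrincipal()` keep pointing at the right user after an e-mail change, whereas records keyed on the e-mail would silently detach.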
