Hi JJ,
I had to do something similar where I supported login by a user going to
a secret URL (yes, this is bad, but legacy support). I ended up writing
my own Realm and overriding getAuthenticationTokenClass() and
doGetAuthenticationInfo(AuthenticationToken).
I also had to create my own AuthenticationToken to hold the pieces that I
needed to perform authentication. You may or may not need that step.
My Realm builds a SimpleAuthenticationInfo and uses the secret URL as a
credential.
Hopefully that gets you pointed in the right direction.
Sincerely,
Stephen McCants
On 8/21/2013 7:31 AM, Stuart Broad wrote:
Hi JJ,
You could store the session id in a cookie but if that still does not
work for you, you may need to create your own custom realm. e.g.
(1) User creates an account
(2) User confirms the account
(3) User accesses application - At this point you create some custom
token (e.g. containing username and maybe something else like ip address)
(4) Your custom realm accepts this token and checks the db to see if
this is the first time logging in. If the first time then log in
succeeds.
The above does not feel very secure though..
Oh, just thought I should mention Apache Shiro does come with a
'remember me' option that might help (the user would be remembered but
not authenticated). But again for this you might need a session id
(not sure).
Cheers,
Stu
p.s. I'm not an expert on this (just started using it myself)
On Wed, Aug 21, 2013 at 1:21 PM, crnobog <[email protected]> wrote:
This is a nice idea but it won't work for me as the user has two days to
confirm his acc. Who knows what all could happen in this time.
Any other ideas?
best regards.
JJ
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Programmatic-login-tp7579055p7579057.html
Sent from the Shiro User mailing list archive at Nabble.com.
--
Stephen McCants
Senior Software Engineer
Healthcare Control Systems
1-877-877-8795 x116
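
Added example, not part of the thread and not Shiro's own code: the custom token and realm described in the messages above, with the link secret stored only as a SHA-256 digest, limited to the two-day confirmation window, and accepted once. LinkToken, LinkRealm, issue() and the in-memory map standing in for the database are hypothetical names; the code assumes the Shiro 1.x API.

```java
// Added example: LinkToken, LinkRealm and the in-memory store are hypothetical (Shiro 1.x API assumed).
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthenticatingRealm;

/** Custom token: the account name plus the random secret taken from the link. */
class LinkToken implements AuthenticationToken {
    private final String username, secret;
    LinkToken(String username, String secret) { this.username = username; this.secret = secret; }
    @Override public Object getPrincipal() { return username; }
    @Override public Object getCredentials() { return secret; }
}

public class LinkRealm extends AuthenticatingRealm {
    private static final Duration TTL = Duration.ofDays(2); // confirmation window from the thread
    private static final class Pending {
        final String hexHash; final Instant issued;
        Pending(String hexHash, Instant issued) { this.hexHash = hexHash; this.issued = issued; }
    }
    // Stand-in for the database table: username -> digest of the issued secret.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    public LinkRealm() {
        // The matcher hashes the presented secret and compares it with the stored hex digest.
        setCredentialsMatcher(new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME));
    }
    /** Called when the link is generated: only the SHA-256 of the secret is kept. */
    public void issue(String username, String secret) {
        pending.put(username, new Pending(new Sha256Hash(secret).toHex(), Instant.now()));
    }
    // Only LinkToken is handled here; UsernamePasswordToken etc. go to other realms.
    @Override public Class<? extends AuthenticationToken> getAuthenticationTokenClass() { return LinkToken.class; }

    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        Pending p = pending.get((String) token.getPrincipal());
        if (p == null) return null; // no outstanding link: Shiro reports an unknown account
        if (p.issued.plus(TTL).isBefore(Instant.now())) throw new ExpiredCredentialsException("link expired");
        return new SimpleAuthenticationInfo(token.getPrincipal(), p.hexHash, getName());
    }
    @Override protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        super.assertCredentialsMatch(token, info); // throws IncorrectCredentialsException on mismatch
        if (pending.remove((String) token.getPrincipal()) == null) // single use: consume on success
            throw new ExpiredCredentialsException("link already used");
    }
}
```

The caller logs in with SecurityUtils.getSubject().login(new LinkToken(username, secret)); a second attempt with the same link fails because the pending entry has been consumed.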