Yes, this is a conscious Shiro decision. Basically, if the Subject is permitted or is in a role, the Subject should have access to a resource. Authenticated vs. remembered shouldn't be a factor unless you are doing something like changing a password, email address, personal information, etc. (a security-critical interaction).
On May 26, 2015, at 11:11 AM, tanvir wrote:
> Hi scSynergy,
> Thanks a bunch for your reply. I have got the SSO Login and Remember Me
> feature to work properly together. However I have noticed that after logging
> in using one application, when I browse to another application, it lets me
> browse its pages as a Remembered User and not an Authenticated user. Is
> this a conscious decision from Shiro?
>
> How can I set the user's state as Authenticated when the SSO cookie's
> creation time is within the session MaxTime from current time? Or does Shiro
> prefer the user to log in again even if he just recently used the SSO login
> feature from another webapp.
>
> Thanks again!
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Trouble-implementing-Single-Sign-On-SSO-Cookie-with-Remember-Me-tp7580550p7580553.html
> Sent from the Shiro User mailing list archive at Nabble.com.
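
The distinction discussed in this thread, as an added example that is not code from either poster or from the Shiro project: a role check that passes for a remembered Subject, next to a security-critical operation that insists on isAuthenticated(). The class name, realm name, account, role and method names are assumptions made up for the illustration; it needs shiro-core on the classpath.

```java
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RememberedVsAuthenticated {

    // Ordinary resource: the role decides, for remembered and authenticated Subjects alike.
    static boolean canViewReports(Subject subject) {
        return subject.hasRole("member");
    }

    // Security-critical interaction: a remembered identity alone is not accepted.
    static void changePassword(Subject subject, char[] newPassword) {
        if (!subject.isAuthenticated()) {
            throw new UnauthenticatedException("Log in again to change the password");
        }
        subject.checkRole("member");
        // Hypothetical: hand newPassword to the account store here.
    }

    public static void main(String[] args) {
        // Constructed sample account in an in-memory realm (names are assumptions).
        SimpleAccountRealm realm = new SimpleAccountRealm("demoRealm");
        realm.addAccount("alice", "constructed-password", "member");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        // Principals without authentication is the state Shiro reports as "remembered",
        // which is what a Subject rebuilt from a Remember Me cookie looks like.
        Subject remembered = new Subject.Builder(securityManager)
                .principals(new SimplePrincipalCollection("alice", "demoRealm"))
                .authenticated(false)
                .buildSubject();

        System.out.println("remembered=" + remembered.isRemembered()
                + " authenticated=" + remembered.isAuthenticated());
        System.out.println("canViewReports=" + canViewReports(remembered));
        try {
            changePassword(remembered, "constructed-new-password".toCharArray());
        } catch (UnauthenticatedException e) {
            System.out.println("changePassword refused: " + e.getMessage());
        }
    }
}
```

In a web application the same split is usually expressed with Shiro's `user` filter (remembered or authenticated) on ordinary URLs and the `authc` filter (authenticated only) on the security-critical ones.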
