Not sure where to talk about the proposed feature. JIRA Ticket? Mailing list or 
GitHub issue/pull request?

Anyways here is the link to the implementation: 
https://github.com/raupachz/shiro/tree/dbcookies 
The class is called DatabaseRememberMeCookieManager.java

This is more or less a simple proof of concept, so we have something to talk 
about. I am also not very familiar with the internals of Shiro and the 
terminology. So please correct me.

DatabaseRememberMeCookieManager inherits RememberMeCookieManager. I have 
overridden the methods: getRememberedPrincipals(SubjectContext) and 
rememberIdentity(Subject, PrincipalCollection). getRememberedPrincipals 
retrieves the cookie value. rememberIdentity generates a random, non-guessable 
nonce instead of the encrypted, serialized PrincipalCollection. Not sure what 
to call this value, I just went with nonce. This nonce and all the principals 
of the collection are written to a database with JDBC.

getRememberedPrincipals reads the nonce from the cookie, if available, and 
retrieves the matching principals from the database.

The smoke tests do work :)

Open issues:

* Not sure how to get the proper realm name in getRememberedPrincipals. See the 
placeholder: "whatever" in the constructor of PrincipalCollection
* A nonce can have multiple principals and every principal can have multiple 
nonces.

The m:n relationship with nonces probably needs three tables. A select with 
joins would make a very long single line in shiro.ini. Would work, but it is 
not nice. The insert is even more complicated. Maybe it is better to not use 
shiro.ini in that case and let the user override some abstract method to load 
and store the principals. For example abstract loadPrincipals in 
DatabaseRememberMeCookieManager.

Hoping for a good discussion on this :)

Sorry if this message came several times. I keep forgetting what email address 
I use on different mailing lists.

/Björn

> On 10. Jan 2018, at 16:56, Rob Young <bobbot...@gmail.com> wrote:
> 
> I'd be interested to see this in action, I'd be happy to check out what you 
> get up to!
> 
> On Wed, Jan 10, 2018 at 10:25 AM, Brian Demers <brian.dem...@gmail.com> wrote:
> Probably an override, you will still need to add the cookie, so you should be 
> able to override just what you need.
> 
> 
>> 
>> Keep us posted!
> 
> Since we need this feature I can dedicate company time on this matter. Will 
> work on this in my repo and open a pull request once I have something figured 
> out. Might need some help troubleshooting. 
>  
> Cool!
> 
> 
> 
> -- 
> Rob Young
> robertjohnyo...@gmail.com
> 
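
Added example, not part of the original message or of the linked branch: the three-table m:n layout and the join-based lookup discussed above, modelled in Python with an in-memory SQLite database standing in for the JDBC database. The table, column and function names are hypothetical, and two choices are assumptions that go beyond the message: only a SHA-256 digest of the nonce is stored, and the realm name is stored next to each principal so it can be read back on lookup.

```python
import hashlib
import secrets
import sqlite3
# Hypothetical schema: the nonce table holds a digest, never the cookie value.
SCHEMA = """
CREATE TABLE principal (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    realm TEXT NOT NULL, UNIQUE (name, realm));
CREATE TABLE nonce (id INTEGER PRIMARY KEY, digest TEXT NOT NULL UNIQUE);
CREATE TABLE nonce_principal (
    nonce_id INTEGER NOT NULL REFERENCES nonce(id) ON DELETE CASCADE,
    principal_id INTEGER NOT NULL REFERENCES principal(id),
    PRIMARY KEY (nonce_id, principal_id));
"""

def open_store():
    db = sqlite3.connect(":memory:")  # stand-in for the JDBC data source
    db.execute("PRAGMA foreign_keys = ON")  # needed for ON DELETE CASCADE
    db.executescript(SCHEMA)
    return db

def _digest(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def remember_identity(db, principals):
    """Store (name, realm) pairs under a fresh nonce; return the cookie value."""
    nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    with db:  # one transaction: all rows are written or none
        nonce_id = db.execute("INSERT INTO nonce (digest) VALUES (?)",
                              (_digest(nonce),)).lastrowid
        for name, realm in principals:
            db.execute("INSERT OR IGNORE INTO principal (name, realm) "
                       "VALUES (?, ?)", (name, realm))
            pid = db.execute("SELECT id FROM principal WHERE name = ? "
                             "AND realm = ?", (name, realm)).fetchone()[0]
            db.execute("INSERT INTO nonce_principal VALUES (?, ?)",
                       (nonce_id, pid))
    return nonce

def get_remembered_principals(db, cookie_value):
    """Return the (name, realm) pairs for a cookie value, [] if unknown."""
    return db.execute(
        "SELECT p.name, p.realm FROM nonce n "
        "JOIN nonce_principal np ON np.nonce_id = n.id "
        "JOIN principal p ON p.id = np.principal_id "
        "WHERE n.digest = ? ORDER BY p.id", (_digest(cookie_value),)).fetchall()

def forget_identity(db, cookie_value):
    """Revoke one nonce; its link rows go with it, other nonces are untouched."""
    with db:
        db.execute("DELETE FROM nonce WHERE digest = ?", (_digest(cookie_value),))
```

Because each nonce is its own row, one remembered browser can be revoked server-side without affecting the principal's other nonces.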
