Whether or not you are using native sessions has no bearing on how you
check for authentication.  They are logically orthogonal.

You check isAuthenticated if you want to see if a user has already
proven their identity during their current session - whether you use
native sessions or some other container-managed sessions is
irrelevant.

currentUser.isAuthenticated will return true if and only if the user
has proven their identity (a successful authentication attempt) during
their _current_ session.  If true, the system can trust that the user
really is who they say they are (assuming your application's
authentication approach is itself reasonably secure).

You use it to protect access to things that are very important where
you must *guarantee* a user's identity.  For example:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

Subject subject = SecurityUtils.getSubject();
if ( subject.isAuthenticated() ) {
    // show credit card information
} else {
    // show them the login view so we can be sure
    // it is really them and not, say, a friend
    // using their computer
}

Contrast this with subject.getPrincipal() != null.  This statement
only verifies that we have a good idea who the user is, either via a
current successful authentication OR via remember me.  Remember Me
does not guarantee identity, so you shouldn't rely on it for sensitive
operations.

Check out the Subject isAuthenticated() and isRemembered() JavaDoc -
it explains these concepts in detail.

Regards,

Les

On Tue, Dec 22, 2009 at 9:31 AM, lev <[email protected]> wrote:
>
> Hi Les,
>
> Thanks for this quicky :-), I appreciate that.
>
>
> two short questions:
>
> 1) does it make sense to call "if (!currentUser.isAuthenticated()) " when
> using native session?
> 2) is "if (!currentUser.isAuthenticated()) " always supposed to return
> false in case of native session, or am I missing something here?
>
> regards,
>
>
> Les Hazlewood-2 wrote:
>>
>> Shiro delegates authentication to your Realm implementation - your
>> implementation is the one that must be efficient/fast and that is
>> entirely dependent upon how you code it ;)
>>
>> On Tue, Dec 22, 2009 at 8:22 AM, lev <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I have included shiro as our core IDm component in a very big project.
>>>
>>> As the project is very big, many components are involved in a single user
>>> process.
>>>
>>> We are using shiro meantime just to authenticate (by username and password
>>> info).
>>>
>>> flow is like this
>>>
>>> user logs in UI module->GUI module asks for authentication through API
>>> gateway(ESB)->our web app->asks shiro to authenticate user(native session
>>> mode)
>>>
>>> my question/need is to make this authentication as fast as possible:
>>>
>>> We are using :
>>>
>>> 1. spring remoting
>>> 3. Shiro
>>>
>>>
>>> Please do reply as this is becoming critical point for our project.
>>>
>>> regards,
>>> lev
>>> --
>>> View this message in context:
>>> http://n2.nabble.com/We-need-fastest-authetication-tp4203510p4203510.html
>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>>
>>
>>
>
> --
> View this message in context: 
> http://n2.nabble.com/We-need-fastest-authetication-tp4203510p4203772.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

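The three identity states Les describes (anonymous, remembered via RememberMe, authenticated in the current session) as a complete, added example that is not part of the thread. It is my code, not Shiro's, and assumes the Shiro 1.x API (SecurityUtils, Subject, IniRealm, DefaultSecurityManager); the in-memory "users" section with user alice is constructed for the demo. With the plain DefaultSecurityManager used here no RememberMe manager is configured, so the REMEMBERED branch only fires in a deployment (e.g. the web security manager with a cookie RememberMe manager) where a principal can be known without a login in the current session.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class IdentityGuardExample {

    /** The three trust levels a Subject can be in; a hypothetical enum for this example. */
    enum IdentityLevel { ANONYMOUS, REMEMBERED, AUTHENTICATED }

    /** Classify a Subject: isAuthenticated() beats isRemembered(), which beats no principal. */
    static IdentityLevel classify(Subject subject) {
        if (subject.isAuthenticated()) {
            return IdentityLevel.AUTHENTICATED;   // identity proven during this session
        }
        if (subject.isRemembered()) {
            return IdentityLevel.REMEMBERED;      // principal known via RememberMe only
        }
        return IdentityLevel.ANONYMOUS;           // getPrincipal() == null
    }

    /** Sensitive data: require a proven identity; a remembered principal is NOT enough. */
    static String viewCreditCards(Subject subject) {
        if (!subject.isAuthenticated()) {
            return "LOGIN_REQUIRED";   // send to the login view, even if isRemembered() is true
        }
        return "cards for " + subject.getPrincipal();
    }

    /** Low-risk personalization: any known principal (authenticated OR remembered) will do. */
    static String greeting(Subject subject) {
        Object principal = subject.getPrincipal();   // non-null when authenticated or remembered
        return principal == null ? "Welcome, guest" : "Welcome back, " + principal;
    }

    public static void main(String[] args) {
        // Constructed in-memory realm with a single user; not a real deployment configuration.
        Ini ini = new Ini();
        ini.addSection("users").put("alice", "secret");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();

        // Before login: anonymous, so the sensitive view is refused and the greeting is generic.
        System.out.println(classify(subject) + " -> " + viewCreditCards(subject) + " / " + greeting(subject));

        // A successful authentication attempt in this session flips isAuthenticated() to true.
        subject.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println(classify(subject) + " -> " + viewCreditCards(subject) + " / " + greeting(subject));

        // Logout clears the proven identity again; sensitive access is refused once more.
        subject.logout();
        System.out.println(classify(subject) + " -> " + viewCreditCards(subject) + " / " + greeting(subject));
    }
}
```

The guard in viewCreditCards is the point of the thread: it tests isAuthenticated(), not getPrincipal() != null, so a RememberMe cookie on a shared machine never unlocks the sensitive view, while greeting() deliberately accepts the weaker remembered identity because nothing sensitive depends on it.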