Hi Juan,

A Subject is like a 'view' of your application's User or Account
object(s), not really a wrapper for them.  The Subject's principals
are typically supposed to be identifying attributes of a user/account
- usernames, user IDs, etc. - and not your application's actual User
object directly.  Also in webapps, the principals and other Subject
state is usually stored in the Session.  For scalability reasons, you
want your Sessions to be as lightweight as possible - storing just IDs
or 'pointers' to the real data that you want to look up during a
request.  You typically don't want to store the entire User object for
a lot of reasons:

When Shiro remembers a Subject, it uses (by default) JDK serialization
to convert the Subject's principals (the identity to remember) into a
byte array.  That byte array is encrypted and then Base64 encoded.
The final Base64-encoded String is stored as the rememberMe cookie
value.

So, the problem with RememberMe could be due to one of two reasons
that I can see:

1) Your User object does not serialize properly, or more likely:
2) The serialized Base64-encoded value to store in the cookie is so
large, that the browser ignores or truncates the cookie value.  4K is
the standard max size most browsers will support.  But believe me, if
you're sending 4k with every request in just the cookie field, your
system won't scale well at all.  You'll see performance problems.

So, for efficient systems 1) keep your session very lightweight and 2)
ensure the principals you give to Shiro are as lightweight and minimal
as possible.

In all systems I write, I give Shiro only the application-wide unique
ID - usually a RDBMS primary key or cache lookup key.  Then, for each
request, I get the ID from Shiro (subject.getPrincipal()) and lookup
the 'real' User object from the data store.  In web-pages, you can
typically pass the User object in the page's model and reference it
from within the page directly (${model.user.username} or whatever).

Finally, one last suggestion when creating your SimpleAccount: use the
'getName()' method of the Realm so you don't have to hard-code the
value in code:

account = new SimpleAccount(userId,
authenticationInfo.getCredentials(), getName());

I hope that helps!

Best,

Les

On Mon, Mar 29, 2010 at 3:16 AM, Juan Solo <[email protected]> wrote:
>
> Hi,
>
> I'm extending ActiveDirectoryRealm to check if there is also a user with
> the given username in my DB. I have to override doGetAuthenticationInfo in
> the Realm to do it. Everything is fine except that "remember me" doesn't
> work. I have the following last two lines of code:
>
> account = new SimpleAccount(user, authenticationInfo.getCredentials(),
> "CustomActiveDirectoryRealm")
> return account
>
> Where user is an object from my domain, which gives me information like the
> full name, id, etc. Although this code works, "remember me" doesn't:
> everytime I close the browser I have to authenticate again. However, if I
> create the SimpleAccount with a String username instead of the object user,
> everything works fine, including "remember me". But I really need to use an
> object and keep there all the information about the user (e.g.
> <shiro:principal property="fullName" />).
> Does anyone know why this happened? Am I doing something wrong or skipping
> something? Any workaround?
>
> - Using Groovy/Grails -
>
> Thanks,
>
> Juan Solo
> --
> View this message in context: 
> http://n2.nabble.com/Remember-me-problems-with-object-in-SimpleAccount-tp4817122p4817122.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
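The two points in Les's reply, a realm that hands Shiro only the user's ID (with the realm name taken from getName()) and a way to see why a fat principal breaks RememberMe, as an added Java example that is not part of the thread or of the Shiro project. It targets the Shiro 1.x API; the User class, LightweightRealm, cookieValueLength, the BiPredicate standing in for the AD bind, the in-memory map standing in for the database, and the sample attributes are all constructed for the example. The size check serializes the PrincipalCollection exactly the way Shiro's default serializer does (JDK serialization) and Base64-encodes it; Shiro's AES step in between only adds an IV and padding, so the length is close to what the browser would receive.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiPredicate;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/** Hypothetical "fat" domain object, standing in for the Grails User in the question. */
class User implements Serializable {
    private static final long serialVersionUID = 1L;
    final long id;
    final String username;
    final String fullName;
    final Map<String, String> attributes = new HashMap<>();   // e.g. attributes copied from AD

    User(long id, String username, String fullName) {
        this.id = id; this.username = username; this.fullName = fullName;
    }
}

/**
 * Hypothetical realm following the reply's advice: the password is checked by an external
 * authenticator (the AD bind in the thread; a constructed stand-in here), a DB lookup
 * confirms a local account exists, and only the numeric id becomes the principal.
 */
class LightweightRealm extends AuthenticatingRealm {
    private final BiPredicate<String, char[]> externalAuth;  // stand-in for the AD bind
    private final Map<String, User> usersByName;             // stand-in for the DB
    private final Map<Long, User> usersById = new HashMap<>();

    LightweightRealm(BiPredicate<String, char[]> externalAuth, Map<String, User> usersByName) {
        this.externalAuth = externalAuth;
        this.usersByName = usersByName;
        usersByName.values().forEach(u -> usersById.put(u.id, u));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        if (!externalAuth.test(username, upToken.getPassword())) {
            throw new AuthenticationException("external authentication failed for " + username);
        }
        User user = usersByName.get(username);
        if (user == null) {
            throw new AuthenticationException("no local account for " + username);
        }
        // Principal = the id only (small and Serializable); realm name from getName(), not a literal.
        return new SimpleAccount(user.id, upToken.getPassword(), getName());
    }

    /** Per-request lookup: subject.getPrincipal() yields the id; resolve the real User here. */
    User loadUser(Object principal) {
        return usersById.get((Long) principal);
    }
}

public class RememberMeSize {
    static final int COOKIE_LIMIT = 4096;  // the "4K" per-cookie limit cited in the reply

    /**
     * Approximate length of the rememberMe cookie value Shiro would build for this principal.
     * Returns -1 when the principal cannot be JDK-serialized at all (the first failure mode
     * in the reply); otherwise the Base64 length, to compare against COOKIE_LIMIT (the second).
     */
    static int cookieValueLength(Object principal, String realmName) throws IOException {
        PrincipalCollection principals = new SimplePrincipalCollection(principal, realmName);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(principals);
        } catch (NotSerializableException e) {
            return -1;
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray()).length();
    }

    public static void main(String[] args) throws Exception {
        User juan = new User(42L, "jsolo", "Juan Solo");
        for (int i = 0; i < 200; i++) {   // constructed: an AD-sized attribute set
            juan.attributes.put("attr" + i, "value-value-value-value-value-" + i);
        }
        Map<String, User> db = new HashMap<>();
        db.put(juan.username, juan);
        LightweightRealm realm = new LightweightRealm((u, p) -> true, db);  // stand-in: bind always succeeds
        realm.setName("CustomActiveDirectoryRealm");

        AuthenticationInfo info = realm.getAuthenticationInfo(new UsernamePasswordToken("jsolo", "pw"));
        Object principal = info.getPrincipals().getPrimaryPrincipal();
        System.out.println("principal stored by Shiro: " + principal
                + " -> " + realm.loadUser(principal).fullName);

        int idSize = cookieValueLength(principal, realm.getName());
        int userSize = cookieValueLength(juan, realm.getName());
        System.out.println("cookie value, id principal:   " + idSize + " chars");
        System.out.println("cookie value, User principal: " + userSize + " chars"
                + (userSize > COOKIE_LIMIT ? "  (exceeds " + COOKIE_LIMIT + ", browser may drop it)" : ""));
    }
}
```

Run it with shiro-core on the classpath. The id principal serializes to a few hundred characters; the User with its attribute map lands well past the 4K figure, which is the "remember me silently stops working" symptom from the question. A principal that does not implement Serializable fails earlier, and cookieValueLength reports that as -1. Values such as fullName for `<shiro:principal property="..."/>` then come from the per-request loadUser lookup placed in the page model, not from the cookie.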
