Hello, I am loving the simplicity and the great code-level documentation that Shiro provides. Turning on the "remember me" feature just worked! But now that I am switching from a one realm implementation to another I am finding that the remember me feature is posing a problem.
From what I can tell, Shiro trusts the remember me cookie as long as it can be decrypted and deserialized without error. But what if the realm in my application has changed such that those remembered principals are no longer valid? Specifically, my realm started out by using a simple String as the principal, but in a new version of my app it has changed to using a complex type, MyAppPrincipal. The remembered PrincipalCollection deserialized from the cookie doesn't have this -- it has the old String value. I can't find a simple hook in Shiro that allows the remembered principals to be validated. Specifically, if my code is annotated with @RequiresUser, this check passes as long as the subject has any non-null principal, even if that principal is considered unacceptable by my new realm. Does that make sense?

Essentially what I'm hoping Shiro could do is:

1. When deserializing the remembered principal, check whether the realm name in the remembered principal matches one of the realms currently configured in the app. If there is no matching realm, the remembered principal is considered invalid and the cookie destroyed.
2. Perhaps in addition, provide a hook in the Authenticator interface (?) where remembered principals can be validated, like: boolean isRememberedPrincipalsValid(PrincipalCollection).

What do you think? Or is there already a simple solution to this that I'm missing? :)

-- Matt

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-deal-with-remembered-principals-if-realm-has-since-changed-tp6009937p6009937.html
Sent from the Shiro User mailing list archive at Nabble.com.
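One way to get the validation described in the post today, as an added example that is not part of the original message and not Shiro's own API: subclass CookieRememberMeManager, run the deserialized PrincipalCollection through a check like the proposed isRememberedPrincipalsValid, and drop the cookie when it fails. The class name ValidatingRememberMeManager, the setRealms property and the MyAppPrincipal type (named but not defined in the post) are assumptions.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

// Hypothetical wiring in shiro.ini (the realms are injected so the manager
// does not need a reference back to the SecurityManager):
//   rememberMeManager = com.example.ValidatingRememberMeManager
//   rememberMeManager.realms = $myRealm
//   securityManager.rememberMeManager = $rememberMeManager
public class ValidatingRememberMeManager extends CookieRememberMeManager {

    // Realms currently configured in the application (assumed to be injected).
    private Collection<Realm> realms = Collections.emptyList();

    public void setRealms(Collection<Realm> realms) {
        this.realms = realms;
    }

    @Override
    public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext) {
        // Shiro only rejects the cookie if decryption/deserialization throws;
        // a stale but well-formed cookie still comes back here as principals.
        PrincipalCollection remembered = super.getRememberedPrincipals(subjectContext);
        if (remembered == null || remembered.isEmpty()) {
            return remembered;
        }
        if (!isRememberedPrincipalsValid(remembered)) {
            forgetIdentity(subjectContext); // remove the remember-me cookie
            return null;                    // subject is created with no identity
        }
        return remembered;
    }

    // The hook the post asks for: realm names must still exist, and every
    // principal must be of the type the current realm produces.
    protected boolean isRememberedPrincipalsValid(PrincipalCollection principals) {
        Set<String> configured = new HashSet<String>();
        for (Realm realm : realms) {
            configured.add(realm.getName());
        }
        for (String realmName : principals.getRealmNames()) {
            if (!configured.contains(realmName)) {
                return false; // realm renamed or removed since the cookie was issued
            }
            for (Object principal : principals.fromRealm(realmName)) {
                if (!(principal instanceof MyAppPrincipal)) {
                    return false; // legacy String principal from the old app version
                }
            }
        }
        return true;
    }
}
```

Because the stale identity is discarded before the Subject is built, a @RequiresUser check on a request carrying an old cookie now fails instead of passing on the leftover String principal.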
