Thanks Les, for your thoughtful reply.
I agree overriding AbstractRememberMeManager.deserialize(byte[]) is the easiest
solution for the upgrade problem. I can provide whatever logic is necessary
there to validate the principals.
But perhaps this issue that I raised is more of a symptom of a fundamental
issue with the @RequiresUser check. Outdated principals cause a problem with
@RequiresUser because simply checking subject.getPrincipal() != null is not
sufficient.
Consider if instead of @RequiresUser I use @RequiresRoles("user"), with the
understanding that "user" is a role all users have. Now the remember me issue
is no longer a problem, because my realm's doGetAuthorizationInfo() will see
the principal is outdated/bogus and appropriately reject access for
@RequiresRoles("user").
Furthermore consider the case where a user's account has become locked:
@RequiresUser will still let the user in, because the realm is never consulted,
whereas @RequiresRoles("user") would allow the realm to check account locked
status in doGetAuthorizationInfo().
Ultimately I think what I've learned from this is that @RequiresUser (or its
procedural equivalent of subject.getPrincipal() != null) should probably be
avoided.
--
Matt
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/How-to-deal-with-remembered-principals-if-realm-has-since-changed-tp6009937p6010245.html
Sent from the Shiro User mailing list archive at Nabble.com.
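The contrast Matt describes, as an added Java example that is not from the thread or from Shiro itself: a realm whose doGetAuthorizationInfo() grants no roles to unknown or locked accounts, exercised against a subject built from remembered (non-authenticated) principals. The in-memory account store, the realm name "accounts" and the usernames are constructed for the demo; everything else is Shiro's public API.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RememberedPrincipalDemo {
    // Constructed account store for the demo: username -> locked flag (absent = account no longer exists).
    static final Map<String, Boolean> LOCKED = new HashMap<>();

    static class AccountRealm extends AuthorizingRealm {
        AccountRealm() {
            setName("accounts");
            // Cached AuthorizationInfo would keep serving roles after a lock; disable it so the store is re-read.
            setAuthorizationCachingEnabled(false);
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            return null; // interactive login is not exercised in this demo
        }
        // Consulted by hasRole()/@RequiresRoles, never by @RequiresUser.
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            Boolean locked = LOCKED.get((String) principals.getPrimaryPrincipal());
            if (locked == null || locked) {
                return null; // outdated principal or locked account: no roles, so "user" is denied
            }
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole("user"); // the role every live account has
            return info;
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = new DefaultSecurityManager(new AccountRealm());
        LOCKED.put("alice", false);
        // A subject rebuilt from a remember-me cookie: principals present, isAuthenticated() false.
        Subject remembered = new Subject.Builder(sm)
            .principals(new SimplePrincipalCollection("alice", "accounts")).buildSubject();
        System.out.println("remembered=" + remembered.isRemembered()
            + " requiresUserCheck=" + (remembered.getPrincipal() != null)
            + " hasRole(user)=" + remembered.hasRole("user"));
        LOCKED.put("alice", true); // account locked after the cookie was issued
        // The principal is still non-null (what @RequiresUser tests), but the realm now denies the role.
        System.out.println("locked requiresUserCheck=" + (remembered.getPrincipal() != null)
            + " hasRole(user)=" + remembered.hasRole("user"));
    }
}
```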