Why is it so important for you to have "remember me" functionality available across different applications (in your case a new version)? If you ask me there's no need for that in the real world. If the application changed, then users should re-login, but if they forgot their passwords, then it's your application's job to give them a "Forgot password" feature.

I personally think your kind of feature is a potential security risk in the case where you implement your "remember me (from old application)" strategy in a new application and someone else gets the code from the old application (this happens in the real world): he can always hack into your system by creating remember me cookies with the old application and logging in to the new one. Especially when your old application has a really simple principal.

Regards
Armando

On Thu, Feb 10, 2011 at 12:05 AM, mbrictson [via Shiro User] <[email protected]> wrote:

> Hello,
>
> I am loving the simplicity and the great code-level documentation that
> Shiro provides. Turning on the "remember me" feature just worked! But now
> that I am switching from one realm implementation to another I am finding
> that the remember me feature is posing a problem.
>
> From what I can tell, Shiro trusts the remember me cookie as long as it can
> be decrypted and deserialized without error. But what if the realm in my
> application has changed such that those remembered principals are no longer
> valid?
>
> Specifically, my realm started out by using a simple String as the
> principal, but in a new version of my app it has changed to using a complex
> type, MyAppPrincipal. The remembered PrincipalCollection deserialized from
> the cookie doesn't have this -- it has the old String value.
>
> I can't find a simple hook in Shiro that allows the remembered principals
> to be validated. Specifically, if my code is annotated with @RequiresUser,
> this check passes as long as the subject has any non-null principal, even if
> that principal is considered unacceptable by my new realm.
>
> Does that make sense?
>
> Essentially what I'm hoping Shiro could do is:
>
> 1. When deserializing the remembered principal, check whether the realm name
> in the remembered principal matches one of the realms currently configured
> in the app. If there is no matching realm, the remembered principal is
> considered invalid and the cookie destroyed.
>
> 2. Perhaps in addition, provide a hook in the Authenticator interface (?)
> where remembered principals can be validated, like: boolean
> isRememberedPrincipalsValid(PrincipalCollection).
>
> What do you think?
>
> Or is there already a simple solution to this that I'm missing? :)
>
> --
> Matt
>
> http://shiro-user.582556.n2.nabble.com/How-to-deal-with-remembered-principals-if-realm-has-since-changed-tp6009937p6009937.html

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-deal-with-remembered-principals-if-realm-has-since-changed-tp6009937p6010615.html
Sent from the Shiro User mailing list archive at Nabble.com.
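One way to get the validation Matt asks for in points 1 and 2 today, added here as an illustration and not code from Shiro or from either poster: a CookieRememberMeManager subclass that rejects remembered principals whose realm name is no longer configured or whose primary principal is not the new MyAppPrincipal type, and treats a stale cookie exactly like a corrupt one. The set of active realm names and the expected principal class are assumed to be injected from configuration; MyAppPrincipal is Matt's own type and RealmValidatingRememberMeManager is a hypothetical name.

```java
import java.util.Set;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

/**
 * Hypothetical subclass (illustration only, not part of Shiro).
 * A remembered identity whose realm no longer exists, or whose principal is not
 * the type the current realm produces, is discarded and its cookie removed, so
 * the subject comes back anonymous and @RequiresUser no longer passes.
 */
public class RealmValidatingRememberMeManager extends CookieRememberMeManager {

    private final Set<String> activeRealmNames;   // assumption: realm names from config
    private final Class<?> expectedPrincipalType;  // e.g. MyAppPrincipal.class

    public RealmValidatingRememberMeManager(Set<String> activeRealmNames,
                                            Class<?> expectedPrincipalType) {
        this.activeRealmNames = activeRealmNames;
        this.expectedPrincipalType = expectedPrincipalType;
    }

    @Override
    public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext) {
        // Shiro's own path: decrypt + deserialize, or forget the cookie on failure.
        PrincipalCollection remembered = super.getRememberedPrincipals(subjectContext);
        if (remembered == null || remembered.isEmpty()) {
            return remembered;
        }
        if (isRememberedPrincipalsValid(remembered)) {
            return remembered;
        }
        // Stale identity: same handling as an undecryptable cookie, then no identity.
        forgetIdentity(subjectContext);
        return null;
    }

    /** Point 1: every realm named in the cookie must still be configured;
     *  point 2: the principal must be the type the new realm expects. */
    boolean isRememberedPrincipalsValid(PrincipalCollection remembered) {
        for (String realmName : remembered.getRealmNames()) {
            if (!activeRealmNames.contains(realmName)) {
                return false;   // e.g. the realm was renamed or removed
            }
        }
        // Rejects the old String principal once the realm moved to MyAppPrincipal.
        return expectedPrincipalType.isInstance(remembered.getPrimaryPrincipal());
    }
}
```

Wire it in as `securityManager.rememberMeManager` in place of the default CookieRememberMeManager; the cipher key handling is inherited unchanged.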
