Nope, no security issues.  Note that principals are serialized as
cookies for RememberMe by default, but they are encrypted using AES
encryption before being sent to the browser (again, this is by default;
this can be turned off, of course, if your principal(s) don't
constitute sensitive information, for example).

The technique you described is exactly what I do for my apps - I store
the ID (and the ID only) as a principal, and then use that to look up
anything else I might need (relying on caching at the data tier to
ensure regular lookups for miscellaneous info don't hurt
performance).

Cheers,

Les

On Wed, Mar 13, 2013 at 2:22 PM, Nolan Darilek <[email protected]> wrote:
> Cool, thanks. I wasn't sure if there were potential security issues from,
> say, using a MongoDB ObjectId as the primary principal. Even though users
> log in via email addresses, and those should be unique, other records
> reference subjects via their ID, and it simplifies things to just put
> subject.getPrincipal into the field rather than doing another query for the
> ID.
>
> Thanks.
>
>
>
> On 03/13/2013 02:27 PM, Les Hazlewood wrote:
>>
>> Hi Nolan,
>>
>> Shiro considers a principal to be any identifying attribute that you
>> wish to have accessible in a Subject instance.  So yes, username and
>> email are principals, but so are first and last names.  Any Realm that
>> populates a PrincipalCollection contributes to the Subject's total
>> principals (i.e. subject.getPrincipals()), and they can be whatever
>> you want.
>>
>> Shiro also expects that at least one of the principals is an
>> application unique identifier - usually a username, email address or
>> datastore primary key (long, UUID, etc).  Shiro calls this the
>> 'primary principal' (subject.getPrincipal() ===
>> subject.getPrincipals().getPrimaryPrincipal()).
>>
>> Once a Subject has authenticated, Shiro's internals only really make
>> use of the primary principal for its own needs.  Any other principal
>> is purely there for your own needs should you wish to use them.
>>
>> I, for example, don't use any additional principals in my
>> applications.  I populate and use only the primary principal to look
>> up a cached version of my data store's User object and then reference
>> further properties on that object.  Which approach you use is up to
>> you.
>>
>> HTH,
>>
>> --
>> Les Hazlewood | @lhazlewood
>> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>>
>> On Wed, Mar 13, 2013 at 10:47 AM, Nolan Darilek <[email protected]>
>> wrote:
>>>
>>> I'm fairly new to Shiro, and to thinking about security in terms of
>>> principals/tokens/credentials rather than just as username/password.
>>>
>>> Out of curiosity, is there some best practice for what components of a
>>> user's identity should be principals?
>>>
>>> Obviously username/email address should be a principal. What about first
>>> and
>>> last names?
>>>
>>> What about the ID of a user's row/document in a database? They're not
>>> necessarily logging in using that, nor is it being displayed, but if I
>>> made
>>> a user's ID their primary principal, my design would simplify some. Is
>>> this
>>> bad practice or does it matter?
>>>
>>> Thanks.
>
>

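The approach Les describes above (the datastore ID as the only principal, everything else resolved through a cached User lookup), as an added example that is not code from the thread or from the Shiro project. The Shiro calls are the 1.x API; the User record, the in-memory UserStore, the hash iteration count and the sample account are constructed stand-ins for a real data tier and are assumptions of this example.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class IdOnlyPrincipalExample {

    // Assumed value for this example; tune to your hardware.
    static final int HASH_ITERATIONS = 100_000;

    /** Constructed stand-in for a user row/document in the data store. */
    static final class User {
        final UUID id;
        final String email;
        final String firstName;
        final String passwordHashHex;
        final ByteSource salt;
        final Set<String> roles;

        User(UUID id, String email, String firstName, String passwordHashHex,
             ByteSource salt, Set<String> roles) {
            this.id = id;
            this.email = email;
            this.firstName = firstName;
            this.passwordHashHex = passwordHashHex;
            this.salt = salt;
            this.roles = roles;
        }
    }

    /** Constructed stand-in for the data tier; a real one sits behind a cache keyed by id. */
    static final class UserStore {
        private final Map<String, User> byEmail = new ConcurrentHashMap<>();
        private final Map<UUID, User> byId = new ConcurrentHashMap<>();

        User create(String email, String firstName, String password, Set<String> roles) {
            ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
            String hash = new Sha256Hash(password, salt, HASH_ITERATIONS).toHex();
            User u = new User(UUID.randomUUID(), email, firstName, hash, salt, roles);
            byEmail.put(email, u);
            byId.put(u.id, u);
            return u;
        }

        User findByEmail(String email) { return byEmail.get(email); }
        User findById(UUID id) { return byId.get(id); }
    }

    /** Realm whose PrincipalCollection carries the datastore ID and nothing else. */
    static final class IdOnlyRealm extends AuthorizingRealm {
        private final UserStore store;

        IdOnlyRealm(UserStore store) {
            this.store = store;
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            // Users log in with their email; the email itself never becomes a principal.
            String email = ((UsernamePasswordToken) token).getUsername();
            User user = store.findByEmail(email);
            if (user == null) {
                // Log this server-side; show the browser a generic "login failed" message.
                throw new UnknownAccountException("no account for " + email);
            }
            // The ID is the primary principal. This collection is also what a
            // RememberMe cookie would serialize, so keeping it to the ID keeps the
            // cookie small and free of personal data.
            PrincipalCollection principals = new SimplePrincipalCollection(user.id, getName());
            return new SimpleAuthenticationInfo(principals, user.passwordHashHex, user.salt);
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            // Resolve roles from the (cached) User; the account may have been
            // deleted or disabled since login, in which case it gets no roles.
            UUID id = (UUID) principals.getPrimaryPrincipal();
            User user = store.findById(id);
            return user == null ? null : new SimpleAuthorizationInfo(user.roles);
        }
    }

    public static void main(String[] args) {
        UserStore store = new UserStore();
        User alice = store.create("alice@example.com", "Alice",
                "correct horse battery staple", Collections.singleton("admin"));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IdOnlyRealm(store)));

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice@example.com", "correct horse battery staple"));

        // subject.getPrincipal() is the row ID, so other records can reference
        // the owner with it directly instead of querying for the ID again.
        UUID ownerId = (UUID) subject.getPrincipal();
        System.out.println("owner id matches row id: " + ownerId.equals(alice.id));
        System.out.println("is admin: " + subject.hasRole("admin"));

        // Display data comes from the User, not from extra principals.
        User current = store.findById(ownerId);
        System.out.println("hello " + current.firstName + " <" + current.email + ">");
        subject.logout();
    }
}
```

In a web application the same PrincipalCollection is what `CookieRememberMeManager` serializes and AES-encrypts into the RememberMe cookie, so a principal set that is just the ID leaks nothing about the user even if the cookie is captured. Set the manager's `cipherKey` explicitly in your configuration rather than relying on whatever the installed Shiro version does when it is unset, and rotate it with the rest of your secrets; and, because the realm re-reads the User by ID on every authorization check, a disabled or deleted account loses its roles without waiting for the session to expire.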