Hi Richard,

Your approach is fine if clients expect to log in again when you restart
your app - this is perfectly fine for many types of applications.  The
rotating key approach is ideal if you don't want clients to experience any
interruption, but as you've already pointed out, requires more engineering
effort.  You've pretty much covered both approaches (and yes, getInstance()
is a reasonable way to do this).

That's the only default key you would change - Shiro doesn't use default
keys anywhere else.

Sounds like you have things covered!

Cheers,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Tue, Aug 27, 2013 at 12:56 PM, [email protected] <[email protected]> wrote:

> Hi.
>
> Right now I am using the default AES key for the RememberMe token, described
> here:
>
> https://shiro.apache.org/static/current/apidocs/org/apache/shiro/mgt/AbstractRememberMeManager.html
>
> We consider the username to be sensitive information, however, so I want to
> avoid using the default, and read about one technique for doing so here:
>
> http://balusc.blogspot.sg/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html#RememberMe
>
> I am thinking of using a randomized key, by generating a new random key each
> time the application starts.  This would make old tokens unusable at each
> restart, but that should be rare enough not to cause much inconvenience.
> (I suppose I could also store the keys somewhere secure and rotate them at
> appropriate time intervals to reduce the inconvenience, but that adds a lot
> of unnecessary complexity for our purpose.)  The simplest way I have thought
> of doing this is by just having the getInstance() method of a class return a
> new random key, and loading it via shiro.ini:
>
>
> Is there a simpler or better way of doing this?  Are there any problems to
> watch out for?
>
> Also, are there any other default keys in Shiro that I should maybe pay
> attention to?
>
> Thanks.
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Randomized-key-for-RememberMe-token-tp7579078.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
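The per-restart random key that the thread discusses, written out as an added example (not code from the thread or from Shiro itself). It assumes Shiro's INI builder resolves a `$reference` to an `org.apache.shiro.util.Factory` by calling its `getInstance()`; the class name, package and ini object name are mine.

```java
package com.example.shiro; // hypothetical package

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.Factory;

/**
 * Produces one fresh, random AES key per JVM start. Every RememberMe cookie
 * issued by a previous run becomes undecryptable after a restart, which is
 * the trade-off described in the thread: no key storage or rotation, at the
 * cost of users logging in again after each deploy.
 *
 * Wire it up in shiro.ini (object name is an assumption, not a Shiro default):
 *
 *   [main]
 *   rememberMeKey = com.example.shiro.RandomRememberMeKeyFactory
 *   securityManager.rememberMeManager.cipherKey = $rememberMeKey
 */
public class RandomRememberMeKeyFactory implements Factory<byte[]> {

    // Generated once at class load so every reference in the process shares
    // the same key. AesCipherService.generateNewKey() uses the JCA
    // KeyGenerator with Shiro's 128-bit default size.
    private static final byte[] KEY =
            new AesCipherService().generateNewKey().getEncoded();

    @Override
    public byte[] getInstance() {
        // Defensive copy: the RememberMe manager keeps its own reference,
        // and nothing outside this class should be able to alter the key.
        return KEY.clone();
    }
}
```

Note that each running instance of the application will generate its own key, so RememberMe cookies will not be honoured across nodes in a clustered deployment; that is the situation where the stored, rotated key the thread mentions becomes necessary.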
