So, this proved to be an interesting problem in debugging shiro.ini files. My original approach did not work because setting securityManager.rememberMeManager.cipherKey to a reference fails, with the reference being treated as an actual value. I did find a solution in extending the Remember Me Manager directly.
Since this might help others debug similar issues in the future, I will go into some details.

First, here is a handy "debugger" that will print out reference values in the shiro.ini file:

Feel free to use a logger instead of System.out.println for output.

Here is what did not work. In shiro.ini:

The debugger correctly prints that the cipher key is a different random value each time, but securityManager.rememberMeManager.cipherKey uses the actual string "$cipherKey" as the key, which is not random at all.

RandomKey2 is a simple Factory method to produce a byte[] array:

I also tried a variation that produced a hex-encoded string, with the same result:

After giving up on setting the key, I decided to set the Remember Me Manager itself, which does work. In shiro.ini:

The code for the RandomRememberMeManager is actually even simpler than my first approach:

I would suggest that Shiro include something like this in its next release, but I know Les has been too busy to get to the last patch I submitted. :)

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Randomized-key-for-RememberMe-token-tp7579078p7579118.html
Sent from the Shiro User mailing list archive at Nabble.com.
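One way the approach described in the message above could look, as an added example rather than the poster's own code: a subclass of Shiro's `CookieRememberMeManager` that sets a fresh random key in its constructor, so no `$reference` has to be resolved for `cipherKey`. The package name, the 16-byte key length, the ini variable name and the demo `main` are assumptions.

```java
package com.example.security; // hypothetical package name

import java.security.SecureRandom;
import java.util.Arrays;

import org.apache.shiro.web.mgt.CookieRememberMeManager;

/**
 * Remember-me manager whose cipher key is generated per instance.
 *
 * Possible shiro.ini wiring (assumed, matching the approach in the post):
 *
 *   rememberMeManager = com.example.security.RandomRememberMeManager
 *   securityManager.rememberMeManager = $rememberMeManager
 *
 * Assigning the manager object by reference avoids configuring
 * securityManager.rememberMeManager.cipherKey in the ini file at all.
 */
public class RandomRememberMeManager extends CookieRememberMeManager {

    // 16 bytes = AES-128; an assumed size that works without extra JCE policy files.
    private static final int KEY_BYTES = 16;

    public RandomRememberMeManager() {
        super();
        byte[] key = new byte[KEY_BYTES];
        new SecureRandom().nextBytes(key); // CSPRNG, never java.util.Random
        // setCipherKey sets both the encryption and the decryption key.
        setCipherKey(key);
    }

    /** Returns true when two independently built managers hold different keys. */
    static boolean keysDiffer() {
        byte[] a = new RandomRememberMeManager().getCipherKey();
        byte[] b = new RandomRememberMeManager().getCipherKey();
        return a.length == KEY_BYTES && b.length == KEY_BYTES && !Arrays.equals(a, b);
    }

    // Small stand-alone check; needs shiro-core and shiro-web on the classpath.
    public static void main(String[] args) {
        System.out.println("independent instances use different keys: " + keysDiffer());
    }
}
```

Because the key exists only in memory, rememberMe cookies issued before a restart, or by another node in a cluster, will no longer decrypt and those users have to log in again.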
