Looks like a good start, I left a comment on the nonce logic. My JDBC is a little rusty though (which oddly makes me smile) so I might not be the best person to look at that.
There is probably some logic we can bubble up. I almost forgot about this, but I was messing around with a JWT remember-me manager a while back:
https://github.com/bdemers/shiro/commit/31bbeff2b93f7ddcd2121aa30d69d9281e666981#diff-b7b4d173bb5d4b6d00aa3cecfa7cb861
If we create an encode/decode method that _should_ simplify your implementation. Thoughts?

-Brian

On Fri, Jan 26, 2018 at 8:10 AM, Björn Raupach <[email protected]> wrote:

> Hi Brian,
>
> know you are busy. Could you give me some feedback on this?
>
> kind regards
> Björn
>
>
> On 12. Jan 2018, at 16:44, Björn Raupach <[email protected]> wrote:
>
> Not sure where to talk about the proposed feature. JIRA ticket? Mailing list or GitHub issue/pull request?
>
> Anyways, here is the link to the implementation: https://github.com/raupachz/shiro/tree/dbcookies
> The class is called DatabaseRememberMeCookieManager.java
>
> This is more or less a simple proof of concept, so we have something to talk about. I am also not very familiar with the internals of Shiro and the terminology. So please correct me.
>
> DatabaseRememberMeCookieManager inherits RememberMeCookieManager. I have overridden the methods getRememberedPrincipals(SubjectContext) and rememberIdentity(Subject, PrincipalCollection). getRememberedPrincipals retrieves the cookie value. rememberIdentity generates a random, non-guessable nonce instead of the encrypted, serialized PrincipalCollection. Not sure what to call this value, I just went with nonce. This nonce and all the principals of the collection are written to a database with JDBC.
>
> getRememberedPrincipals reads the nonce from the cookie, if available, and retrieves the matching principals from the database.
>
> The smoke tests do work :)
>
> Open issues:
>
> * Not sure how to get the proper realm name in getRememberedPrincipals. See the placeholder "whatever" in the constructor of PrincipalCollection
> * A nonce can have multiple principals and every principal can have multiple nonces.
>
> The m:n relationship with nonces probably needs three tables. A select with joins would make a very long single line in shiro.ini. Would work, but it is not nice. The insert is even more complicated. Maybe it is better to not use shiro.ini in that case and let the user override some abstract method to load and store the principals. For example abstract loadPrincipals in DatabaseRememberMeCookieManager.
>
> Hoping for a good discussion on this :)
>
> Sorry if this message came several times. I keep forgetting what email address I use on different mailing lists.
>
> /Björn
>
> On 10. Jan 2018, at 16:56, Rob Young <[email protected]> wrote:
>
> I'd be interested to see this in action, I'd be happy to check out what you get up to!
>
> On Wed, Jan 10, 2018 at 10:25 AM, Brian Demers <[email protected]> wrote:
>
>> Probably an override, you will still need to add the cookie, so you should be able to override just what you need.
>>
>>> Keep us posted!
>>>
>>> Since we need this feature I can dedicate company time on this matter. Will work on this in my repo and open a pull request once I have something figured out. Might need some help troubleshooting.
>>
>> Cool!
>
> --
> Rob Young
> [email protected]
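The design Björn describes above (a random nonce in the cookie, the principals kept server-side, looked up by nonce on the next visit) in working form, as an added example that is not code from his dbcookies branch, from Brian's JWT commit, or from Apache Shiro itself. It assumes Shiro 1.x on the classpath and subclasses the real `org.apache.shiro.web.mgt.CookieRememberMeManager`, overriding the same two methods he mentions; `NonceRememberMeManager`, `NonceStore` and `InMemoryNonceStore` are names invented here. It also adds two things a reviewer would ask for: the table holds only a SHA-256 hash of the nonce, so a dumped table cannot be replayed as a cookie, and an unknown nonce clears the cookie instead of silently failing. Storing the whole `PrincipalCollection` per nonce (rather than individual principal columns) keeps the realm names, which is the "whatever" placeholder problem from the thread, and the `NonceStore` interface is the "abstract method to load and store the principals" idea from the same message; a JDBC implementation of it would hold the three-table schema instead of `shiro.ini`.

```java
// Added example; not Björn's DatabaseRememberMeCookieManager and not part of Apache Shiro.
// Assumes Shiro 1.x. NonceStore / InMemoryNonceStore / NonceRememberMeManager are hypothetical names.
package example.shiro; // hypothetical package

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

public class NonceRememberMeManager extends CookieRememberMeManager {

    /** Storage abstraction; a JDBC-backed implementation would own the nonce/principal tables. */
    public interface NonceStore {
        void save(String nonceHash, PrincipalCollection principals);
        PrincipalCollection load(String nonceHash); // null when the hash is unknown or revoked
        void delete(String nonceHash);
    }

    /** In-memory stand-in so the example runs without a database (constructed for this example). */
    public static final class InMemoryNonceStore implements NonceStore {
        private final Map<String, PrincipalCollection> rows = new ConcurrentHashMap<>();
        public void save(String h, PrincipalCollection p) { rows.put(h, p); }
        public PrincipalCollection load(String h) { return rows.get(h); }
        public void delete(String h) { rows.remove(h); }
    }

    private static final int NONCE_BYTES = 32; // 256 random bits: not guessable, no need for a signature
    private final SecureRandom random = new SecureRandom();
    private final NonceStore store;

    public NonceRememberMeManager(NonceStore store) {
        this.store = store;
    }

    /** Called by Shiro after a successful login with rememberMe=true. */
    @Override
    protected void rememberIdentity(Subject subject, PrincipalCollection principals) {
        byte[] nonce = new byte[NONCE_BYTES];
        random.nextBytes(nonce);
        // Persist only the hash: a leaked table does not let an attacker mint valid cookies.
        store.save(sha256(nonce), principals);
        // Reuse the parent's cookie handling: it base64-encodes the bytes and sets the rememberMe cookie.
        // Nothing derived from the PrincipalCollection itself ever reaches the browser.
        rememberSerializedIdentity(subject, nonce);
    }

    /** Called by Shiro on later requests that carry the rememberMe cookie. */
    @Override
    public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext) {
        byte[] nonce = getRememberedSerializedIdentity(subjectContext); // parent reads + base64-decodes the cookie
        if (nonce == null || nonce.length != NONCE_BYTES) {
            return null; // no cookie, or a malformed one: treat as not remembered
        }
        PrincipalCollection principals = store.load(sha256(nonce));
        if (principals == null) {
            forgetIdentity(subjectContext); // unknown or revoked nonce: remove the stale cookie
        }
        return principals;
    }

    /** Hash used as the lookup key; the raw nonce is never stored. */
    static String sha256(byte[] nonce) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getUrlEncoder().withoutPadding().encodeToString(md.digest(nonce));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Revoking a remembered session then becomes a `delete` of the hash row, something the encrypted-cookie approach cannot do without rotating the cipher key for everyone; if the manager is also meant to drop the row on logout, the logout path needs to read the cookie before the parent clears it.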
