Posted to commits@shiro.apache.org by bd...@apache.org on 2016/11/22 15:07:30 UTC

svn commit: r1770852 - /shiro/site/publish/java-authentication-guide.html

Author: bdemers
Date: Tue Nov 22 15:07:30 2016
New Revision: 1770852

URL: http://svn.apache.org/viewvc?rev=1770852&view=rev
Log:
Update java-authentication-guide.md.vtl

Modified:
    shiro/site/publish/java-authentication-guide.html

Modified: shiro/site/publish/java-authentication-guide.html
URL: http://svn.apache.org/viewvc/shiro/site/publish/java-authentication-guide.html?rev=1770852&r1=1770851&r2=1770852&view=diff
==============================================================================
--- shiro/site/publish/java-authentication-guide.html (original)
+++ shiro/site/publish/java-authentication-guide.html Tue Nov 22 15:07:30 2016
@@ -316,7 +316,7 @@ currentUser.login(token);
 <p>In shiro it is very important to note that a remembered subject is not an authenticated subject. A check against <code>isAuthenticated()</code> is a much more strict check because authentication is the process of proving you are who you say you are. When a user is only remembered, the remembered identity gives the system an idea who that user probably is, but in reality, has no way of absolutely guaranteeing if the remembered Subject represents the user currently using the application. Once the subject is authenticated, they are no longer considered only remembered because their identity would have been verified during the current session.</p>
 <p>So although many parts of the application can still perform user-specific logic based on the remembered principals, such as customized views, it should never perform highly-sensitive operations until the user has legitimately verified their identity by executing a successful authentication attempt.</p>
 <p>For example, a check to see if a subject can access financial information should almost always depend on <code>isAuthenticated()</code>, not <code>isRemembered()</code>, to guarantee a verified identity.</p>
-<p>He is a scenario to help illustrate why the the distinction between isAuthenticated and isRemembered is important.</p>
+<p>Here is a scenario to help illustrate why the the distinction between isAuthenticated and isRemembered is important.</p>
 <p>Let&rsquo;s say you&rsquo;re using Amazon.com. You log in and you add some books to your shopping cart. A day goes by. Of course your user session has expired and you&rsquo;ve been logged out. But Amazon &ldquo;remembers&rdquo; you, greets you by name, and is still giving you personalized book recommendations. To Amazon, <code>isRemembered()</code> would return <code>TRUE</code>. What happens if you try to use one of the credit cards on file or change your account information? While Amazon &ldquo;remembers&rdquo; you, <code>isRemembered() = TRUE</code>, it is not certain that you are in fact you, <code>isAuthenticated()=FALSE</code>. So before you can perform a sensitive action Amazon needs to verify your identity by forcing an authentication process which it does through a login screen. After the login, your identity has been verified and <code>isAuthenticated()=TRUE</code>.</p>
 <p>This scenario happens very often over the web so the functionality is built into Shiro helping you easily make the distinction yourself.</p>
 <a name="JavaAuthenticationGuide-LoggingOut"></a>
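Review bot: the corrected line still carries the doubled "the the" ("why the the distinction"), so this fix only addresses half of the typo in that sentence; suggest `<p>Here is a scenario to help illustrate why the distinction between <code>isAuthenticated()</code> and <code>isRemembered()</code> is important.</p>`. Wrapping the two method names in `<code>` also matches how the surrounding context paragraphs render them, and the rendered page already mixes `TRUE`/`FALSE` with Java's lowercase `true`/`false`, which would be worth normalising in the same pass.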