Posted to user@shiro.apache.org by Glen McCoy <gl...@givemeinspiration.co.uk> on 2015/01/13 04:59:19 UTC

Customising rememberMe functionality to auto-authenticate

Hi

I am building a webapp for a customer that is essentially a facade for
another system. The app has a custom realm that authenticates against the
back end.

Initial login works great, authenticating correctly against my realm.

The problem I have now is with rememberMe after session timeout. I have read
and understood the whole "remembered vs authenticated" argument and agree
with the distinction (the Amazon example really helped). My issue is that
the users MUST be authenticated to do anything within the app and my
customer insists that they want rememberMe functionality without clogging
the server with eternal sessions. I have tried to explain the implications,
but they are insistent.


As I see it, I can implement this in a couple of ways:
 * on authentication with rememberMe, set an additional encrypted cookie
containing the user's username/password
 * save encrypted credentials in a server-side safe to reauthenticate as
required

I am not totally comfortable with either of these as I would prefer not to
handle password storage. However, if I were to continue down this line, how
could I recover these credentials if "isAuthenticated() == false"?

After playing around a bit, I have overridden
FormAuthenticationFilter.isAccessAllowed(). Here is my code:


import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

// Subclass name is illustrative; SecureCookie and getSecureCookie() are the
// poster's own helpers and are not shown.
public class ReauthFormAuthenticationFilter extends FormAuthenticationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
            ServletResponse response, Object mappedValue) {
        // already authenticated (or a permissive/login request): nothing to do
        if (super.isAccessAllowed(request, response, mappedValue)) {
            return true;
        }

        SecureCookie sc = getSecureCookie(); // custom class that decrypts
                                             // and loads values

        if (sc != null) {
            UsernamePasswordToken token =
                    (UsernamePasswordToken) createToken(request, response);

            token.setUsername(sc.getUsername());
            token.setPassword(sc.getPassword()); // char[]
            token.setRememberMe(true);

            Subject currentUser = SecurityUtils.getSubject();
            try {
                currentUser.login(token);
            } catch (AuthenticationException e) {
                // stale or revoked credentials: fall through to the normal
                // login redirect instead of failing the request with a 500
            }
        }

        return super.isAccessAllowed(request, response, mappedValue);
    }
}


I guess if I went this way, I would also have to extend LogoutFilter to
delete the SecureCookie, right?

This *appears* to work, but I am not sure if this is the right place to do
it. I saw an old thread from 2011
(http://shiro-user.582556.n2.nabble.com/RememberMe-implementation-td6201635.html#a6209045)
that suggested subclassing CookieRememberMeManager and overriding
getRememberedPrincipals(). Would it be better to do this there? I guess it
would mean storing the password as a Principal, creating a token and calling
Subject.login(token) as above. Am I on the right track?



Is there a better way?

Thanks for your help.

Glen




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Customising-rememberMe-functionality-to-auto-authenticate-tp7580403.html
Sent from the Shiro User mailing list archive at Nabble.com.
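Added example, not part of Glen's post and not Shiro's own code: one way to build the "SecureCookie" that the filter above reads, plus the LogoutFilter extension the post asks about. It assumes a server-side AES key (a javax.crypto.SecretKey) that the application manages elsewhere; the class, method and cookie names are invented for this illustration. The expiry is carried inside the AES-GCM authenticated payload, so the browser cannot extend it, and the GCM tag rejects any edited or forged value. What this does not change is the risk the post already names: whoever steals the cookie holds a password-equivalent credential until it expires or the key is rotated.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.util.WebUtils;

/** Sealed re-authentication cookie (hypothetical helper): AES-GCM over
 *  "expiry\nusername\npassword", with the cookie name bound in as associated
 *  data. The key never leaves the server. */
public final class ReauthCookie {
    public static final String NAME = "reauth";
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final byte[] AAD = NAME.getBytes(StandardCharsets.UTF_8);
    private static final SecureRandom RNG = new SecureRandom();

    /** Called once, at the rememberMe login, with the credentials just verified. */
    public static String seal(SecretKey key, String user, char[] pw, long expiresAtMillis) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);                                   // fresh nonce per cookie
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(AAD);
        byte[] plain = (expiresAtMillis + "\n" + user + "\n" + new String(pw)).getBytes(StandardCharsets.UTF_8);
        byte[] ct = c.doFinal(plain);                        // ciphertext || 16-byte tag
        byte[] out = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns {username, password}, or null when the value is forged, damaged or expired. */
    public static String[] open(SecretKey key, String value, long nowMillis) {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(value);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
            c.updateAAD(AAD);
            byte[] plain = c.doFinal(raw, IV_LEN, raw.length - IV_LEN);   // throws on a bad tag
            String[] f = new String(plain, StandardCharsets.UTF_8).split("\n", 3);
            if (f.length != 3 || Long.parseLong(f[0]) < nowMillis) {
                return null;                                 // expired: treat as absent
            }
            return new String[] { f[1], f[2] };
        } catch (Exception e) {
            return null;   // any failure means "no usable cookie", never a partial result
        }
    }

    /** The Set-Cookie the login step emits; Secure + HttpOnly keep it off the wire and away from scripts. */
    public static SimpleCookie build(String sealed, int maxAgeSeconds) {
        SimpleCookie cookie = new SimpleCookie(NAME);
        cookie.setValue(sealed);
        cookie.setMaxAge(maxAgeSeconds);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        return cookie;
    }

    /** LogoutFilter that also drops the sealed cookie; without this the next
     *  request after logout would silently log the user back in. */
    public static class ClearingLogoutFilter extends LogoutFilter {
        @Override
        protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
            HttpServletRequest req = WebUtils.toHttp(request);
            HttpServletResponse resp = WebUtils.toHttp(response);
            new SimpleCookie(NAME).removeFrom(req, resp);    // sends Max-Age=0 for the same path
            return super.preHandle(request, response);       // Shiro logout and redirect
        }
    }
}
```

Usage, under these assumptions: seal() runs once in the success path of the rememberMe login and build() emits the cookie; the filter from the post calls open() with System.currentTimeMillis() and treats null as "no cookie"; ClearingLogoutFilter replaces the standard logout filter in the chain. Rotating the server key invalidates every outstanding cookie at once, which is the only revocation this design offers.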

Re: Customising rememberMe functionality to auto-authenticate

Posted by douglas_om <do...@yahoo.com.br>.
Do they really need to be authenticated, or is remembered good enough? It
seems you're not really taking advantage of the remember me feature so far.

As explained  here:

http://grails.1312388.n4.nabble.com/grails-shiro-plugin-remember-me-does-not-work-as-I-expect-td1340662.html

...to avoid forcing authentication (and accepting the remembered user
actions), add "auth: false" as an argument to the accessControl call:

accessControl(auth: false)



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Customising-rememberMe-functionality-to-auto-authenticate-tp7580403p7580423.html
Sent from the Shiro User mailing list archive at Nabble.com.
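Added example, not from douglas_om's reply and not Shiro's own documentation: how Shiro models the remembered-versus-authenticated state the reply relies on, using a constructed in-memory user. After a session timeout Shiro rebuilds the Subject from the rememberMe cookie with its principals present and authenticated() false; the snippet reproduces that state with Subject.Builder instead of waiting for a real timeout. mayBrowse() is the accessControl(auth: false) policy from the reply; mayChangePassword() is the kind of step that still demands a fresh login. The user name, password and policy method names are invented for this illustration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RememberedVsAuthenticated {

    /** Anything a remembered user may do: the "auth: false" policy. */
    static boolean mayBrowse(Subject s) {
        return s.isAuthenticated() || s.isRemembered();
    }

    /** Operations that need proof of identity in this session: the "authc" policy. */
    static boolean mayChangePassword(Subject s) {
        return s.isAuthenticated();
    }

    public static void main(String[] args) {
        // constructed test user; a real deployment uses the custom realm from the post
        Ini ini = new Ini();
        ini.addSection("users").put("glen", "secret");
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);

        // 1. interactive login with rememberMe: authenticated for this session
        Subject fresh = new Subject.Builder(sm).buildSubject();
        fresh.login(new UsernamePasswordToken("glen", "secret", true));
        System.out.println("after login:   browse=" + mayBrowse(fresh)
                + " changePassword=" + mayChangePassword(fresh));

        // 2. what Shiro hands the app after the session has expired but the
        //    rememberMe cookie is still valid: same principals, authenticated=false
        PrincipalCollection who = fresh.getPrincipals();
        Subject remembered = new Subject.Builder(sm)
                .principals(who)
                .authenticated(false)
                .buildSubject();
        System.out.println("after timeout: browse=" + mayBrowse(remembered)
                + " changePassword=" + mayChangePassword(remembered));
    }
}
```

In web terms the two policies are the stock "user" and "authc" filters: put ordinary pages behind "user" and only the sensitive operations behind "authc", and the remembered user is prompted for a password exactly where it matters, with no password ever stored client-side.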