Posted to user@shiro.apache.org by leafknode <le...@gmail.com> on 2011/07/21 21:03:57 UTC

RememberMe Issues

I'm building a simple Spring app and I'd like to use Apache Shiro for my
security implementation.  I've configured AS via Spring successfully and
everything seems to be running OK but I just can't seem to get the remember
me feature working.

My first question is:

Is the Remember Me feature supposed to automatically login users that have
selected to be remembered?  Presumably "yes" but I wanted to confirm.

Under the assumption that the question above is "yes", I am not seeing the
automatic login take place when "rememberMe" is true.  When I debug it, I
can verify that it does indeed obtain the correct principals for the
browser's session, but nowhere do I see it obtaining any serialized
credentials nor do I see it attempt an automated login.

I'm sure this is a misconfiguration or something on my end and I was hoping
the community could point me in the right direction.  I have included some
snippets of code below for reference:

web.xml snippet:

  <listener>
    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetFilterLifecycle</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>RequestContextFilter</filter-name>
    <filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>RequestContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <servlet>
    <servlet-name>Spring Dispatcher Servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>
        /WEB-INF/myApp.xml
      </param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>Spring Dispatcher Servlet</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

Spring Shiro Config:

  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login"/>
    <property name="successUrl" value="/profile"/>
    <property name="filterChainDefinitions">
      <value>
        /profile/** = authc
        /** = anon
      </value>
    </property>
  </bean>

  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="realmService"/>
  </bean>

  <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

  <bean id="hashedCredentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
    <property name="hashAlgorithmName" value="SHA-256"/>
    <property name="hashIterations" value="1024"/>
    <property name="storedCredentialsHexEncoded" value="false"/>
  </bean>

  <bean id="randomNumberGenerator" class="org.apache.shiro.crypto.SecureRandomNumberGenerator"/>

RealmService snippet:

  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
      throws AuthenticationException {

    UsernamePasswordToken thisToken = (UsernamePasswordToken) token;
    String email = thisToken.getUsername();

    try {
      Account account = accountService.findByEmail(email);
      SecurityPrincipal principal = new SecurityPrincipal(email);
      // Stored password hash plus its per-account salt; the credentials matcher
      // compares these against the submitted password, the realm never does.
      String hashedCredentials = account.getEncryptedPassword();
      byte[] salt = account.getPasswordSalt();
      ByteSource credentialsSalt = securityService.convertSalt(salt);

      return new SimpleAccount(principal, hashedCredentials, credentialsSalt, getName());
    } catch (NoResultException e) {
      // Unknown account: returning null lets Shiro report UnknownAccountException
      return null;
    }
  }

SecurityPrincipal snippet:

public class SecurityPrincipal implements Serializable {

  public static final long serialVersionUID = 1950203249783644233L;

  private String email;

  public SecurityPrincipal(String email) {
    this.email = email;
  }

  public String getEmail() {
    return email;
  }
}

SecurityService snippet:

  @Override
  public ByteSource convertSalt(byte[] salt) {
    return new SimpleByteSource(salt);
  }


--
View this message in context: http://shiro-user.582556.n2.nabble.com/RememberMe-Issues-tp6608110p6608110.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: RememberMe Issues

Posted by Les Hazlewood <lh...@apache.org>.
Glad to help!

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

Re: RememberMe Issues

Posted by leafknode <le...@gmail.com>.
Thanks for the timely response and for clarifying that for me, Les.
Admittedly, I'm embarrassed that I missed that gem in the documentation ;)

--
View this message in context: http://shiro-user.582556.n2.nabble.com/RememberMe-Issues-tp6608110p6608311.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: RememberMe Issues

Posted by Les Hazlewood <lh...@apache.org>.
On Thu, Jul 21, 2011 at 12:03 PM, leafknode <le...@gmail.com> wrote:
> I'm building a simple Spring app and I'd like to use Apache Shiro for my
> security implementation.  I've configured AS via Spring successfully and
> everything seems to be running OK but I just can't seem to get the remember
> me feature working.
>
> My first question is:
>
> Is the Remember Me feature supposed to automatically login users that have
> selected to be remembered?  Presumably "yes" but I wanted to confirm.

I'm glad you confirmed :)  This is definitely not the case, and any
security framework that does this doesn't understand the meaning of
authentication.  In Shiro, Remembered != Authenticated, for very real
security reasons.  This is covered in the documentation here:

http://shiro.apache.org/authentication.html#Authentication-Rememberedvs.Authenticated

Now, if your particular security requirements don't care about the
distinction between remembered vs authenticated, and you just want to
know if the current Subject is a known user for example, you can
control flow (or UI behavior) based on the fact that the subject has
an identity or not (i.e. subject.getPrincipal() != null).  The Shiro
web JSP tags also support this via the <shiro:user> tag, where a
'user' is a Subject that has an identity - subject.getPrincipal() !=
null - indicating that they have at least authenticated either during
the current session or at least in some previous session before.

Beyond subject.getPrincipal() != null, the remembered/authenticated
states indicate _how_ we came to know about the user's identity, which
is often necessary in many security scenarios (e.g. the Amazon.com
example in the linked documentation is a good solid example).

HTH,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
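The three identity states Les describes (no identity, remembered from a previous session, authenticated in this session) and the two checks he distinguishes (subject.getPrincipal() != null versus a real authentication) can be expressed directly against the Shiro Subject API. The class below is an added example written for this thread; it is not code from the original posts or from the Shiro project. IdentityGate, its methods and the view names it returns are hypothetical; the Shiro calls (SecurityUtils.getSubject(), Subject.isAuthenticated(), Subject.isRemembered(), Subject.getPrincipal(), Subject.login(), UsernamePasswordToken) are the real API.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

/**
 * Hypothetical helper (not part of Shiro or the poster's app) showing how the
 * remembered/authenticated distinction drives control flow:
 *   ANONYMOUS      subject.getPrincipal() == null
 *   REMEMBERED     identity restored from the rememberMe cookie, but the user has
 *                  not proven it in this session: isAuthenticated() == false
 *   AUTHENTICATED  proved their identity (login succeeded) in this session
 */
public class IdentityGate {

    public enum State { ANONYMOUS, REMEMBERED, AUTHENTICATED }

    /** Classify the Subject using only the Shiro Subject API. */
    public static State classify(Subject subject) {
        if (subject.isAuthenticated()) {
            return State.AUTHENTICATED;
        }
        if (subject.isRemembered()) {   // principal != null && !authenticated
            return State.REMEMBERED;
        }
        return State.ANONYMOUS;         // getPrincipal() == null
    }

    /** The <shiro:user> case: any known identity is enough (greeting, preferences). */
    public static boolean canPersonalize(Subject subject) {
        return subject.getPrincipal() != null;
    }

    /** The Amazon-style case: sensitive actions need proof in this session. */
    public static boolean canChangePassword(Subject subject) {
        return subject.isAuthenticated();
    }

    /**
     * Explicit login. rememberMe=true only asks Shiro to set the rememberMe cookie
     * for future visits; on those visits the Subject comes back REMEMBERED, never
     * AUTHENTICATED, until login() succeeds again.
     */
    public static boolean login(Subject subject, String email, char[] password, boolean rememberMe) {
        UsernamePasswordToken token = new UsernamePasswordToken(email, password, rememberMe);
        try {
            subject.login(token);       // runs the realm's doGetAuthenticationInfo()
            return true;
        } catch (AuthenticationException e) {
            return false;               // bad credentials or unknown account
        } finally {
            token.clear();              // scrub the password from memory
        }
    }

    /** Decision in a web handler; the returned view names are made up. */
    public static String handleProfileRequest() {
        Subject subject = SecurityUtils.getSubject();
        switch (classify(subject)) {
            case AUTHENTICATED:
                return "profile";            // full access
            case REMEMBERED:
                return "profile-readonly";   // show identity, but edits require a fresh login
            default:
                return "redirect:/login";
        }
    }
}
```

The same distinction exists in the filter chain from the first post: `authc` admits only authenticated subjects, which is why a remembered user hitting `/profile/**` is redirected to the login page, whereas Shiro's `user` filter (`/profile/** = user`) is the chain-level counterpart of `<shiro:user>` and admits anyone with a principal, remembered or authenticated.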

Re: RememberMe Issues

Posted by leafknode <le...@gmail.com>.
I posted this prior to my acceptance to the user group.  Consequently, I'm
going to bump just in case it didn't get propagated to the user group list. 
Sorry in the event this double posts.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/RememberMe-Issues-tp6608110p6608165.html
Sent from the Shiro User mailing list archive at Nabble.com.