shiro-commits mailing list archives

Subject svn commit: r1770852 - /shiro/site/publish/java-authentication-guide.html
Date Tue, 22 Nov 2016 15:07:30 GMT
Author: bdemers
Date: Tue Nov 22 15:07:30 2016
New Revision: 1770852



Modified: shiro/site/publish/java-authentication-guide.html
--- shiro/site/publish/java-authentication-guide.html (original)
+++ shiro/site/publish/java-authentication-guide.html Tue Nov 22 15:07:30 2016
@@ -316,7 +316,7 @@ currentUser.login(token);
 <p>In shiro it is very important to note that a remembered subject is not an authenticated
subject. A check against <code>isAuthenticated()</code> is a much more strict
check because authentication is the process of proving you are who you say you are. When a
user is only remembered, the remembered identity gives the system an idea who that user probably
is, but in reality, has no way of absolutely guaranteeing if the remembered Subject represents
the user currently using the application. Once the subject is authenticated, they are no longer
considered only remembered because their identity would have been verified during the current
 <p>So although many parts of the application can still perform user-specific logic
based on the remembered principals, such as customized views, it should never perform highly-sensitive
operations until the user has legitimately verified their identity by executing a successful
authentication attempt.</p>
 <p>For example, a check to see if a subject can access financial information should
almost always depend on <code>isAuthenticated()</code>, not <code>isRemembered()</code>,
to guarantee a verified identity.</p>
-<p>He is a scenario to help illustrate why the the distinction between isAuthenticated
and isRemembered is important.</p>
+<p>Here is a scenario to help illustrate why the the distinction between isAuthenticated
and isRemembered is important.</p>
 <p>Let&rsquo;s say you&rsquo;re using You log in and you add some
books to your shopping cart. A day goes by. Of course your user session has expired and you&rsquo;ve
been logged out. But Amazon &ldquo;remembers&rdquo; you, greets you by name, and is
still giving you personalized book recommendations. To Amazon, <code>isRemembered()</code>
would return <code>TRUE</code>. What happens if you try to use one of the credit
cards on file or change your account information? While Amazon &ldquo;remembers&rdquo;
you, <code>isRemembered() = TRUE</code>, it is not certain that you are in fact
you, <code>isAuthenticated()=FALSE</code>. So before you can perform a sensitive
action Amazon needs to verify your identity by forcing an authentication process which it
does through a login screen. After the login, your identity has been verified and <code>isAuthenticated()=TRUE</code>.</p>
 <p>This scenario happens very often over the web so the functionality is built into
Shiro helping you easily make the distinction yourself.</p>
 <a name="JavaAuthenticationGuide-LoggingOut"></a>
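Review bot: the replacement line only fixes "He" to "Here" and leaves the doubled article in "why the the distinction" on the `+` line; since the paragraph is being touched anyway, the added line should read "Here is a scenario to help illustrate why the distinction between isAuthenticated and isRemembered is important." Two smaller points in the same hunk: `isAuthenticated` and `isRemembered` in that sentence are bare text while every other mention in the surrounding context (`<code>isAuthenticated()</code>`, `<code>isRemembered()</code>`) is wrapped in `<code>`, so wrapping them keeps the page consistent; and the unchanged context line "Let&rsquo;s say you&rsquo;re using You log in and you add some books" is missing the site name before "You log in", which this commit could also repair rather than leaving for a later pass. Finally, the commit carries no log message, so the revision history gives no hint that this was a typo fix to the authentication guide.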
