Has anyone had any problems getting the Remember Me part of JSecurity to work? I upgraded from JSecurity 1, so I'm not sure if I have missed any configuration or something.

Otherwise, how exactly does it work? Is it the filters which pass the user through if remember me is used? Any help appreciated.

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

> Otherwise how exactly does it work? Is it the filters which pass the user through if remember me is used?

The "remember me" feature means that a user can come back to your application and it will remember the user details. More specifically, "SecurityUtils.subject.principal" will return a non-null value, for example the username. So, you can display information relevant to that user. However, the access control won't allow the user through until he or she has authenticated, for example by entering a valid password.

In other words, a user has three possible states: unrecognised (analogous to "guest"), remembered, and authenticated. If you want to take advantage of "remember me" easily, use the <jsec:user/> and <jsec:principal/> tags, both of which will output stuff if the user is either remembered or authenticated.

HTH,

Peter

--
Software Engineer
G2One, Inc.
http://www.g2one.com/

Ah, cheers for that, I misunderstood what remember me was for.

On Friday, July 18, 2008, at 07:54AM, "Peter Ledbrook" <[hidden email]> wrote:
> The "remember me" feature means that a user can come back to your
> application and it will remember the user details. More specifically,
> "SecurityUtils.subject.principal" will return a non-null value, for
> example the username. [...]

In reply to this post by Peter Ledbrook

Hi Peter,

I am using the jsec plugin, but I don't want my users to have to authenticate every time. I want, if they check the remember me checkbox, to "auto-login" the user next time they come to the site for, say, 2 weeks (which is a common way sites around the web do signing in). How can I do that with jsecurity?

thanks,
bredo

Peter Ledbrook wrote:
> The "remember me" feature means that a user can come back to your
> application and it will remember the user details. More specifically,
> "SecurityUtils.subject.principal" will return a non-null value, for
> example the username. [...]

Remember me should be good enough for authorization checks/access control. That is, JSecurity as a framework (dunno about the Grails plugin) doesn't need the user to be authenticated to perform an access control check (role/perm check).

All truly secure parts of an application (access to user account data, changing credit card data, etc.) should always check to make sure the user is authenticated first (in addition to any role or perm checks) before being allowed access. That guarantees the user is who they say they are, whereas Remember Me has no such guarantee.

On Fri, Jul 18, 2008 at 12:14 PM, Andrew Bredon <[hidden email]> wrote:
> Hi Peter,
> I am using the jsec plugin, but I don't want my users to have to
> authenticate every time [...]

I believe the plugin does need the user to be authenticated to test for a role and pass through the security filter? Or am I writing my security filters incorrectly?

I use something like:

    x(controller: "x", action: "y") {
        before = {
            accessControl {
                role("User")
            }
        }
    }

I am trying to achieve the same type of functionality as Andrew.

On Friday, July 18, 2008, at 06:24PM, "Les Hazlewood" <[hidden email]> wrote:
> Remember me should be good enough for authorization checks/access control.
> That is, JSecurity as a framework (dunno about the Grails plugin) doesn't
> need the user to be authenticated to perform an access control check
> (role/perm check).
>
> All truly secure parts of an application (access to user account data,
> changing credit card data, etc), should always check to make sure the user
> is authenticated first (in addition to any role or perm checks) before being
> allowed access. That guarantees the user is who they say they are, whereas
> Remember Me has no such guarantee. [...]

> I believe the plugin does need the user to be authenticated to test for a
> role and pass through the security filter? Or am I writing my security
> filters incorrectly?
>
> I use something like:
>
>     x(controller: "x", action: "y") {
>         before = {
>             accessControl {
>                 role("User")
>             }
>         }
>     }
>
> I am trying to achieve the same type of functionality as Andrew

Hmmm...ok. That's going to require a fairly significant change, but I think an essential one. How about:

    x(controller: "x", action: "y") {
        before = {
            accessControl(auth: false) {
                role("User")
            }
        }
    }

By default, the "auth" parameter would be treated as 'true' and interpreted as requiring authentication. If set to 'false' as above, then the access control would accept users that are remembered (but not authenticated). How does that sound?

Cheers,

Peter

> By default, the "auth" parameter would be treated as 'true' and
> interpreted as requiring authentication. If set to 'false' as above,
> then the access control would accept users that are remembered (but
> not authenticated). How does that sound?

Actually, it's a bit harsh to require you to add an "auth: false" parameter everywhere, so I also need to add a config option that allows you to determine whether auth is required by default or not. I'll do that.

Cheers,

Peter

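The decision that Peter's proposed "auth" parameter would make, and the rule Les gives above (role checks may accept a remembered user, but anything touching account or card data must insist on a real login), written out against JSecurity's Subject API. This is an added example, not code from the Grails plugin, from JSecurity, or from any message in this thread. It assumes JSecurity 0.9's org.jsecurity.SecurityUtils and org.jsecurity.subject.Subject with getPrincipal(), isAuthenticated() and hasRole(String); the AccessCheck class, the Decision enum and the requireAuth flag are names chosen here for illustration.

```java
import org.jsecurity.SecurityUtils;
import org.jsecurity.subject.Subject;

/**
 * Illustrative access-control decision for the three user states discussed
 * in the thread: unrecognised (no principal), remembered (principal known,
 * but no credentials presented this session) and authenticated.
 * Example code only; not JSecurity or Grails-plugin code.
 */
public final class AccessCheck {

    public enum Decision { ALLOW, LOGIN_REQUIRED, FORBIDDEN }

    private AccessCheck() {}

    /**
     * @param subject     the current subject, e.g. SecurityUtils.getSubject()
     * @param role        the role the action requires
     * @param requireAuth true  = behaves like the proposed "auth: true" default:
     *                            a remembered-only user is sent to the login form;
     *                    false = behaves like "auth: false": remembered is enough
     *                            to go on to the role check
     */
    public static Decision check(Subject subject, String role, boolean requireAuth) {
        Object principal = subject.getPrincipal();
        boolean authenticated = subject.isAuthenticated();
        // Assumption: JSecurity 0.9 has no isRemembered(), so "remembered" is
        // derived as "we know who this is, but no credentials were presented".
        boolean remembered = principal != null && !authenticated;

        if (principal == null) {
            return Decision.LOGIN_REQUIRED;   // unrecognised / guest
        }
        if (requireAuth && remembered) {
            return Decision.LOGIN_REQUIRED;   // known, but identity not proven this session
        }
        // A role check works for a remembered subject as well: authorization asks
        // the realm about the principal, not about credentials.
        return subject.hasRole(role) ? Decision.ALLOW : Decision.FORBIDDEN;
    }

    /** Browse-only areas: a remembered user may pass. */
    public static Decision forRememberedOk(String role) {
        return check(SecurityUtils.getSubject(), role, false);
    }

    /** Account data, card changes and the like: require a login in this session. */
    public static Decision forSensitive(String role) {
        return check(SecurityUtils.getSubject(), role, true);
    }
}
```

A filter that calls forSensitive("User") for the account controller and forRememberedOk("User") elsewhere gets exactly the split Les describes: remembered users see their personalised pages, while a LOGIN_REQUIRED result for a remembered user should redirect to the login form (the remembered principal can pre-fill the username, the same value <jsec:principal/> would display) rather than being treated as a plain 403.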
Hi,

I filed an enhancement request, http://jira.codehaus.org/browse/GRAILSPLUGINS-435, a few days ago, focusing on (nearly) the same problem. I am still in the testing phase of my promised patch. Hopefully, I will finish it within the next two days. Feel free to comment if you see problems or have other ideas.

Best regards
Marc

Peter Ledbrook wrote:
> Actually, it's a bit harsh to require you to add an "auth: false"
> parameter everywhere, so I also need to add a config option that
> allows you to determine whether auth is required by default or not.
> I'll do that.

In reply to this post by Peter Ledbrook

Great, thanks Peter, I think it's a really useful piece of functionality.

Peter Ledbrook wrote:
> Actually, it's a bit harsh to require you to add an "auth: false"
> parameter everywhere, so I also need to add a config option that
> allows you to determine whether auth is required by default or not.
> I'll do that.