UAA Shiro Notes

RequiresUser annotation

Requires the current Subject to be an application user for the annotated class/instance/method to be accessed or invoked. This is less restrictive than the RequiresAuthentication annotation.

Shiro defines a “user” as a Subject that is either “remembered” or authenticated:

  • An authenticated user is a Subject that has successfully logged in (proven their identity) during their current session.
  • A remembered user is any Subject that has proven their identity at least once, although not necessarily during their current session, and asked the system to remember them.

Note, however, that when a new session is created for the corresponding user, that user’s identity would be remembered, but they are NOT considered authenticated.
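The sketch below shows how the remembered/authenticated distinction is typically applied: a low-risk read guarded by RequiresUser and a sensitive write guarded by RequiresAuthentication. It is an added example, not code from these notes or from the Shiro project; the ProfileService class, its methods and the in-memory email map are hypothetical, and it assumes shiro-core is on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.apache.shiro.subject.Subject;

// Hypothetical service: class, method and field names are illustrative.
public class ProfileService {
    public enum Trust { ANONYMOUS, REMEMBERED, AUTHENTICATED }

    // Illustrative in-memory store keyed by the Subject's principal.
    private final Map<Object, String> emails = new ConcurrentHashMap<>();

    // The three states the notes distinguish. A Subject that has logged in
    // during this session is authenticated; one known only from an earlier
    // session is remembered; one with no identity is anonymous.
    public static Trust classify(Subject s) {
        if (s.isAuthenticated()) return Trust.AUTHENTICATED;
        if (s.isRemembered()) return Trust.REMEMBERED;
        return Trust.ANONYMOUS;
    }

    // Low-risk read: remembered or authenticated Subjects pass.
    // Annotations are enforced only when Shiro's AOP integration is enabled.
    @RequiresUser
    public String greeting() {
        Subject s = SecurityUtils.getSubject();
        String mode = classify(s) == Trust.REMEMBERED ? " (remembered)" : "";
        return "Welcome back, " + s.getPrincipal() + mode;
    }

    // Sensitive write: identity must have been proven in this session, so a
    // Subject known only through remember-me is rejected.
    @RequiresAuthentication
    public void changeEmail(String newEmail) {
        Subject s = SecurityUtils.getSubject();
        requireAuthenticated(s); // defence in depth if AOP is not wired up
        emails.put(s.getPrincipal(), newEmail);
    }

    // Programmatic equivalent of the RequiresAuthentication check.
    static void requireAuthenticated(Subject s) {
        if (classify(s) != Trust.AUTHENTICATED) {
            throw new UnauthenticatedException(
                "Fresh login required; remember-me is not sufficient");
        }
    }
}
```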