Interface AuthenticationInfo

All Superinterfaces:
Serializable
All Known Subinterfaces:
Account, MergableAuthenticationInfo, SaltedAuthenticationInfo
All Known Implementing Classes:
SimpleAccount, SimpleAuthenticationInfo
public interface AuthenticationInfo extends Serializable
AuthenticationInfo represents a Subject's (aka user's) stored account information relevant to the authentication/log-in process only.

It is important to understand the difference between this interface and the AuthenticationToken interface. AuthenticationInfo implementations represent already-verified and stored account data, whereas an AuthenticationToken represents data submitted for any given login attempt (which may or may not successfully match the verified and stored account AuthenticationInfo).

Because the act of authentication (log-in) is orthogonal to authorization (access control), this interface is intended to represent only the account data needed by Shiro during an authentication attempt. Shiro also has a parallel AuthorizationInfo interface for use during the authorization process that references access control data such as roles and permissions.

But because many if not most Realms store both sets of data for a Subject, it might be convenient for a Realm implementation to utilize an implementation of the Account interface instead, which is a convenience interface that combines both AuthenticationInfo and AuthorizationInfo. Whether you choose to implement these two interfaces separately or implement the one Account interface for a given Realm is entirely based on your application's needs or your preferences.

Please note: Since Shiro sometimes logs authentication operations, please ensure your AuthenticationInfo's toString() implementation does not print out account credentials (password, etc.), as these might be viewable to someone reading your logs. This is good practice anyway, and account credentials should rarely (if ever) be printed out for any reason. If you're using Shiro's default implementations of this interface, they only ever print the account principals, so you do not need to do anything additional.

Since:
0.9
See Also:

  • Method Summary

    Modifier and Type
    Method
    Description
    Object
    getCredentials()
    Returns the credentials associated with the corresponding Subject.
    PrincipalCollection
    getPrincipals()
    Returns all principals associated with the corresponding Subject.

  • Method Details

    • getPrincipals

      PrincipalCollection getPrincipals()
      Returns all principals associated with the corresponding Subject. Each principal is an identifying piece of information useful to the application such as a username, or user id, a given name, etc. - anything useful to the application to identify the current Subject.

      The returned PrincipalCollection should not contain any credentials used to verify principals, such as passwords, private keys, etc. Those should be instead returned by getCredentials().

      Returns:
      all principals associated with the corresponding Subject.

    • getCredentials

      Object getCredentials()
      Returns the credentials associated with the corresponding Subject. A credential verifies one or more of the principals associated with the Subject, such as a password or private key. Credentials are used by Shiro particularly during the authentication process to ensure that submitted credentials during a login attempt match exactly the credentials here in the AuthenticationInfo instance.
      Returns:
      the credentials associated with the corresponding Subject.