Requires the current Subject to be an application user for the annotated class/instance/method to be accessed or invoked. This is less restrictive than the RequiresAuthentication annotation.

Shiro defines a "user" as a Subject that is either "remembered" or authenticated:

- An authenticated user is a Subject that has successfully logged in (proven their identity) during their current session.
- A remembered user is any Subject that has proven their identity at least once, although not necessarily during their current session, and asked the system to remember them.

See the RememberMeAuthenticationToken JavaDoc for an explanation of why these two states are considered different.
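
The difference between the two annotations, as an added example that is not part of Shiro's own documentation or code: the AccountService class, its methods and its in-memory map are hypothetical, and the annotations take effect only when Shiro's annotation support (for example its Spring, Guice or AspectJ integration) intercepts the call.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.apache.shiro.subject.Subject;

// Hypothetical service used only to illustrate the two annotations.
public class AccountService {

    // Constructed in-memory store standing in for a real user database.
    private final Map<Object, String> emails = new ConcurrentHashMap<>();

    // Remembered OR authenticated Subjects pass; an anonymous Subject is
    // rejected before the method body runs. Suitable for personalization.
    @RequiresUser
    public String greeting() {
        Subject subject = SecurityUtils.getSubject();
        return "Welcome back, " + subject.getPrincipal();
    }

    // Only a Subject that logged in during the current session passes.
    // A Subject that is merely remembered is rejected, so account changes
    // cannot be made on the strength of a remember-me identity alone.
    @RequiresAuthentication
    public void changeEmail(String newEmail) {
        Subject subject = SecurityUtils.getSubject();
        emails.put(subject.getPrincipal(), newEmail);
    }

    // Programmatic view of the states described above.
    public static String describe(Subject subject) {
        if (subject.isAuthenticated()) {
            return "authenticated"; // proved identity in this session
        }
        if (subject.isRemembered()) {
            return "remembered";    // identity known from an earlier session
        }
        return "anonymous";         // no identity at all
    }

    // Mirrors the definition of a "user": remembered or authenticated.
    public static boolean isUser(Subject subject) {
        return subject.isAuthenticated() || subject.isRemembered();
    }
}
```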