As I understand it, Apache Shiro distinguishes two types of authentication:
subject.isAuthenticated()
= the subject input credentials during this session
subject.isRemembered()
= the subject is remembered from a previous session.
Due to the nature of these definitions, either one, or both, can be true.
For an app where security is not a top concern (i.e. I'm not worried about the chance that someone might do something while only being remembered from a past session, and not having authenticated), is it acceptable to just use

    boolean auth = sub.isAuthenticated() || sub.isRemembered();

to check if a user is logged in? If not, what's a better way?
Remembered != Authenticated - This is key.
For your application, don't check either one; just check for a permission or role instead. If in the future you don't want to allow remember-me, you can just disable it via a configuration line.
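The approach the answer recommends, as an added example that is not part of the question or the answer: the authorization decision is a permission check, so it works the same whether the subject is authenticated, only remembered, or neither. The realm is built in memory so nothing external is needed beyond shiro-core on the classpath; the user names, passwords, roles and permission strings are made up for the example. The deleteReport method goes one step further than the answer and also requires a fresh login for a destructive action, which is the usual way to apply "Remembered != Authenticated" without sprinkling login-state checks through every read path.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

/**
 * Added example, not code from the original post: authorize by permission
 * instead of by isAuthenticated()/isRemembered(). Assumes shiro-core on the
 * classpath; users, passwords, roles and permissions below are invented.
 */
public class PermissionCheckExample {

    /** Builds an in-memory realm so the example runs without a shiro.ini file. */
    static DefaultSecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        // [users] format: username = password, role1, role2, ...
        users.put("alice", "alice-secret, reader");
        users.put("bob", "bob-secret, admin");
        Ini.Section roles = ini.addSection(IniRealm.ROLES_SECTION_NAME);
        // [roles] format: role = permission1, permission2, ...
        roles.put("reader", "report:read");
        roles.put("admin", "report:*");
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    /** Reads a report. The gate is a permission check, not a login-state check. */
    static String readReport(Subject subject, String reportId) {
        // Throws an AuthorizationException subclass for an anonymous subject
        // (UnauthenticatedException) and for a known subject lacking the
        // permission (UnauthorizedException); remembered-only users with the
        // permission pass, which is what remember-me is for.
        subject.checkPermission("report:read");
        return "report " + reportId + " for " + subject.getPrincipal();
    }

    /** Deletes a report. Destructive action: require the permission and a fresh login. */
    static void deleteReport(Subject subject, String reportId) {
        subject.checkPermission("report:delete");
        if (!subject.isAuthenticated()) {
            // A remembered identity is enough to read, not enough to destroy.
            throw new AuthorizationException("re-authentication required");
        }
        System.out.println("deleted " + reportId);
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject subject = SecurityUtils.getSubject();

        // Anonymous: no permission, so the call fails regardless of remember-me state.
        try {
            readReport(subject, "42");
        } catch (AuthorizationException e) {
            System.out.println("anonymous denied: " + e.getClass().getSimpleName());
        }

        // rememberMe=true on the token. In a web app with a RememberMeManager this is
        // what makes a later session report isRemembered()==true; the plain
        // DefaultSecurityManager used here has no RememberMeManager, so the flag is inert.
        subject.login(new UsernamePasswordToken("alice", "alice-secret", true));
        System.out.println(readReport(subject, "42"));   // reader has report:read
        try {
            deleteReport(subject, "42");                   // reader lacks report:delete
        } catch (AuthorizationException e) {
            System.out.println("alice cannot delete: " + e.getClass().getSimpleName());
        }
        subject.logout();

        subject.login(new UsernamePasswordToken("bob", "bob-secret"));
        deleteReport(subject, "42");                       // admin has report:* and just logged in
        subject.logout();
    }
}
```

Because the service methods only ask "is this subject permitted?", turning remember-me off later changes nothing in the application code: a subject that is no longer remembered simply arrives anonymous and fails the same permission check.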