When is that method 'allowed' to be called? That is, does a Shiro end-user write this:
    subject.assumeIdentity(anotherSubject);
Or would we expect them to write the following (where they maintain
when it is 'legal' to call the method):
    if ( subject.isPermitted("identity:assume") ) {
        subject.assumeIdentity(anotherSubject);
    } else {
        throw new UnauthorizedException(...);
    }
?
- Les
