Hi, I just faced this strange situation, and I'm mostly sure Shiro should behave differently... at least I hope it can.
My application is Spring based. A parent application context contains all business and DAO objects, with Shiro role annotations on the business methods. Linked to this parent there is a WAR context with my secured application; it uses Spring MVC, the Shiro URL filter, and JDBC-based authentication and authorization, and it works perfectly (protects URLs, requires login when not authenticated, blocks unauthorized access to both URLs and business methods).

Now I needed to access the same parent context from another WAR context. This context is Servlet based (no Spring MVC), and I only needed a couple of beans in only one Servlet, so I didn't use IoC and retrieved the beans manually. Think of it as a public website, using some beans to list non-critical and/or public data, or to store contact requests submitted through a contact form. I used the sample from the following site for this parent context: http://blog.springsource.com/2007/06/11/using-a-shared-parent-application-context-in-a-multi-war-spring-application/

My code to access the parent container is this (I just got it working, and I don't know whether this is a nice way to do it):

    BeanFactoryLocator bfl = ContextSingletonBeanFactoryLocator.getInstance();
    BeanFactoryReference bfr = bfl.useBeanFactory("myAppParentContext");
    BeanFactory bf = bfr.getFactory();
    MyService bean = (MyService) bf.getBean("myBean");
    Object x = bean.someMethodThatRequireRoles();

The service:

    public interface MyService {
        ...
        @RequiresRoles(value = "someRole")
        public Object someMethodThatRequireRoles() {...}
    }

The issue is that any method accessed in these beans from the second (public site) context does not perform any kind of security check. I accessed role-restricted methods in my business beans, and no exception was thrown. I also checked, and they are the same bean objects used by my secure first context; also, I was not logged in to provide authorization, and the role-checking methods in AuthorizingRealm were never invoked.
I don't know why this is happening but I'd not like to leave it as it is. Is this a known scenario? How can I enable the security checks? If any other info/code is needed to understand this, just ask me and I'll post it ASAP. Thanks!
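For reference, Shiro's annotation-based checks in a Spring setup are enforced by an AOP advisor (AuthorizationAttributeSourceAdvisor, applied through a DefaultAdvisorAutoProxyCreator), so they only run when the caller goes through the proxied bean. An explicit check inside the method body does not depend on that proxy. The following is an added example written for this thread, not code from the original post or from the Shiro project: it assumes a hypothetical ReportService and uses a constructed in-memory IniRealm in place of the JDBC realm described above, to show that an anonymous caller is rejected while a logged-in subject holding the role gets through.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ExplicitRoleCheckDemo {

    // Hypothetical service (not from the original post). The role check is made
    // inside the method body, so it runs whether or not this instance is an AOP proxy.
    static class ReportService {
        public String loadSensitiveReport() {
            // Throws UnauthorizedException when the current subject lacks the role
            SecurityUtils.getSubject().checkRole("someRole");
            return "report-data";
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory realm standing in for the JDBC realm of the question:
        // one user "alice" with password "secret" holding role "someRole".
        Ini ini = new Ini();
        ini.addSection(IniRealm.USERS_SECTION_NAME).put("alice", "secret, someRole");
        ini.addSection(IniRealm.ROLES_SECTION_NAME).put("someRole", "report:read");
        IniRealm realm = new IniRealm(ini);

        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        ReportService service = new ReportService();

        // 1. No login on this thread: the situation in a plain servlet with no ShiroFilter.
        //    The explicit check rejects the call.
        try {
            service.loadSensitiveReport();
            System.out.println("UNEXPECTED: call succeeded without a login");
        } catch (UnauthorizedException e) {
            System.out.println("Blocked anonymous caller: " + e.getClass().getSimpleName());
        }

        // 2. Subject logged in with the required role: the call goes through.
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("Authorized caller got: " + service.loadSensitiveReport());
        subject.logout();
    }
}
```

Run it with shiro-core on the classpath; the first call prints "Blocked anonymous caller: UnauthorizedException" and the second prints the report data. The same pattern applies to a bean fetched manually from a parent context, where no Spring-managed proxy or thread-bound web Subject may be in place.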
