I agree that we should make this as efficient as possible, but I don't understand the comment about realms changing at runtime.
If you have more than one realm, and even if they don't change at runtime, you need to store each realm's name as well as each of its principals so you know from where they came. Many realm implementations depend on this. For example, inside the realm implementation:

    String myName = getName();
    Set myPrincipals = principals.fromRealm(myName);

Even the single-realm case needs to support that case so the Realm implementation still works. The PrincipalCollection#getRealmNames() still needs to work as expected also.

I guess in a single realm case, you could do some trickery where if there is only one realm, you look it up from the SecurityManager and assume that Realm name at runtime is the same one that was used when the cookie was created. Seems a little kludgy to me.

Regards,

Les
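The point made in the message above, as an added example that is not part of the original message and is not the project's own code: a JDK-only stand-in (the class `RealmTaggedPrincipals`, the cookie payload format and the realm names are all hypothetical) that keeps realm names through a cookie round trip, then shows the single-realm shortcut attributing a principal to whichever realm is configured at restore time.

```java
import java.util.*;

// Added illustration: JDK-only stand-in, not the real PrincipalCollection.
public class RealmTaggedPrincipals {
    // realm name -> principals contributed by that realm (insertion-ordered)
    private final Map<String, Set<String>> byRealm = new LinkedHashMap<>();

    void add(String principal, String realmName) {
        byRealm.computeIfAbsent(realmName, k -> new LinkedHashSet<>()).add(principal);
    }

    Set<String> fromRealm(String realmName) {
        return byRealm.getOrDefault(realmName, Collections.emptySet());
    }

    Set<String> getRealmNames() { return byRealm.keySet(); }

    // Constructed cookie payload that keeps provenance: "realmA=p1,p2;realmB=p3"
    String serialize() {
        StringJoiner out = new StringJoiner(";");
        byRealm.forEach((realm, ps) -> out.add(realm + "=" + String.join(",", ps)));
        return out.toString();
    }

    static RealmTaggedPrincipals deserialize(String payload) {
        RealmTaggedPrincipals pc = new RealmTaggedPrincipals();
        for (String entry : payload.split(";")) {
            String[] kv = entry.split("=", 2);
            for (String p : kv[1].split(",")) pc.add(p, kv[0]);
        }
        return pc;
    }

    public static void main(String[] args) {
        RealmTaggedPrincipals pc = new RealmTaggedPrincipals();
        pc.add("jsmith", "ldapRealm"); // constructed sample values
        pc.add("42", "jdbcRealm");
        RealmTaggedPrincipals restored = deserialize(pc.serialize());
        // After the round trip each realm still finds only its own principals.
        System.out.println(restored.fromRealm("jdbcRealm") + " " + restored.getRealmNames());

        // Single-realm shortcut: the cookie holds the bare principal, and the
        // realm name is filled in from whatever realm is configured right now.
        String bareCookie = "jsmith";        // was issued by "ldapRealm"
        String currentRealm = "jdbcRealm";   // assumed configuration at restore time
        RealmTaggedPrincipals guessed = new RealmTaggedPrincipals();
        guessed.add(bareCookie, currentRealm);
        // Provenance is now an assumption, not a recorded fact.
        System.out.println(guessed.getRealmNames() + " " + guessed.fromRealm("ldapRealm"));
    }
}
```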
