Both Jared's and Phil's suggestions are the appropriate solutions: If
you're trying to access that company ID (e.g. tenant id) just for
access control behavior, it would make sense to represent that company
ID in a permission. However, if you'd like to access that ID for
other reasons as well, adding it to the PrincipalCollection returned
by your Realm is the way to go. Principals are just 'identifying
attributes' of a Subject - they can be whatever you want. Or you can
use both techniques, depending on your needs.

By convention though, just make sure that the first principal in the
collection is your Subject/User's 'primary' principal - usually an
application-unique user id or email or username or something like
that.

In upcoming versions of Shiro, the PrincipalCollection will very
likely become a PrincipalMap (a sub-interface probably to retain
backwards compatibility). Then you'll be able to do things like this:

    subject.getPrincipals().get("companyId") --> companyId

or, for example, if using Groovy: subject.principals.companyId (pretty slick)

I've already made some progress on this, and would love any
feedback if anyone wants to take a peek (it's in trunk only and isn't
supported anywhere yet):

https://svn.apache.org/repos/asf/shiro/trunk/core/src/main/java/org/apache/shiro/subject/PrincipalMap.java
https://svn.apache.org/repos/asf/shiro/trunk/core/src/main/java/org/apache/shiro/subject/SimplePrincipalMap.java
(please direct comments to the dev list if you'd like to discuss the
above two concepts).
Cheers,
--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
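
Both techniques from the message above, combined in one Realm, as an added example that is not part of the original message or of Shiro's own code. The class names `TenantRealm` and `CompanyId`, the account `jsmith`, the company id 42 and the `company:<id>:*` permission layout are assumptions made for illustration.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/** Hypothetical realm that carries the company (tenant) id as a second principal. */
public class TenantRealm extends AuthorizingRealm {

    /** Typed wrapper so the id is looked up by type, never by position in the collection. */
    public static final class CompanyId implements java.io.Serializable {
        public final long value;
        public CompanyId(long value) { this.value = value; }
        @Override public String toString() { return Long.toString(value); }
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        // Constructed sample account; a real realm reads the stored credential
        // and the company id from its own user store, never from the request.
        if (!"jsmith".equals(username)) {
            throw new UnknownAccountException("No account for " + username);
        }
        SimplePrincipalCollection principals = new SimplePrincipalCollection();
        principals.add(username, getName());            // first entry = primary principal
        principals.add(new CompanyId(42L), getName());  // additional identifying attribute
        return new SimpleAuthenticationInfo(principals, "constructed-sample-password");
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        CompanyId company = principals.oneByType(CompanyId.class);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (company != null) {
            // Company id expressed as a permission: access checks stay scoped
            // to the subject's own company without the caller handling the id.
            info.addStringPermission("company:" + company.value + ":*");
        }
        return info;
    }
}
```

After login, `subject.getPrincipals().oneByType(TenantRealm.CompanyId.class)` returns the id for non-authorization uses, and `subject.isPermitted("company:42:read")` is true only for a subject whose company id is 42.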