> Shiro defines a principal as "an identifying attribute of a Subject".
> For example, username, user ID, etc. These are all attributes or
> "properties" if you like. A principal is expected to be a pointer to
> data and not expected to be an actual complex object itself. The
> reason for this is twofold:
>
> 1. Shiro will (optionally) encrypt and serialize a Subject's
> PrincipalCollection (and therefore all of the principals it contains)
> and store this byte array as the "rememberMe" cookie for remember me
> services (if you use RememberMe). The bigger the principal
> collection, the bigger performance impact it would have on your app in
> serializing/deserializing.
I should have added a #3 to this list, but did talk about it later in my reply: Sessions.

If using Sessions, this same serialization is performed if a session is serialized because the PrincipalCollection is stored as a session attribute. The fewer principals and the more lightweight they are, the better this will be for application performance (which is true of any data that might be stored in a session).

Cheers,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
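To make the cost discussed in this thread concrete, here is an added example (not code from Shiro or from the thread) that serializes a Shiro `SimplePrincipalCollection` the way RememberMe and session storage must, once with a lightweight String user ID as the principal and once with a whole domain object. `UserProfile`, `PrincipalSizeDemo` and the realm name `demoRealm` are hypothetical; `SimplePrincipalCollection` and `PrincipalCollection` are Shiro's real classes.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/** Hypothetical "heavy" domain object, constructed for this example only. */
class UserProfile implements Serializable {
    private static final long serialVersionUID = 1L;
    final String username;
    final List<String> roles = new ArrayList<>();
    final String bio;
    UserProfile(String username, String bio) { this.username = username; this.bio = bio; }
}

public class PrincipalSizeDemo {
    static final String REALM = "demoRealm";   // assumed realm name

    /** Java-serialize the collection, as RememberMe and session persistence do, and return the byte count. */
    static int serializedSize(PrincipalCollection principals) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(principals);
        }
        return buf.size();
    }

    public static void main(String[] args) throws IOException {
        // Lightweight principal: only the identifying attribute (a user ID) is stored.
        PrincipalCollection light = new SimplePrincipalCollection("user-42", REALM);

        // Heavy principal: the entire profile, roles and free text included, rides along
        // in every rememberMe cookie and every serialized session.
        UserProfile profile = new UserProfile("user-42", "A long free-text biography. ".repeat(20));
        for (int i = 0; i < 50; i++) profile.roles.add("role-" + i);
        PrincipalCollection heavy = new SimplePrincipalCollection(profile, REALM);

        System.out.println("light principal bytes: " + serializedSize(light));
        System.out.println("heavy principal bytes: " + serializedSize(heavy));

        // With the lightweight form, the application resolves the rest on demand,
        // e.g. a repository lookup by ID (hypothetical, not shown here).
        String userId = (String) light.getPrimaryPrincipal();
        System.out.println("resolve profile for: " + userId);
    }
}
```

Run it against a Shiro core jar on the classpath; the second size is what every cookie round-trip and session serialization would carry if the full object were used as the principal.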
