AuthorizationInfo is something used to simplify the AuthorizingRealm's
implementation of the Authorizer interface:

http://shiro.apache.org/static/current/apidocs/org/apache/shiro/authz/Authorizer.html

The Authorizer API does not support result operations on purpose (i.e.
given user X, show me all of their Groups or Permissions).

The reason is that, depending on an application's security data
sources, a subject could potentially have hundreds, thousands, or even
hundreds of thousands of permissions depending on how many groups are
assigned to a Subject and how many permissions are in those various
groups.

To impose a result API on Realms could be difficult for many Realms
and/or cause large inefficiencies with the underlying data store.  It
is typically better to query the Realm's datasource directly for such
result-oriented questions.

The simpler (albeit slightly less convenient) yes/no Authorizer
operations ensure that authorization operations can be supported
regardless of the datasource.

The AuthorizingRealm subclass tries to make things more convenient
using the AuthorizationInfo concept, but it is not required (i.e.
Realm authors can implement the Authorizer methods directly depending
on their needs).

I hope that helps give some insight as to why things are the way they are!

But, if you have any ideas or suggestions that you think might make
things easier/better, please capture them in a Jira issue as
recommended by Manoj - this is definitely the best way to get things
on our radar.

Cheers,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Mon, Oct 31, 2011 at 6:46 PM, Pham Tran Quoc Viet
<[email protected]> wrote:
> Manoj,
> Returning AuthorizationInfo object would be fine too because it has methods
> to get roles and permissions. I imagine it would not take long to add this
> method. Any ideas when the Shiro's author plans to add this? Thanks.
>
> On Mon, Oct 31, 2011 at 10:52 AM, Manoj Khangaonkar <[email protected]>
> wrote:
>>
>> Hi Pham,
>>
>> You will need to write DAO classes/interfaces that go directly to your
>> repository or cache and return the data to your UI.
>>
>> It would be useful for the Shiro framework to add, say, a getPermissions
>> method to maybe the Subject interface. Something like
>>
>> List<Permission> lp = subject.getPermissions()
>>
>> But it is currently not there.
>>
>> In my experience, it is necessary to partition permissions based on
>> context. So something like
>>
>> List<Permission> lp = subject.getPermissions(context)
>>
>> would be even better.
>>
>> Manoj
>>
>> On Mon, Oct 31, 2011 at 6:16 AM, Pham Tran Quoc Viet
>> <[email protected]> wrote:
>> > Manoj,
>> > I figured that out after I sent the email. Thank you so much for still
>> > answering my stupid question.
>> > I hope this question is not as stupid:
>> > My application is GXT-based, a framework built on top of GWT. After
>> > authentication, I need to gather a list of roles and permissions, which
>> > come out of the database, and return it to the client code so that it can
>> > determine what menu to display. One of the Google search results shows
>> > that there is no way for me to do that because the Subject class does not
>> > have any method to deal with it. I wonder what is the cleanest way to do
>> > this? I was thinking of instantiating an object of my custom realm and
>> > calling the doGetAuthorizationInfo method. Use session instead? Your
>> > thoughts are greatly appreciated.
>> > Thanks.
>> >
>> > On Sun, Oct 30, 2011 at 7:40 PM, Manoj Khangaonkar
>> > <[email protected]>
>> > wrote:
>> >>
>> >> subject.isAuthenticated()
>> >>
>> >> -- Manoj
>> >>
>> >> On Sat, Oct 29, 2011 at 10:31 AM, Pham Tran Quoc Viet
>> >> <[email protected]> wrote:
>> >> > Thanks. I got it working.
>> >> > Upon posting back, how do I check the fact that the user has been
>> >> > logged in?
>> >> > Thanks.
>> >> >
>> >> > On Fri, Oct 28, 2011 at 11:35 AM, Manoj Khangaonkar
>> >> > <[email protected]>
>> >> > wrote:
>> >> >>
>> >> >> See the Shiro documentation on how to turn on caching.
>> >> >>
>> >> >> When caching is turned on, the Realm methods will not get called
>> >> >> every time.
>> >> >>
>> >> >> Manoj
>> >> >>
>> >> >> On Fri, Oct 28, 2011 at 6:11 AM, Pham Tran Quoc Viet
>> >> >> <[email protected]> wrote:
>> >> >> > Hi All,
>> >> >> > I have two questions:
>> >> >> > 1) How do I initialize both authentication and authorization at the
>> >> >> > time of log-in? I want to do this to avoid querying the db twice (once
>> >> >> > for authentication and once for authorization). Any sample code would
>> >> >> > be the easiest to get me started.
>> >> >> > 2) Each time I call currentUser.login() (just for testing purposes, as
>> >> >> > multiple logins do not happen in real life), doGetAuthenticationInfo
>> >> >> > is called. As a result, the db is queried. Each time I call
>> >> >> > currentUser.hasRole(), doGetAuthorizationInfo is then called. As a
>> >> >> > result, the db is queried again. How do I avoid these repeated db
>> >> >> > queries?
>> >> >> > Thanks.
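The pattern Les and Manoj describe above (a custom AuthorizingRealm that builds an AuthorizationInfo for Shiro's yes/no checks, plus a separate DAO that the UI queries directly for the "list all roles and permissions" question) put into code. This is an added example, not code from the thread or from the Shiro project. `AccountDao`, `DaoBackedRealm` and `menuPermissionsFor` are hypothetical names, the account data is constructed inline, and the realm assumes a `CacheManager` has been configured on the SecurityManager so that the DAO is not hit on every `hasRole()` call (Java 7+, Shiro 1.x API).

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical stand-in for the application's own repository; data is constructed. */
final class AccountDao {
    // username -> stored credential (kept as a plain string only to keep the example short;
    // a real DAO would return a salted hash for the configured CredentialsMatcher)
    private final Map<String, String> credentials = new HashMap<String, String>();
    private final Map<String, Set<String>> userRoles = new HashMap<String, Set<String>>();
    private final Map<String, Set<String>> rolePermissions = new HashMap<String, Set<String>>();

    AccountDao() {
        credentials.put("alice", "s3cret");
        userRoles.put("alice", new HashSet<String>(Arrays.asList("editor")));
        rolePermissions.put("editor",
                new HashSet<String>(Arrays.asList("document:read", "document:write")));
    }

    String credentialFor(String username) { return credentials.get(username); }

    Set<String> rolesFor(String username) {
        Set<String> roles = userRoles.get(username);
        return roles == null ? Collections.<String>emptySet() : roles;
    }

    /** The result-oriented query Les recommends answering at the datasource, not via Subject. */
    Set<String> permissionsFor(String username) {
        Set<String> out = new HashSet<String>();
        for (String role : rolesFor(username)) {
            Set<String> perms = rolePermissions.get(role);
            if (perms != null) out.addAll(perms);
        }
        return out;
    }
}

public class DaoBackedRealm extends AuthorizingRealm {
    private final AccountDao dao;

    public DaoBackedRealm(AccountDao dao) {
        this.dao = dao;
        // With a CacheManager configured, Shiro caches the AuthorizationInfo per principal,
        // so hasRole()/isPermitted() stop calling doGetAuthorizationInfo on every check.
        setCachingEnabled(true);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        String stored = dao.credentialFor(username);
        if (stored == null) {
            throw new UnknownAccountException("No account for " + username);
        }
        // Shiro's CredentialsMatcher compares the submitted password against 'stored'.
        return new SimpleAuthenticationInfo(username, stored, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        // One DAO round-trip builds everything Shiro needs for its yes/no answers.
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(dao.rolesFor(username));
        info.addStringPermissions(dao.permissionsFor(username));
        return info;
    }

    /** UI-side helper: "what can this user do?" is answered by the DAO, not by Subject. */
    public static Set<String> menuPermissionsFor(Subject subject, AccountDao dao) {
        if (!subject.isAuthenticated()) {
            return Collections.<String>emptySet();
        }
        return dao.permissionsFor((String) subject.getPrincipal());
    }
}
```

The realm keeps Shiro's contract (it only ever answers `hasRole`/`isPermitted`), while the menu-building code calls `AccountDao.permissionsFor` directly, which is the approach both Les and Manoj recommend instead of instantiating the realm and calling `doGetAuthorizationInfo` yourself.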
