Based on what I've read in the documentation about PrincipalCollections, they should be able to accept multiple identical elements; however, I discovered that this was not the case. Based on what I could see of the Shiro code, it looked like it should work because everything underneath was Lists, but it did not.
As background, I have my own Realm implementation, where I overrode the doGetAuthenticationInfo and getPasswordForUser methods. My doGetAuthenticationInfo returns a SimpleAuthenticationInfo instance, which I create using a PrincipalCollection, pwd, and realm name. For a number of reasons I won't go into here, my PrincipalCollection had two elements, a username as their primary Principal (which was the user's email) and their internal ID (an integer). I previously could add those to the PrincipalCollection, and later on when I needed to access them, everything worked fine when I pulled those Principals back out from a Subject.

I was adding in authorization to the app, and given that a user's role never really changes and my roles are really simple, I was going to use the same approach to putting in the role in the PrincipalCollection, rather than implementing the Authorization code in Shiro (primarily to avoid the DB hits every time I was checking authorization). The role ID is also an integer. Through a complete fluke, both my user ID and the role ID I was testing out were the same (2).

When I implemented the above changes in my code, it would not work at the point where I was pulling the Principals back out from the Subject, giving me an error that the Iterator didn't have a 3rd element to it. After lacing the code with debug statements, I could verify that everything was working except when I went to pull it back out. I even tested the PrincipalCollection.add return result to verify that it was true for the 3rd element. Shiro itself logs the following, though, and this was most interesting:

DEBUG org.apache.shiro.realm.AuthenticatingRealm .getAuthenticationInfo:569 - Looked up AuthenticationInfo [email_address_redacted,2] from doGetAuthenticationInfo

This section of code logs the PrincipalCollection, and it was obvious that it only had 2 elements, despite me putting three in.
I then proceeded to change the third element to be a string, which I knew wouldn't conflict with either of the first two, on the hunch that it was not allowing the duplicate 2's to go in. Sure enough, after I did this it worked fine, and the log showed the three elements.

Anyway, I thought I'd pass this along, as it doesn't seem to work as documented. I got mine to work, but this seems to be either a bug or something that should be clarified in the documentation.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/PrincipalCollection-not-allowing-duplicate-elements-tp7577521.html
Sent from the Shiro User mailing list archive at Nabble.com.
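
An added example, not code from the original post or from the Shiro project: it reproduces the collapse described above with Shiro's SimplePrincipalCollection, which keeps each realm's principals in a set, and shows one way to avoid it by wrapping the IDs in distinct types and reading them back with oneByType instead of by iterator position. The UserId and RoleId records, the realm name and the sample values are assumptions made for illustration.

```java
import java.io.Serializable;
import java.util.List;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class PrincipalDedupDemo {
    // Hypothetical wrapper types (not part of Shiro). Two different record
    // classes never compare equal, so UserId(2) and RoleId(2) are both kept.
    // Serializable so the principals can live in a serialized session.
    record UserId(int value) implements Serializable {}
    record RoleId(int value) implements Serializable {}

    static final String REALM = "exampleRealm"; // constructed realm name

    // The layout from the post: email, user ID, role ID, all for one realm.
    static SimplePrincipalCollection rawPrincipals(int userId, int roleId) {
        SimplePrincipalCollection pc = new SimplePrincipalCollection();
        pc.add("user@example.com", REALM); // constructed sample address
        pc.add(userId, REALM);             // boxed to Integer
        pc.add(roleId, REALM);             // equal Integer is silently dropped
        return pc;
    }

    // Same data, but each ID carries its meaning in its type.
    static SimplePrincipalCollection typedPrincipals(int userId, int roleId) {
        SimplePrincipalCollection pc = new SimplePrincipalCollection();
        pc.add("user@example.com", REALM);
        pc.add(new UserId(userId), REALM);
        pc.add(new RoleId(roleId), REALM);
        return pc;
    }

    public static void main(String[] args) {
        // Positional access: the list is one element short when the IDs match,
        // so reading a third element from an iterator fails.
        List<?> raw = rawPrincipals(2, 2).asList();
        System.out.println("raw principals:   " + raw);

        // Typed access: lookups do not depend on position or on value clashes.
        SimplePrincipalCollection typed = typedPrincipals(2, 2);
        UserId uid = typed.oneByType(UserId.class);
        RoleId rid = typed.oneByType(RoleId.class);
        System.out.println("typed principals: " + typed.asList());
        System.out.println("user id = " + uid.value() + ", role id = " + rid.value());

        // Fail closed if either identity attribute is missing.
        if (uid == null || rid == null) {
            throw new IllegalStateException("principal missing, refusing to authorize");
        }
    }
}
```

Records need Java 16 or later, and shiro-core must be on the classpath; on older Java versions a small final class with equals and hashCode serves the same purpose.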
