I still believe that for a single realm this isn't the case, as stated in the javadoc for the code you referenced:

"If only one realm is configured (this is often the case for most applications), authentication success is naturally only dependent upon invoking this one Realm's org.apache.shiro.realm.Realm.getAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) method."

What I don't understand is how overriding the doGetAuthenticationInfo affects this call chain. But I do agree that even the code for the single realm authentication throws only an AuthenticationException. And that getAuthenticationInfo method is final, so overriding it isn't possible. Too hard to create a simple exception strategy, IMO.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/ExcessiveAttemptsException-How-to-configure-tp4534742p7580598.html
Sent from the Shiro User mailing list archive at Nabble.com.
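
The single-realm call chain discussed in this message, as an added example that is not part of the original post and is not Shiro project code: a realm whose overridden doGetAuthenticationInfo throws ExcessiveAttemptsException, logged in through a security manager with only that realm configured. The class names, the account "alice", its password and the failure threshold are hypothetical, constructed for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.shiro.authc.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;

public class LockoutRealmDemo {
    // Hypothetical realm: one constructed account, locked after MAX_FAILURES bad passwords.
    static class LockoutRealm extends AuthenticatingRealm {
        static final int MAX_FAILURES = 3; // assumed threshold
        private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();

        @Override // called from the final getAuthenticationInfo(token)
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = (String) token.getPrincipal();
            AtomicInteger n = failures.get(user);
            if (n != null && n.get() >= MAX_FAILURES) {
                throw new ExcessiveAttemptsException("account locked: " + user);
            }
            if (!"alice".equals(user)) throw new UnknownAccountException(user);
            return new SimpleAuthenticationInfo(user, "constructed-password", getName());
        }

        @Override // the credential comparison runs after doGetAuthenticationInfo returns
        protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
            String user = (String) token.getPrincipal();
            try {
                super.assertCredentialsMatch(token, info);
                failures.remove(user); // successful login clears the counter
            } catch (IncorrectCredentialsException e) {
                failures.computeIfAbsent(user, k -> new AtomicInteger()).incrementAndGet();
                throw e;
            }
        }
    }

    public static void main(String[] args) {
        // Only one realm is configured, so the single-realm path is taken.
        DefaultSecurityManager sm = new DefaultSecurityManager(new LockoutRealm());
        for (int i = 1; i <= 4; i++) {
            Subject subject = new Subject.Builder(sm).buildSubject();
            try {
                subject.login(new UsernamePasswordToken("alice", "wrong"));
            } catch (AuthenticationException e) {
                // The caller can branch on the concrete subclass the realm threw.
                System.out.println("attempt " + i + ": " + e.getClass().getSimpleName());
            }
        }
    }
}
```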
