As it is, my authorizing realm cannot be used without an authentication realm.
It returns a hard-coded value of false in supports(AuthenticationToken
token) and expects an authenticatingRealm to place the username in the
PrincipalCollection for lookups in the database.

Hitting the database twice won't be a showstopper for me.  I was just trying
to confirm that I understood your suggestion correctly as I projected
forward all that would need to be done.

At the root, I'm simply trying to display in a footer of the web application
some context for the active user so that it is clear who they are logged in
as and what roles they have been granted.

If there was a Shiro API call that returned all of the roles granted by all
realms combined, that would be the end of this.  But it doesn't seem to
currently exist as far as I can tell.  I assume this to support realms that
do not obtain a full list at-login and instead handle each role/permission
check as needed.

Some user profile information is already being placed into the
PrincipalCollection by the authentication realm (pac4j casClient).  This
profile object
(https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/profile/UserProfile.java)
contains various user attributes from the authentication back-end including
roles that are assigned by that realm.  My application currently displays
this information on the footer.

However, my authorization realm doesn't have a way to add the roles that it
loads from a different database to the list of principals (for later display
on the footer).

I'll certainly look more into converting my authorizing realm into one with
a no-op authentication but this will require some explicit documentation to
ensure that it is always paired with an authenticating realm since on its
own, it would blindly accept all credentials.

Any other ideas would be helpful.

Thanks.




--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Principal-added-by-AuthorizingRealm-tp7581171p7581175.html
Sent from the Shiro User mailing list archive at Nabble.com.
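
The arrangement discussed in the message above, sketched as an added example (not code from the poster or from the Shiro project): an authorization-only realm that refuses to authenticate, plus a footer helper that asks every configured realm about a known list of role names. `RoleLookupRealm`, `roleStore` and `grantedRoles` are hypothetical names, and the in-memory map stands in for the separate role database.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Authorization-only realm: answers role lookups, never takes part in login. */
public class RoleLookupRealm extends AuthorizingRealm {
    // Hypothetical stand-in for the application's role database (username -> roles).
    private final Map<String, Set<String>> roleStore;

    public RoleLookupRealm(Map<String, Set<String>> roleStore) {
        this.roleStore = roleStore;
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return false; // no token type is accepted, so this realm cannot log anyone in
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        // Fail closed if a misconfiguration ever routes a login attempt here.
        throw new AuthenticationException("RoleLookupRealm does not authenticate");
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Assumption: the authenticating realm stored the username as a String principal.
        String username = principals.oneByType(String.class);
        Set<String> roles = username == null
                ? Collections.<String>emptySet()
                : roleStore.getOrDefault(username, Collections.<String>emptySet());
        return new SimpleAuthorizationInfo(new HashSet<>(roles));
    }

    /** Subset of candidate role names that any configured realm grants the subject. */
    public static List<String> grantedRoles(Subject subject, List<String> candidates) {
        boolean[] held = subject.hasRoles(candidates); // same order as candidates
        List<String> granted = new ArrayList<>();
        for (int i = 0; i < held.length; i++) {
            if (held[i]) {
                granted.add(candidates.get(i));
            }
        }
        return granted;
    }
}
```

The helper can only report roles whose names the application already knows, which matches the per-check model the message describes.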
