Sorry, please ignore my e-mail.

On Mon, 2025-09-22 at 07:36 +0700, Andreas Reichel wrote:
> Hi Lenny,
>
> thank you for prompt response. Maybe my understanding is just wrong.
>
> Example:
>
> realmBF.groupRolesMap = "CN=IFRS-Vbox Admin Burkina
> Faso,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_ADMIN", "CN=IFRS-Vbox Manager
> Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_MANAGER", "CN=IFRS-Vbox
> Officer Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_OFFICER",
> "CN=IFRS-Vbox Operator
> Cameroon,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_OPERATOR", "CN=IFRS-Vbox
> Reporter Cameroon,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_REPORTER",
> "CN=RISK-Vbox Admin Burkina
> Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_ADMIN", "CN=RISK-Vbox Manager
> Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_MANAGER", "CN=RISK-Vbox
> Officer Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_OFFICER",
> "CN=RISK-Vbox Operator Burkina
> Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_OPERATOR", "CN=RISK-Vbox Reporter
> Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_REPORTER"
> realmBF.ldapContextFactory = $contextFactory
> realmBF.searchBase = "OU=Users,OU=Burkina Faso,OU=International
> Countries,DC=xxxxx,DC=com"
>
> From what I can see, `boolean[] hasRoles(List<String>
> roleIdentifiers, AuthorizationInfo info)` will call `hasRole()` and
> this checks every single role of the map one by one, right?
> I can see nowhere that `getRoleNamesForUser()` was called?
>
> Best regards
> Andreas
>
> On Sun, 2025-09-21 at 19:30 -0500, [email protected] wrote:
> > Hmmm… as far as I can tell, hasRole() does only look up in a hash
> > map. Are you sure that has the performance implications you think
> > it does?
> > FYI I was just looking at the code, and I don’t see an issue there.
> >
> > > On Sep 21, 2025, at 5:12 PM, Andreas Reichel <andreas@manticore-projects.com> wrote:
> > >
> > > Greetings.
> > >
> > > I have a very complex Shiro Active Directory setup with 20 realms
> > > and each has a role map with 10 elements.
> > > Querying AD one by one takes long of course. And so I do wonder:
> > >
> > > 1) ActiveDirectoryRealm extends AuthorizingRealm
> > >
> > > 2) AuthorizingRealm provides the method
> > >
> > > protected boolean[] hasRoles(List<String> roleIdentifiers,
> > > AuthorizationInfo info)
> > >
> > > (Which still loops through one by one, calling `hasRole(roleName,
> > > info);`).
> > >
> > > 3) ActiveDirectoryRealm provides the method
> > >
> > > protected Set<String> getRoleNamesForUser(String username,
> > > LdapContext ldapContext)
> > >
> > > which fetches all the `memberOf` attribute values at once.
> > >
> > > 4) But as far as I can see, ActiveDirectoryRealm does not
> > > override hasRoles() to make use of getRoleNamesForUser() and I
> > > wonder why? Also,
> > >
> > > In case that is an oversight only, should I craft a PR?
> > >
> > > Thank you, best and cheers
> > > Andreas
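
Added example, not part of the thread and not Apache Shiro source: a stand-alone Java model of the behaviour discussed above, where the `memberOf` values are read once, mapped through a `groupRolesMap`-style table, and each `hasRole()` check is then only a set lookup. The class name `RoleLookupModel`, the query counter, the helper names and the sample DNs are assumptions made for illustration.

```java
import java.util.*;

// Simplified stand-alone model, not Apache Shiro source. Class and helper
// names are hypothetical; DNs, user name and role names are constructed samples.
public class RoleLookupModel {
    static int directoryQueries = 0;

    // Stands in for the single directory read that returns every memberOf value.
    static Set<String> fetchMemberOf(String username) {
        directoryQueries++;
        return Set.of("CN=IFRS-Vbox Admin Burkina Faso,OU=Groups,DC=example,DC=com",
                      "CN=Unmapped Group,OU=Groups,DC=example,DC=com");
    }

    // Translate group DNs to application roles through a groupRolesMap-style table.
    static Set<String> rolesFor(String username, Map<String, String> groupRolesMap) {
        Set<String> roles = new HashSet<>();
        for (String groupDn : fetchMemberOf(username)) {
            String role = groupRolesMap.get(groupDn);
            if (role != null) roles.add(role);   // groups without a mapping grant nothing
        }
        return roles;
    }

    // Per-role check: a set lookup on the already-resolved roles, no directory access.
    static boolean hasRole(String role, Set<String> resolved) {
        return resolved != null && resolved.contains(role);
    }

    static boolean[] hasRoles(List<String> roleIdentifiers, Set<String> resolved) {
        boolean[] result = new boolean[roleIdentifiers.size()];
        for (int i = 0; i < result.length; i++) {
            result[i] = hasRole(roleIdentifiers.get(i), resolved);
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, String> groupRolesMap = Map.of(
            "CN=IFRS-Vbox Admin Burkina Faso,OU=Groups,DC=example,DC=com", "IFRSBOX_BF_ADMIN",
            "CN=IFRS-Vbox Manager Burkina Faso,OU=Groups,DC=example,DC=com", "IFRSBOX_BF_MANAGER");
        Set<String> resolved = rolesFor("sample.user", groupRolesMap);   // one directory read
        boolean[] checks = hasRoles(
            List.of("IFRSBOX_BF_ADMIN", "IFRSBOX_BF_MANAGER", "RISKBOX_BF_ADMIN"), resolved);
        System.out.println(Arrays.toString(checks) + " directoryQueries=" + directoryQueries);
    }
}
```

In this model the cost of checking many roles is dominated by the one group read, so the number of entries in the role map does not multiply directory traffic.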
