shiro-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Les Hazlewood <>
Subject Re: Too many threads created when calling isPermitted()
Date Thu, 16 May 2013 16:43:40 GMT
It is expected that all available realms are configured on the
SecurityManager at application startup.  The SecurityManager will
coordinate the Realms (often through an Authenticator or Authorizer)
instance during authentication and authorization.

A Realm can choose to participate in an authentication attempt by
implementing the supports(AuthenticationToken) method.

A Realm can choose to participate in an authorization check by
returning null or false (depending on the method being called).  Also,
for AuthorizingRealm implementations (as most Realms are), you can, in
the doGetAuthorizationInfo method implementation, inspect the
PrincipalCollection argument.  If your realm recognizes the
PrincipalCollection, it can return an AuthorizationInfo instance.  If
it doesn't recognize it, it can return null.

The sequence for Realm authorization is covered here:

Also, I highly recommend seeing the AuthorizingRealm source code so
you can get a feel for how it works and what features there are that
you can leverage (e.g. authorization caching):

Les Hazlewood | @lhazlewood
CTO, Stormpath | | @goStormpath | 888.391.5282

On Wed, May 15, 2013 at 3:51 PM, ApacheNinja <> wrote:
> Hello,
> After further investigation I see the problem but I do not know why it is
> doing this.   I see the DefaultSecurityManager has an Authorizer object that
> has a list of realms.  We have 2 types of realm objects: A PortalRealm and a
> PortalBaselineRealm.   When the isPermitted() is called for a user, it
> should use the PortalRealm object.  However, running the debugger I see that
> there is 1 object in the realms list and it is a PortalBaseRealm.  It should
> be the PortalRealm.  This only started happening when changed the code to
> use one Security Manager.  This does not happen when I create a new Security
> Manager object each time I authenticate (the old way).  We are setting the
> realm on the Security Manager object via securityManager.setRealm(realm).
> Thank you for your help in advance.
> --
> View this message in context:
> Sent from the Shiro User mailing list archive at

View raw message