On Sep 15, 2009, at 1:18 PM, Les Hazlewood wrote:
Well, yes, it is up to interpretation, but that's ok - each Realm has
control over that already when it constructs the PrincipalCollection
that represents its own data.
By this statement do you mean that it does this by placing the
"primary" principal first in the collection?
But by our own convention, the 'primary' one is the first in the
collection (default behavior in all of our Realm implementations).
Our default Subject#getPrincipal() implementation assumes this - it
returns getPrincipals().iterator().next(); as the 'primary' one. But
our assumption is not as solid as I would like for such a key concept
in the API.
The new method would be even more helpful multi-Realm scenarios: when
one or more realms are consulted during login, everything gets merged
into one final aggregate PrincipalCollection. Again, we assume the
'primary' to be the first iterated element, which, in a multi-Realm
scenario, amounts to the first realm's first iterated element, which
is a heuristic.
That means if you want a universal identifier in your application -
Subject#getPrincipal() - you need to make sure that the Realm
responsible for that identifier is the first one in the Realm chain -
its not explicit at all and can be confusing when configuring your
Realms for the first time.
My thought is that adding the method
1. materializes something we already discuss frequently (which to me
means it probably should be represented in code somewhere) and
2. allows an end-user exact control over what the 'primary' principal
would be if they don't like our default heuristics.
By overriding PrincipalCollection.getPrimaryPrincipal(). Seems ok to
me.
My .02,
Les
On Tue, Sep 15, 2009 at 3:53 PM, Alan D. Cabrera
<[email protected]> wrote:
On Sep 15, 2009, at 12:22 PM, Les Hazlewood wrote:
I propose that we add a 'getPrimaryPrincipal()' method to the
PrincipalCollection interface.
We regularly talk about the 'primary' principal, and it is
referenced
in many applications, but you need to resort to less-than-ideal ways
of accessing it (see
https://svn.apache.org/repos/asf/incubator/shiro/trunk/core/src/main/java/org/apache/shiro/realm/AuthorizingRealm.java
- 'getAvailablePrincipal' - at the bottom of the file).
Most applications reference a single principal at runtime (e.g.
user/account ID), and I think it would clean up code.
Isn't what is thought of the primary principal up to different
interpretations? Some realms may want it one way and others another.
Regards,
Alan
