Hi Nassos,

If you're subclassing the AuthorizingRealm class, as it sounds like you are, Shiro will perform the permission checks for you already - just ensure your doGetAuthorizationInfo method returns an AuthorizationInfo instance (SimpleAuthorizationInfo is fine in most cases).

The doGetAuthorizationInfo method implementation is supposed to look up the Subject's roles and permissions pertinent to that particular Realm. For example:

    Collection thisRealmsPrincipals = principalCollection.fromRealm(getName());

Most of the time this collection will only have a single element - for example, a username, a Long user ID, etc. If so, you can simply call the 'getAvailablePrincipal(PrincipalCollection)' method in your subclass - read its JavaDoc to see what it does.

Based on that element, you can query your datasource for any and all roles and/or permissions assigned to them. Then you bundle this up in, say, a SimpleAuthorizationInfo instance and return it. The AuthorizingRealm superclass knows how to take that instance and use it to actually perform the permission checks.

Now, this exists as a convenience - most people don't want to inspect the permission or role arguments and want to have AuthorizingRealm take care of all the 'dirty work' automatically. You should probably use this approach (and use caching!) if you can as it will greatly simplify your work.

However, if you have specific requirements or you want full control over how the check occurs, you can override any of the org.apache.shiro.authz.Authorizer methods (all Realms extend this interface) and look at the method argument to do whatever you want.

Look at the AuthorizingRealm's source code [1] and you'll see exactly how this works - you can override whatever you want to do it your own way if you wish (look at the isPermitted(PrincipalCollection, String permission) method implementation as a starter).

Best regards,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

[1] http://svn.apache.org/repos/asf/shiro/trunk/core/src/main/java/org/apache/shiro/realm/AuthorizingRealm.java
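
The approach described in the message above, as an added example that is not part of the original e-mail or of Shiro's own code: a realm whose doGetAuthorizationInfo returns a SimpleAuthorizationInfo and leaves the actual check to AuthorizingRealm. The class name ExampleRealm, the in-memory maps standing in for the datasource, the sample users and the choice to leave login to another realm are all assumptions.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class ExampleRealm extends AuthorizingRealm {
    // Constructed sample data standing in for the real datasource (hypothetical).
    private static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("editor"));
    private static final Map<String, Set<String>> PERMISSIONS =
            Map.of("alice", Set.of("document:read", "document:edit"));

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // The principal attributed to this realm, or the primary principal as a fallback.
        Object principal = getAvailablePrincipal(principals);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (principal != null) {
            String username = principal.toString();
            // An unknown user gets an empty info object, so every check is denied.
            info.addRoles(ROLES.getOrDefault(username, Set.of()));
            info.addStringPermissions(PERMISSIONS.getOrDefault(username, Set.of()));
        }
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        // Assumption: another realm handles login; null means "no account here".
        return null;
    }

    public static void main(String[] args) {
        ExampleRealm realm = new ExampleRealm();
        PrincipalCollection alice = new SimplePrincipalCollection("alice", realm.getName());
        PrincipalCollection bob = new SimplePrincipalCollection("bob", realm.getName());
        // The superclass resolves the permission strings and performs the checks.
        System.out.println("alice document:edit   -> " + realm.isPermitted(alice, "document:edit"));
        System.out.println("alice document:delete -> " + realm.isPermitted(alice, "document:delete"));
        System.out.println("alice role editor     -> " + realm.hasRole(alice, "editor"));
        System.out.println("bob   document:read   -> " + realm.isPermitted(bob, "document:read"));
    }
}
```

Compile and run with shiro-core and its dependencies on the classpath; Map.of and Set.of need Java 9 or later.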
