I've added a RolePermissionResolver to my realm, but I still can't get another realm's roles to resolve the permissions.
Seems like the RolePermissionResolver will resolve permissions for the roles provided by the realm itself: AuthorizingRealm#resolveRolePermission() is the method that invokes the RolePermissionResolver. It is private and takes an AuthorizationInfo as an argument. The AuthorizationInfo instance is built by the realm itself from the PrincipalsCollection. So in fact, it will never contain roles from other realms. I don't see any way of looking up permissions in a custom realm for roles defined in another.

I'm fairly confident that my use-case is valid: LDAP authenticates users and provides principals (usernames and groups); users and groups are provided permissions in my custom realm. I thought I could map groups to roles in Shiro and look up permissions based on these, but Shiro treats roles as authorization tokens, not as principals (is this correct?).

Is a role a principal or a permission? I would think it's a principal since the use of a role is to provide permissions: either through ACL or through a containment check: isUserInRole().

Thanks,
Philippe

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-realms-and-roles-tp6178792p6184615.html
Sent from the Shiro User mailing list archive at Nabble.com.
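The arrangement described in the message above (LDAP supplies group principals, a custom realm grants them permissions), sketched as an added example that is not part of the original post or of Shiro's own code. It assumes the LDAP realm is registered as `ldapRealm` and adds one hypothetical `GroupPrincipal` per group to the PrincipalCollection; the group-to-permission map is constructed sample data.

```java
import java.io.Serializable;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Authorization-only realm granting permissions to groups supplied by another realm. */
public class GroupPermissionRealm extends AuthorizingRealm {
    /** Hypothetical principal type the LDAP realm would add for each group. */
    public static final class GroupPrincipal implements Serializable {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    // Assumption: the name the LDAP realm is registered under.
    private static final String LDAP_REALM_NAME = "ldapRealm";
    // Constructed sample mapping; a real realm would load it from its own store.
    private final Map<String, Set<String>> permissionsByGroup = Map.of(
            "admins", Set.of("document:*"),
            "readers", Set.of("document:read"));

    @Override
    public boolean supports(AuthenticationToken token) {
        return false; // this realm never authenticates; LDAP does
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null; // not reached, because supports() returns false
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Accept group principals only when the LDAP realm contributed them.
        for (Object principal : principals.fromRealm(LDAP_REALM_NAME)) {
            if (!(principal instanceof GroupPrincipal)) continue;
            String group = ((GroupPrincipal) principal).getName();
            Set<String> perms = permissionsByGroup.get(group);
            if (perms == null) continue; // unmapped group: grant nothing
            info.addRole(group);
            info.addStringPermissions(perms);
        }
        return info;
    }
}
```

Filtering with `fromRealm` and a dedicated principal type keeps a username that happens to look like a group name from being granted that group's permissions.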
