Thanks for your input! I used LDAP as an example, but this also applies to any other realm, such as IniRealm:

    [users]
    user=password,mygroup
    [roles]
    # no permissions defined here for mygroup (but there could be)

And I have another realm that hits a database for fetching permissions for 'mygroup'.

Why am I not setting a RolePermissionResolver on my IniRealm? Because I'm not the one writing this file. The file is left open to configuration by users. They are able to add other realms (LDAP, AD, whatever), but my application offers a custom realm for storing application-specific permissions for existing users and groups. I guess I'd need to tell them to add my RolePermissionResolver to their configured realm. To me, this sounds more like a workaround, but it would definitely work.

As for roles being principals, here's my take on it:

    PrincipalCollection->Roles (AuthorizingRealm)
    Role->Permissions (RolePermissionResolver)

and

    PrincipalCollection->Permissions (AuthorizingRealm)

The first 2 methods could be re-written as:

    PrincipalCollection->Roles->Permissions (AuthorizingRealm + RolePermissionResolver)

which, in a functional sense, should be equivalent to:

    PrincipalCollection->Permissions (AuthorizingRealm + RolePermissionResolver)

So, functionally, a set of roles really is equivalent to a set of principals, as we can derive permissions from both. If roles were part of the PrincipalCollection, then, as you mentioned, only a single method would ever be needed to resolve all permissions for a given set of principals:

    PrincipalCollection->Permissions (AuthorizingRealm)

Anyway, this won't change soon, so I'll make some modifications to "inject" my RolePermissionResolver into the user-configured realms.

Thanks again!
Philippe

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-realms-and-roles-tp6178792p6185062.html
Sent from the Shiro User mailing list archive at Nabble.com.
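One way to do the "injection" described in the message above, as an added example that is not the poster's code: a RolePermissionResolver backed by an application-owned store (a constructed in-memory map stands in for the database) and a helper that walks every realm registered on the RealmSecurityManager and sets the resolver on each AuthorizingRealm, so user-configured realms (IniRealm, LDAP, AD) resolve 'mygroup' to application permissions without the user editing their config. It assumes Shiro 1.x's AuthorizingRealm.setRolePermissionResolver and RealmSecurityManager.getRealms; the class and the sample role data are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;

/** Maps role names found by any realm to application-specific permissions. */
public class AppRolePermissionResolver implements RolePermissionResolver {

    // Constructed sample data; the real application reads this from its database.
    private final Map<String, List<String>> rolePermissions = new HashMap<>();

    public AppRolePermissionResolver() {
        rolePermissions.put("mygroup", Arrays.asList("document:read", "document:write:own"));
    }

    @Override
    public Collection<Permission> resolvePermissionsInRole(String roleString) {
        List<String> perms = rolePermissions.get(roleString);
        if (perms == null) {
            // A role the application knows nothing about grants no permissions.
            return Collections.emptySet();
        }
        List<Permission> result = new ArrayList<>();
        for (String p : perms) {
            result.add(new WildcardPermission(p));
        }
        return result;
    }

    /**
     * Attaches the resolver to every AuthorizingRealm the user configured.
     * AuthorizingRealm consults its RolePermissionResolver during isPermitted(),
     * so roles from an IniRealm or LDAP realm now carry the application's permissions.
     */
    public static void injectInto(RealmSecurityManager securityManager,
                                  RolePermissionResolver resolver) {
        for (Realm realm : securityManager.getRealms()) {
            if (realm instanceof AuthorizingRealm) {
                ((AuthorizingRealm) realm).setRolePermissionResolver(resolver);
            }
        }
    }
}
```

Call injectInto once after the SecurityManager is built (e.g. right after loading the user's INI), before any authorization check runs.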
