> What I have also noticed is that doGetAuthenticationInfo and
> doGetAuthorizationInfo make 2 separate calls to the user management system.
> What is the reason behind that? Shouldn't the second call be part of getting
> user info for authentication?

Hi Jack,

The reason for this is that the two concerns are orthogonal - I can
authenticate a user and never need to see his authorization
information.  Also, on the other side of the coin, as long as I have
an identifier (username, user ID, etc), I can perform authorization,
even if the user hasn't been authenticated (for example, think of
"remember me" - if a user is just remembered and not authenticated, I
can still control access to things based on just their remembered
identity).

Now, an argument can definitely be made that many times if you
authenticate an account, you will very shortly perform authorization
for it and that it would be more efficient to acquire authz info as
part of authentication.  This could certainly be done, but would be an
enhancement/feature request.  Please open a Jira issue if you think we
should address this.

HTH!

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
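The following is an added illustration of the two-method split described in the reply, not code from the thread or from the Apache Shiro project. It is a hypothetical `AuthorizingRealm` subclass (`TwoCallRealm`, a made-up name) whose "user management system" is a constructed in-memory map with one sample account, and it counts store lookups so the separate authentication and authorization calls are visible. `doGetAuthenticationInfo` returns only the credential needed to verify the login; `doGetAuthorizationInfo` needs nothing but a principal, which is why it can also serve a merely remembered identity.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical realm backed by a constructed in-memory "user management system". */
public class TwoCallRealm extends AuthorizingRealm {

    /** Constructed sample record: a password hash plus roles. Not real account data. */
    private static final class Account {
        final String passwordHashHex;
        final Set<String> roles;

        Account(String passwordHashHex, Set<String> roles) {
            this.passwordHashHex = passwordHashHex;
            this.roles = roles;
        }
    }

    private final Map<String, Account> userStore = new HashMap<>();
    private final AtomicInteger storeLookups = new AtomicInteger();

    public TwoCallRealm() {
        setName("twoCallRealm");
        // Submitted passwords are hashed with SHA-256 and compared to the stored hex digest.
        // A production store should use a salted, iterated hash; this is illustration only.
        setCredentialsMatcher(new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME));
        userStore.put("alice", new Account(new Sha256Hash("correct horse").toHex(),
                new HashSet<>(Arrays.asList("admin"))));
    }

    /** Stand-in for the remote user-management call; counts every round trip. */
    private Account lookup(String username) {
        storeLookups.incrementAndGet();
        return userStore.get(username);
    }

    public int getStoreLookups() {
        return storeLookups.get();
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        Account account = lookup(username);
        if (account == null) {
            throw new UnknownAccountException("No account for " + username);
        }
        // Only the credential is handed back; roles are deliberately not loaded here.
        return new SimpleAuthenticationInfo(username, account.passwordHashHex, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Only an identifier is required, so this path also works for a remembered,
        // not-yet-authenticated subject.
        String username = (String) getAvailablePrincipal(principals);
        Account account = lookup(username);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (account != null) {
            info.setRoles(account.roles);
        }
        return info;
    }

    public static void main(String[] args) {
        TwoCallRealm realm = new TwoCallRealm();
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();

        subject.login(new UsernamePasswordToken("alice", "correct horse"));
        System.out.println("store lookups after login: " + realm.getStoreLookups());

        boolean isAdmin = subject.hasRole("admin");
        System.out.println("alice has admin role: " + isAdmin);
        System.out.println("store lookups after hasRole: " + realm.getStoreLookups());
    }
}
```

Run against shiro-core on the classpath: the lookup counter rises once for the login and again for the first role check, which is the behaviour the question observed. If the combined fetch suggested in the reply were wanted, it would be implemented by having `doGetAuthenticationInfo` also populate the realm's authorization cache (a `CacheManager` must be configured for `AuthorizingRealm` to cache), so that the later `doGetAuthorizationInfo` call is served without a second round trip.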
