>From the documentation http://shiro.apache.org/authentication.html#Authentication-Step1%3ACollecttheSubject%27sprincipalsandcredentials : /Shiro has 3 concrete AuthenticationStrategy implementations: AuthenticationStrategy class Description AtLeastOneSuccessfulStrategy If one (or more) Realms authenticate successfully, the overall attempt is considered successful. If none authenticate succesfully, the attempt fails. FirstSuccessfulStrategy Only the information returned from the first successfully authenticated Realm will be used. All further Realms will be ignored. If none authenticate successfully, the attempt fails. AllSuccessfulStrategy All configured Realms must authenticate successfully for the overall attempt to be considered successful. If any one does not authenticate successfully, the attempt fails./
I have not verified whether this applies to authorization, too, but what I fancy is that a subject is by default authenticated to every configured realm and for every realm where this succeeds, that realms specific role and permissions are added to the subjects list of roles and permission. example: realm1 subject authenticates -> role1 and permissions1 from this realm are added to subject realm2 subject does not authenticate, role2 and permissions2 are NOT added to subject realm3 subject authenticates -> role3 and permissions3 from this realm are added to subject So, in shiro you have subjects that are linked to roles and permissions authenticated and authorized through individual realms, instead of person / actor linked to multiple subjects. *If I am writing nonsense here, please people, correct me!* -- View this message in context: http://shiro-user.582556.n2.nabble.com/Does-an-overarching-concept-of-a-Actor-or-similar-exist-that-combines-multiple-Subjects-tp7579210p7579215.html Sent from the Shiro User mailing list archive at Nabble.com.
