> it seems Shiro is very tightly coupled to both authentication and
> authorization—it just really, really, /really/ wants to do both.
They are very nearly perfectly decoupled, by design. The AuthorizingRealm JavaDoc (http://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/realm/AuthorizingRealm.html) - linked to from the main Realm interface - states that you can just call getAuthorizationInfo with a PrincipalCollection argument, and you'll get all the authz info you need. This is not coupled to authentication *at all*. Create a SimplePrincipalCollection instance that wraps whatever identity you want, and then call the getAuthorizationInfo method. The Realm implementation finds the relevant identity and then looks up whatever it needs to from the underlying data store.

You can look at the AuthorizingRealm implementation to see how permission and role checks are performed - you can use them out of the box, or override them for your own special comparison logic - whatever works for your use case.

As for documentation, I'm *always* looking for suggestions to improve it for the community. The Shiro team requests *constructive* criticism from the community - offers to help, identifying gaps and then providing suggestions for specific improvements, and *especially* patches to our site (http://svn.apache.org/repos/asf/shiro/site/trunk/). Complaining that the docs are "cryptic and incomplete" does nothing for anyone - only when suggestions are made for improvement can we put a stake in the ground and move forward.

So, I ask - where are the gaps? What was hard to understand? Where can we fill in more information that would make things easier? I'm quite happy to address these things, but this project can only become better with the support of the community - no one works on Shiro as their full-time day job, so we rely on each other for help.
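The following is an added, self-contained illustration of the authz-only usage described in the reply above; it is not code from the Shiro project or from the thread participants. It defines a hypothetical realm, AuthzOnlyRealm, whose doGetAuthorizationInfo reads roles and permissions from a constructed in-memory map standing in for a real data store, and whose doGetAuthenticationInfo deliberately throws because no login ever happens. Note that AuthorizingRealm.getAuthorizationInfo(PrincipalCollection) is protected in Shiro 1.2.x, so the example reaches it through a small public wrapper (authzInfoFor, an assumed name); the public entry points for checks are the Authorizer methods the realm already implements (isPermitted, hasRole, checkPermission). Map.of and Set.of assume Java 9 or later.

```java
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/**
 * Hypothetical realm (example code, not Shiro's own): roles and permissions
 * come from an in-memory map that stands in for a database or directory.
 * Only the authorization hook carries real logic; authentication is unused.
 */
public class AuthzOnlyRealm extends AuthorizingRealm {

    // Constructed sample data, not taken from any real system.
    private static final Map<String, Set<String>> ROLES = Map.of(
            "alice", Set.of("editor"),
            "bob", Set.of("viewer"));
    private static final Map<String, Set<String>> PERMS = Map.of(
            "editor", Set.of("doc:read", "doc:write"),
            "viewer", Set.of("doc:read"));

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // The identity is whatever the caller wrapped in the PrincipalCollection;
        // nothing here depends on how (or whether) that identity was authenticated.
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String role : ROLES.getOrDefault(username, Set.of())) {
            info.addRole(role);
            // Permissions are granted per role; an unknown user ends up with none.
            info.addStringPermissions(PERMS.getOrDefault(role, Set.of()));
        }
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // Never reached in this example: no login is performed anywhere below.
        throw new UnsupportedOperationException("authentication is handled elsewhere");
    }

    /** getAuthorizationInfo is protected in AuthorizingRealm; expose it to callers (assumed name). */
    public AuthorizationInfo authzInfoFor(PrincipalCollection principals) {
        return getAuthorizationInfo(principals);
    }

    public static void main(String[] args) {
        AuthzOnlyRealm realm = new AuthzOnlyRealm();

        // Wrap identities established by some other mechanism (SSO header, client cert, ...).
        PrincipalCollection alice = new SimplePrincipalCollection("alice", realm.getName());
        PrincipalCollection bob = new SimplePrincipalCollection("bob", realm.getName());
        PrincipalCollection mallory = new SimplePrincipalCollection("mallory", realm.getName());

        // Raw AuthorizationInfo lookup, as the reply describes.
        AuthorizationInfo info = realm.authzInfoFor(alice);
        System.out.println("alice roles=" + info.getRoles()
                + " perms=" + info.getStringPermissions());

        // Public Authorizer methods on the realm: no Subject, no SecurityManager, no login.
        // Permission strings are resolved by the realm's default WildcardPermissionResolver.
        System.out.println("alice doc:write -> " + realm.isPermitted(alice, "doc:write"));
        System.out.println("bob doc:write   -> " + realm.isPermitted(bob, "doc:write"));
        System.out.println("bob viewer      -> " + realm.hasRole(bob, "viewer"));
        // Unknown principal: empty info, so every check denies (fails closed).
        System.out.println("mallory doc:read -> " + realm.isPermitted(mallory, "doc:read"));
    }
}
```

Run it with shiro-core (1.2.2 or later) on the classpath. alice's write check passes, bob's write check and mallory's read check are denied, and bob holds the viewer role; the UnsupportedOperationException in the authentication hook is never thrown, which is the point: the realm's authz path is exercised end to end without a login anywhere. If you later attach a CacheManager, AuthorizingRealm will cache the returned AuthorizationInfo keyed by the PrincipalCollection, so call clearCachedAuthorizationInfo after changing a user's grants.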
