@Brian: Is this behavior of FirstSuccessfulStrategy by design or is it a bug? To me it seems wrong that authorization is checked against a realm which was not authenticated against - after all, that second authentication might fail, if it were to be tried.
-- Sent from: http://shiro-user.582556.n2.nabble.com/
