Hi all, I have a question about the ModularRealmAuthorizer implementation (Shiro version 1.3.2). There are 2 methods to check multiple permissions: public boolean[] isPermitted(PrincipalCollection principals, String... permissions) public boolean[] isPermitted(PrincipalCollection principals, List<Permission> permissions)
Both of these implementations does a loop to call the isPermitted method with a single permission. So the AuthorizingRealm method doGetAuthorizationInfo is called at each iteration. (we aren’t using cache) Since the AuthorizingRealm has a specific implementation for the isPermitted method with multiple permissions we tried to use it customizing the ModularRealmAuthorizer. In Kapua project we wrote a custom ModularRealmAuthorizer implementation (see [1]) to reduce the doGetAuthorizationInfo calls count (with the "at least one realm” as result aggregation strategy). In the ModularRealmAuthorizer did you implement the isPermitted method with the for loop to use the realm aggregation strategy configuration for the realms results? If not, is it possible to change the implementation to make it more performant (avoiding multiple doGetAuthorizationInfo)? Thank you Riccardo [1] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/security/EnhModularRealmAuthorizer.java#L47
