A user (principal) could be part of multiple realms. Maybe your user authenticates from one realm, and is authorized by a different one. For example, your user/passwords are handled by an LDAP server, but your permissions-to-user mappings are application-specific. This would result in a collection of principals.
The Javadoc for PrincipalCollection has some great info too:
https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/subject/PrincipalCollection.java

Many applications just use a single realm and single Principal, in which case you can just call `subject.getPrincipal()` and avoid the `PrincipalCollection` altogether.

On Fri, May 15, 2020 at 11:10 AM Alex Sviridov <[email protected]> wrote:

> Hi all,
>
> I am learning Shiro and can’t understand why in
> AuthorizingRealm#doGetAuthorizationInfo(PrincipalCollection pc)
> we have `PrincipalCollection pc` but not `Principal p`. In other words,
> why collection?
>
> Could anyone explain?
>
> --
> Alex Sviridov
