Hi Lenny, thank you for prompt response. Maybe my understanding is just wrong.
Example: realmBF.groupRolesMap = "CN=IFRS-Vbox Admin Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_ADMIN", "CN=IFRS-Vbox Manager Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_MANAGER", "CN=IFRS-Vbox Officer Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_OFFICER", "CN=IFRS-Vbox Operator Cameroon,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_OPERATOR", "CN=IFRS-Vbox Reporter Cameroon,OU=Groups,DC=xxxxx,DC=com":"IFRSBOX_BF_REPORTER", "CN=RISK-Vbox Admin Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_ADMIN", "CN=RISK-Vbox Manager Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_MANAGER", "CN=RISK-Vbox Officer Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_OFFICER", "CN=RISK-Vbox Operator Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_OPERATOR", "CN=RISK-Vbox Reporter Burkina Faso,OU=Groups,DC=xxxxx,DC=com":"RISKBOX_BF_REPORTER" realmBF.ldapContextFactory = $contextFactory realmBF.searchBase = "OU=Users,OU=Burkina Faso,OU=International Countries,DC=xxxxx,DC=com" From what I can see, `boolean[] hasRoles(List<String> roleIdentifiers, AuthorizationInfo info)` will call `hasRole()` and this checks every single role of the map one by one, right? I can see nowhere that `getRoleNamesForUser()` was called? Best regards Andreas On Sun, 2025-09-21 at 19:30 -0500, [email protected] wrote: > Hmmm… as far as I can tell, hasRole() does only look up in a hash > map. Are you sure that has the performance implications you think it > does? > FYI I was just looking at the code, and I don’t see an issue there. > > > > On Sep 21, 2025, at 5:12 PM, Andreas Reichel <andreas@manticore- > > projects.com> wrote: > > > > > > Greetings. > > > > I have a very complex Shiro Active Directory setup with 20 realms > > and each has a role map with 10 elements. > > Querying AD one by one takes long of course. And so I do wonder: > > > > > > 1) ActiveDirectoryRealm extends AuthorizingRealm > > > > 2) AuthorizingRealm provides the method > > > > protected boolean[] hasRoles(List<String> roleIdentifiers, > > AuthorizationInfo info) > > > > (Which still loops through one by one, calling `hasRole(roleName, > > info);`). > > > > 3) ActiveDirectoryRealm provides the method > > > > protected Set<String> getRoleNamesForUser(String username, > > LdapContext ldapContext) > > > > which fetches all the `memberOf` attribute values at once. > > > > 4) But as far as I can see, ActiveDirectoryRealm does not > > override hasRoles() to make use of getRoleNamesForUser() and I > > wonder why? Also, > > > > In case that is an oversight only, should I craft a PR? > > > > Thank you, best and cheers > > Andreas >
