...

Consider the case of a user account that is configured for both the Shiro ini realm and an LDAP realm. A simple example configuration is shown in the listing below. A publicly accessible LDAP server (here, the server from forumsys.com) is used in this example to allow the configuration to be implemented by 'cut and paste' and a minimum of modification.

...

  • If the securityManager.realms parameter is specified (explicit realm ordering):
    • The authorization information provided by the user logging in will only be checked against the realms listed in the securityManager.realms parameter. Realms configured in the [main] section but not listed in the securityManager.realms parameter will be ignored.
    • The authorization information provided by the user logging in will be checked against each realm account in the order in which realms are specified in the securityManager.realms parameter. In the example, this would be first the publicLdapRealm and then the iniRealm.
  • If the securityManager.realms parameter had not been specified (implicit realm ordering):
    • The authorization information provided by the user logging in would have been checked against each realm account in the order in which realms were listed in the [main] section of the shiro.ini file. In the example, this would be first the iniRealm and then the publicLdapRealm.

Explicit and implicit realm ordering is described in more detail in the 'Realm Authentication' section of the Shiro Authentication web site.
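The two orderings described above, written out as a shiro.ini; this is an added illustration, not the page's own listing. The realm class, the forumsys.com URL and DN template, and the `tesla` account with its password and role are assumptions made for the example, and the ini realm is the one Shiro creates under the name iniRealm when a [users] section is present.

```ini
[main]
# LDAP realm pointing at the public forumsys.com test server
# (assumed URL and DN layout; adjust to your directory)
publicLdapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
publicLdapRealm.userDnTemplate = uid={0},dc=example,dc=com
publicLdapRealm.contextFactory.url = ldap://ldap.forumsys.com:389

# Explicit realm ordering: the realms are consulted in the order written
# here, first publicLdapRealm, then iniRealm.
# Delete or comment out this line to get implicit realm ordering instead.
securityManager.realms = $publicLdapRealm, $iniRealm

[users]
# Constructed sample account that shares its user name with an LDAP account.
# Format: username = password, role1, role2, ...
tesla = constructed-ini-password, iniAdmin

[roles]
# Constructed sample role for the ini realm account
iniAdmin = admin:*
```

When reviewing such a file, compare every name under [users] against the LDAP directory: an account that exists in both realms is the case this page is about.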

...

When an LDAP realm user account is authenticated and there is an iniRealm with the same user name but this ini realm is not listed in the securityManager.realms parameter, then by default role(s) configured for the ini realm account will be merged together with those of the LDAP realm account. Note that this will occur regardless of whether or not the same password is used for both realm accounts.

...