See issue JOC-437 for more information.
The following points apply for a multi-realm environment and where one of the realms is the ini realm:
A) When the SOS Authenticator is used with the First Successful strategy:
- If the authorization occurs through the ini realm then the user account will only be assigned the roles specified for the ini realm.
- If the authorization occurs through a realm other than the ini realm then, regardless of whether or not the same password is used in each realm:
  - the user account will be assigned the role(s) specified for the account in the authorizing realm
  - the user account will also be assigned the role(s) specified for the account in the ini realm (from our point of view this is an error in Shiro).
- The order in which the realms are specified in the securityManager.realms parameter is not significant here.
- Note that the authorization can come from the ini realm because
  - a) the password is incorrect or
  - b) another realm was listed before the ini realm and could allow the authentication
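The following shiro.ini fragment is an added example (not taken from the JOC documentation) of the two-realm setup described under A): an ini realm alongside a second realm, with the First Successful strategy configured. The LDAP server address, DN template, user name, password and role/permission names are placeholders chosen for illustration.

```ini
[main]
# Added example, not part of the original page. Strategy under discussion:
# First Successful (the other two strategies are AtLeastOneSuccessfulStrategy
# and AllSuccessfulStrategy in the same package).
authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy

# Second realm (LDAP). Server URL and DN template are placeholders.
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=users,dc=example,dc=com
ldapRealm.contextFactory.url = ldap://ldap.example.com:389

# The ini realm is created automatically from the [users]/[roles] sections
# below and is referenced as $iniRealm. As the note states, the order of
# the realms here does not change which roles are granted.
securityManager.realms = $ldapRealm, $iniRealm

[users]
# user = password, role1, role2, ...
# "alice" is assumed to exist in LDAP as well. If LDAP authenticates her,
# she receives her LDAP-side roles AND the roles listed here (the behaviour
# the note describes as an error in Shiro). Keeping the ini-realm roles of
# such shared accounts minimal limits the privileges added this way.
alice = <placeholder-ini-password>, viewer

[roles]
# role = comma-separated permissions
viewer = *:view
```

Accounts that should only ever be authorized through the non-ini realm should not be listed in [users] at all, since any role assigned there is added on top of the authorizing realm's roles.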
B) When using the At Least One Successful strategy:
C) When using the All Successful strategy: