This is the second time this has happened to me. I have decided to pay closer attention this time. It appears that sometimes, when doGetAuthorizationInfo(PrincipalCollection principals) in the AuthorizingRealm is called, the UsernamePasswordToken passed in is that of another user.
The trace below explains what I am trying to get at:
fetching List<Role> user1 from cache.. fetching List<Permission> user1-role from cache..
Those are print outs from the custom implementation of the AuthorizingRealm.
Basically, I get the principals:
String user = (String) getAvailablePrincipal(principals);
and I fetch the roles for that user (which prints out the >>> fetching List<Role> ..... line). Surprisingly, the user being printed is user1, when in reality the user that made the call is user2.
The question is, why is getAvailablePrincipal(principals) returning user1 instead of user2? Is that the right call to make to know the current owner/user of that context? I believe getAvailablePrincipal(principals) should return the user in the SHIRO_SECURITY_TOKEN header, but this is not happening.
I would appreciate it if someone could shed more light on how this works.
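An added example, not code from the question above: a minimal Shiro AuthorizingRealm that resolves the principal exactly as the poster does, looks up roles only by that principal, keys the authorization cache explicitly by it, and logs it next to the principal of the Subject bound to the calling thread so a mismatch like the one described can be spotted. The class name, the in-memory role map and the sample users are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Hypothetical diagnostic realm: roles come only from the principal Shiro hands in. */
public class DiagnosticRealm extends AuthorizingRealm {

    // Constructed sample role store standing in for the poster's List<Role> source.
    private final Map<String, Set<String>> rolesByUser = new HashMap<>();

    public DiagnosticRealm() {
        rolesByUser.put("user1", Set.of("user1-role"));
        rolesByUser.put("user2", Set.of("user2-role"));
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Same call the question uses: the primary principal from the collection passed in.
        String realmUser = (String) getAvailablePrincipal(principals);

        // Principal of the Subject bound to this thread; null if no Subject is bound here.
        Object subjectUser = null;
        try {
            subjectUser = SecurityUtils.getSubject().getPrincipal();
        } catch (RuntimeException noSubjectOnThread) {
            // doGetAuthorizationInfo can run without a thread-bound Subject; log null then.
        }
        System.out.println("authz lookup: realmPrincipal=" + realmUser
                + " threadSubject=" + subjectUser
                + (subjectUser != null && !subjectUser.equals(realmUser) ? " MISMATCH" : ""));

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRoles(rolesByUser.getOrDefault(realmUser, Set.of()));
        return info;
    }

    @Override
    protected Object getAuthorizationCacheKey(PrincipalCollection principals) {
        // Make the cache key visibly per user instead of the whole PrincipalCollection.
        return getAvailablePrincipal(principals);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // Authentication is out of scope for this example; another realm handles it.
        throw new AuthenticationException("DiagnosticRealm does not authenticate");
    }
}
```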