On Mon, Mar 12, 2012 at 9:52 PM, dsavenko <[email protected]> wrote:
> could anyone please tell me about thread safety consideration while using
> Shiro?
> My question is should I protect authenticate() call here by synchronization?
> And does it depend on whether MyRealm is thread safe or not? And a more
> common question: should custom realms be thread safe?

You'll create a major scalability bottleneck if you synchronize calls to authenticate() in a filter. Also, you are bypassing a few layers there by operating on securitymanager directly - in the usual case you should be calling Subject.login() (http://shiro.apache.org/static/current/apidocs/org/apache/shiro/subject/Subject.html).

You are calling the realm from a filter, so the exact same design principles apply to implementing your realm as for implementing any filter: your realm should be stateless, immutable and blocking (i.e. not threaded). You should be extra careful if you are trying to do something clever for passing the state from doGetAuthenticationInfo() to doGetAuthorizationInfo(), which, I'm guessing, is why you are asking about it. Typically, you are better off relying on the caching system implemented outside the realm (say if you needed to pull the user data in both operations).

Kalle
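
A sketch of the stateless realm design described in the reply above, added here as an illustration; it is not code from the original thread or from the Shiro project. `UserStore`, `StatelessRealm` and `LoginHelper` are hypothetical names, and `UserStore` is assumed to be thread-safe.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import java.util.Set;

// Hypothetical lookup service (not a Shiro type); assumed to be thread-safe.
interface UserStore {
    String credentialsFor(String username);   // returns null for an unknown user
    Set<String> rolesFor(String username);
}

public class StatelessRealm extends AuthorizingRealm {
    // The only field is final and assigned once, so concurrent requests share nothing mutable.
    private final UserStore store;

    public StatelessRealm(UserStore store) { this.store = store; }

    // What to avoid: a mutable field such as "private String lastUser;" written in
    // doGetAuthenticationInfo() and read in doGetAuthorizationInfo(). Two concurrent
    // logins overwrite each other and one user can receive another user's roles.

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // The default token class supported by the realm is UsernamePasswordToken.
        String username = ((UsernamePasswordToken) token).getUsername();
        String stored = store.credentialsFor(username);
        if (stored == null) {
            throw new UnknownAccountException("No account for " + username);
        }
        // The realm's configured CredentialsMatcher compares token and stored credentials.
        return new SimpleAuthenticationInfo(username, stored, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Everything needed is derived from the argument, not from earlier calls.
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRoles(store.rolesFor(username));
        return info;   // cached by AuthorizingRealm when a CacheManager is configured
    }
}

class LoginHelper {
    // Callers go through Subject.login() with no synchronization around it.
    static void login(String username, char[] password) {
        SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password));
    }
}
```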
