Posted to user@shiro.apache.org by Albert Kam <mo...@gmail.com> on 2013/01/08 06:33:50 UTC

When are the AuthorizingRealm methods called?

Please correct my understanding on this matter:

I am currently extending AuthorizingRealm, overriding
both doGetAuthorizationInfo and doGetAuthenticationInfo.
I am also using a custom AuthorizingRealm for both authentication and
authorization, and returning a SimpleAccount subclass instance from both
the authentication and authorization methods of the realm.

I am wondering when these 2 methods are called, and whether the results
(AuthorizationInfo & AuthenticationInfo) get cached in the local thread?

My assumption is that doGetAuthenticationInfo is called whenever login happens
(where Shiro creates the principals and stuff from the credentials, and
stores them to SimpleSession, and they then get passed to the custom session DAO).

And doGetAuthorizationInfo is called whenever permission-related methods
like Subject.isPermitted or isRole methods are called (where Shiro calls
the AuthorizationInfo methods to get all the permissions).

The questions I have in mind are more about the performance problems if things are
required over and over again within a single web request/response: Should
I care to cache AuthorizationInfo (in my custom realm) and
AuthenticationInfo (should be needless for AuthenticationInfo, since it's
been stored to the session, and Shiro will make use of it, correct?)

And is it a good approach to requery all the permissions with
every web request/response, or should we keep them on the session, which can
be renewed whenever it's stale?

Sorry for the confusing question. Still quite new with Shiro.

-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)
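
The setup described in the post can be instrumented to see how often each realm method runs. The following is an added example, not code from the original poster or from the Shiro project: `CountingRealm`, the user `alice`, the password and the permission string are constructed for illustration. It runs once without a `CacheManager` (the realm is queried on every permission check) and once with one (the result is cached until it is evicted), and shows the eviction call that keeps a revoked permission from being served from cache.

```java
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RealmCallCountDemo {
    // Hypothetical realm: every user gets one constructed in-memory account.
    static class CountingRealm extends AuthorizingRealm {
        final AtomicInteger authcCalls = new AtomicInteger();
        final AtomicInteger authzCalls = new AtomicInteger();
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            authcCalls.incrementAndGet();   // counts credential lookups
            return account(token.getPrincipal());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            authzCalls.incrementAndGet();   // counts permission lookups
            return account(principals.getPrimaryPrincipal());
        }
        private SimpleAccount account(Object user) {
            SimpleAccount a = new SimpleAccount(user, "secret", getName()); // constructed credentials
            a.addStringPermission("doc:read");
            return a;
        }
        // Call after changing a user's roles or permissions so stale rights are dropped.
        void evict(PrincipalCollection p) { clearCachedAuthorizationInfo(p); }
    }

    static void run(boolean withCache) {
        CountingRealm realm = new CountingRealm();
        if (withCache) realm.setCacheManager(new MemoryConstrainedCacheManager());
        Subject subject = new Subject.Builder(new DefaultSecurityManager(realm)).buildSubject();
        subject.login(new UsernamePasswordToken("alice", "secret"));
        for (int i = 0; i < 3; i++) subject.isPermitted("doc:read");
        int beforeEvict = realm.authzCalls.get();
        realm.evict(subject.getPrincipals());   // no-op when no cache is configured
        subject.isPermitted("doc:read");
        System.out.printf("cache=%b authc=%d authz(3 checks)=%d authz(after evict)=%d%n",
                withCache, realm.authcCalls.get(), beforeEvict, realm.authzCalls.get());
    }

    public static void main(String[] args) { run(false); run(true); }
}
```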