In a multi-realm environment all realms will be checked. This will produce warnings, e.g. if a user in the ini realm is not known in the ldap realm.
securityManager.realms = $iniRealm, $ldapRealm
will show the warning
Behavior of the Shiro implementation: Even if the FirstSuccessfulStrategy strategy is assigned, all realms will be checked. The cause of this problem is the class org.apache.shiro.authc.pam.FirstSuccessfulStrategy, which is not properly implemented.
It should be possible to configure the multi-realm behavior in a way that after successful authentication no more realms are checked.
To achieve this a new Shiro authenticator class should be implemented. This authenticator will stop calling realms if one successful authentication was performed and the strategy org.apache.shiro.authc.pam.FirstSuccessfulStrategy is assigned.
If this new authenticator is not used then messages originating from the NamingException should have the severity INFO instead of WARN or ERROR.
Behavior in the SOS implementation: Additionally a new strategy class com.sos.auth.shiro.SOSFirstSuccessfulStrategy should be implemented that works with the standard authenticator.
With this feature there are two alternative ways to get the FirstSuccessfulStrategy behavior:
A: Via Strategy
B: Via Authenticator
Similarity: Only the roles from the first successful realm will be assigned.
Difference: With A all realms will be contacted. With B no more realms will be contacted after the first successful login.
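
A sketch of alternative B, added here as an illustration and not the SOS or Shiro project's own code: an authenticator that extends Shiro's ModularRealmAuthenticator and stops contacting realms after the first successful login when FirstSuccessfulStrategy is assigned. The class name ShortCircuitAuthenticator and the package example.auth in the comment are hypothetical.

```java
import java.util.Collection;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;

// Hypothetical class. Assumed wiring in shiro.ini:
//   authenticator = example.auth.ShortCircuitAuthenticator
//   authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
//   securityManager.authenticator = $authenticator
//   securityManager.authenticator.authenticationStrategy = $authcStrategy
public class ShortCircuitAuthenticator extends ModularRealmAuthenticator {

    @Override
    protected AuthenticationInfo doMultiRealmAuthentication(
            Collection<Realm> realms, AuthenticationToken token) {
        AuthenticationStrategy strategy = getAuthenticationStrategy();
        // Any other strategy keeps the stock behavior: every realm is consulted.
        if (!(strategy instanceof FirstSuccessfulStrategy)) {
            return super.doMultiRealmAuthentication(realms, token);
        }

        AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);
        for (Realm realm : realms) {
            if (!realm.supports(token)) {
                continue;
            }
            aggregate = strategy.beforeAttempt(realm, token, aggregate);
            AuthenticationInfo info = null;
            Throwable failure = null;
            try {
                info = realm.getAuthenticationInfo(token);
            } catch (RuntimeException e) {
                // A failing realm (e.g. user unknown in ldap) must not abort the loop.
                failure = e;
            }
            aggregate = strategy.afterAttempt(realm, token, info, aggregate, failure);
            if (info != null) {
                // First success: later realms are never contacted, so they
                // cannot log lookup warnings and cannot contribute roles.
                break;
            }
        }
        // If no realm succeeded the aggregate is null and the calling
        // AbstractAuthenticator raises an AuthenticationException.
        return strategy.afterAllAttempts(token, aggregate);
    }
}
```

Because iteration follows the order of securityManager.realms, the realm listed first wins when an account exists in more than one realm.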