Description
in class AuthorizingRealm, the isPermitted( ... checks never look if the the permissionResolver are set but allways will query them in case a permission reqeust os asked for.
Solutions:
1. catch empty/ null permissionResolver in Authorizingrealm
2. force that all derived AuthorizingRealms have a permissionResolver by making this required in the constructor
3. defaultset the current only implementation (WildcardPermissionResolver) into the getPermissionResolver method so either this one is used or it has to be overwritten
I would suggest 2. as its most clean and will fail/ force to be cared with at compiletime already.
PS: this is the issue described in my mailing to list
http://mail-archives.apache.org/mod_mbox/shiro-user/201012.mbox/browser