I have been analyzing how this framework operates in order to understand it, but I have run into the following questions:

Is the main object, the SecurityManager, which is in charge of all security, created on every request? Or is it a static object that is created at application startup?

I don't understand why the SecurityManager is taken by the ThreadContext as an object that is part of the request.

Is what is set in ThreadContext.bind(SecurityManager sm) just a reference to the one SecurityManager created at the start of the application? Or is it itself a new instance?
A SecurityManager is an object that allows you to authenticate, authorize, and manage the session from a single point. It is an interface and has different implementations (AuthenticatingSecurityManager, AuthorizingSecurityManager, CachingSecurityManager, DefaultSecurityManager, DefaultWebSecurityManager, RealmSecurityManager, SessionsSecurityManager), and it is only associated with a single Subject; each Subject can have a different SecurityManager... or not, it is up to you to decide.

On the other hand, Shiro does not associate a Subject to the current Thread; this can be done automatically, manually, or in another Thread. Each has its own way of being done; at http://shiro.apache.org/subject.html you can see more details about it.

What ThreadContext does is associate context information with a Thread, such as the SecurityManager to use, among other things; you can even add additional context information.
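As an added illustration (not code from the question, the answer, or the Shiro project), the following stand-alone program builds one DefaultSecurityManager at startup, binds that same instance into the ThreadContext for each simulated request, and checks that ThreadContext.getSecurityManager() returns the identical reference rather than a new instance. It also shows the "other Thread" case via Subject.associateWith. The realm, the demo account and the request-handling method are constructed for this example; in a web application the Shiro filter performs the equivalent bind and cleanup per request.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class ShiroThreadContextDemo {

    // Built once at application startup and shared by every request.
    private static final SecurityManager SHARED_MANAGER = buildSecurityManager();

    private static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        // Constructed demo account for this example only: "user = password, role".
        ini.addSection("users").put("alice", "secret, reader");
        ini.addSection("roles").put("reader", "doc:read");
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    // Simulates one request handled on the current (possibly pooled) thread.
    static void handleRequest(String user, String password) throws InterruptedException {
        ThreadContext.bind(SHARED_MANAGER);   // stores a reference in a thread-local map, not a copy
        try {
            if (ThreadContext.getSecurityManager() != SHARED_MANAGER) {
                throw new IllegalStateException("ThreadContext returned a different SecurityManager");
            }
            Subject subject = SecurityUtils.getSubject();   // resolved through the ThreadContext
            subject.login(new UsernamePasswordToken(user, password));
            System.out.println(user + " may read docs: " + subject.isPermitted("doc:read"));

            // The "another Thread" case: carry this Subject (and its manager) into a worker explicitly.
            Runnable work = subject.associateWith(() ->
                System.out.println("worker thread sees " + SecurityUtils.getSubject().getPrincipal()));
            Thread worker = new Thread(work);
            worker.start();
            worker.join();
            subject.logout();
        } finally {
            ThreadContext.remove();   // clear all thread-locals so a reused thread starts clean
        }
    }

    public static void main(String[] args) throws InterruptedException {
        handleRequest("alice", "secret");
        handleRequest("alice", "secret");   // second request: same SHARED_MANAGER reference is bound again
    }
}
```

The identity check inside handleRequest is the direct answer to the question: bind() stores a reference to the startup-time SecurityManager, so creating it per request is unnecessary; the per-request work is only the bind and the cleanup in the finally block.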