If Shiro is configured for both authentication and authorization (as recommended), then this class is in the role of Authenticator .

However, although there are two objects, they are set up to share the same SecurityManager Shiro SecurityManager (bound to a thread-local).

class AuthenticatorShiro {
  AuthenticatorShiro(IsisConfiguration configuration)
  boolean canAuthenticate(final Class<? extends AuthenticationRequest> authenticationRequestClass)
  InteractionContext authenticate(final AuthenticationRequest request, final String code)
  void logout(final InteractionContext context)
  InteractionContext authenticationFor(AuthenticationRequest request, String validationCode, AuthenticationToken token, Subject currentSubject)