Shiro has a caching mechanism built-in so that when the user is logged in, all build up credentials are stored in a cache and retrieved there every subsequent call as long as the user hasn't logged out.
If you check out the source for AuthorizingRealm.getAuthorizationInfo, you can see that it retrieves the AuthorizationInfo from the cache, when caching was configured.
Check out the documentation on caching here: https://shiro.apache.org/caching.html
The quick solution is to configure a simple memory cache:
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
This should result in only one database action per user session for retrieving the credentials.