shiro-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel J. Lauk" <>
Subject Re: Instance level security w/ Permissions
Date Tue, 27 Jan 2009 06:22:15 GMT
> You can still do this of course so you don't have to duplicate UI code - it
> is just a trade-off.  More rather than less permissions mean a little extra
> processing time.  But, if you don't assign hundreds per user or role, then
> it won't really matter for most applications.  The performance 'hit' will be
> negligible for most applications, especially if you use 2nd-level caching to
> minimize or eliminate RDBMS round trips.

I have never looked at it that way. Of course execution time is a
tradeoff as well. D'oh.
Thanks for the pointer. I'll have to ponder on all that again.

> One thing that Peter (rightfully) tries to clarify as well is the difference
> between a permission assignment and a permission check.  Both situations use
> a permission instance, so that overlap sometimes confuses people.

Yes, that actually was clear from the beginning. Almost. Not upon
first reading but definitely within my first day trying to learn
JSecurity :-)
The actual problem I had was the way the plugin works. I did not
understand that the domain class "JsecPermission" in fact was not a
JSecurity Permission in the sense of org.jsecurity.authz.Permission.
Instead it's "just" the DB entry to create one.

Anyway, by now I improved on Grails and Groovy and I think I got it now :-)

> Notice how the permission being checked is similar to the permission that
> was originally assigned.  That is because Permissions don't work as a simple
> equality check, there is _implication_ logic that occurs: "user:edit"
> permission (assigned) 'implies' the "user:edit:1234" permission (checked).
> This does make permissions sometimes harder to understand, but once you get
> the concept of implication down, you can really harness their power.

Yes. I think that is really powerful.
In particular the WildcardPermission is ingenious! I think I won't
have to code any custom permission classes.
The tradeoff is type safety -- I still don't know if that term
references data types or typing ;-) -- but with Groovy I just gave up
on types and stick to testing ;-)


View raw message