Return-Path: Delivered-To: apmail-incubator-jsecurity-user-archive@minotaur.apache.org Received: (qmail 43523 invoked from network); 27 Jan 2009 06:22:42 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 27 Jan 2009 06:22:42 -0000 Received: (qmail 17022 invoked by uid 500); 27 Jan 2009 06:22:42 -0000 Delivered-To: apmail-incubator-jsecurity-user-archive@incubator.apache.org Received: (qmail 17015 invoked by uid 500); 27 Jan 2009 06:22:42 -0000 Mailing-List: contact jsecurity-user-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: jsecurity-user@incubator.apache.org Delivered-To: mailing list jsecurity-user@incubator.apache.org Received: (qmail 17006 invoked by uid 99); 27 Jan 2009 06:22:42 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 26 Jan 2009 22:22:42 -0800 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of daniel.lauk@gmail.com designates 74.125.46.152 as permitted sender) Received: from [74.125.46.152] (HELO yw-out-1718.google.com) (74.125.46.152) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 27 Jan 2009 06:22:36 +0000 Received: by yw-out-1718.google.com with SMTP id 5so2489540ywr.0 for ; Mon, 26 Jan 2009 22:22:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=vnZbHr0jPUql15ly0BvJlSwfbt7kEvIVedMWjB1X8DI=; b=u04IIIPBxZFey5fFc9H06VmQwAmu0Tas+MqJAPpnWxpsexWfMSJd8zfBHgNcElTD7O OXG1zHJ/FQP9XWVjikgQ9ubtJ6OVm/FXUx1E+5MUfOWDzRYkByHdHZvOZnkI6n2yiHSA PA0Q1B2FBVghVmET0GTveoIC98SKolA6swDLA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=B5/HtS+AhYm28vut/YaK8EtCchBpBUdz7B3PBypquHXqKNcN8ZUNwfEfWXMMFW+UTP jpBhqwAn/Ypp9nRAwzz/a5cZZaO9dbBdWMQ04J0h4YxUl9j6TG9BA8W6z/Iku3mDpKvz 3jsVgjeznsNVb/Ga27VT1NToiS9p2w78kFtjU= MIME-Version: 1.0 Received: by 10.100.227.6 with SMTP id z6mr662772ang.120.1233037335339; Mon, 26 Jan 2009 22:22:15 -0800 (PST) In-Reply-To: <44b57a610901261151u36379fa6n670fc7a10c408d2b@mail.gmail.com> References: <44b57a610901260722m5b210f54o4f497030e6af6d7c@mail.gmail.com> <44b57a610901260725g420f6e9an5c10d7d9ea34217d@mail.gmail.com> <44b57a610901260926i2a7b8b6do7387c6a88b12552b@mail.gmail.com> <44b57a610901261151u36379fa6n670fc7a10c408d2b@mail.gmail.com> Date: Tue, 27 Jan 2009 07:22:15 +0100 Message-ID: Subject: Re: Instance level security w/ Permissions From: "Daniel J. Lauk" To: jsecurity-user@incubator.apache.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org > You can still do this of course so you don't have to duplicate UI code - it > is just a trade-off. More rather than less permissions mean a little extra > processing time. But, if you don't assign hundreds per user or role, then > it won't really matter for most applications. The performance 'hit' will be > negligible for most applications, especially if you use 2nd-level caching to > minimize or eliminate RDBMS round trips. I have never looked at it that way. Of course execution time is a tradeoff as well. D'oh. Thanks for the pointer. I'll have to ponder on all that again. > One thing that Peter (rightfully) tries to clarify as well is the difference > between a permission assignment and a permission check. Both situations use > a permission instance, so that overlap sometimes confuses people. Yes, that actually was clear from the beginning. Almost. Not upon first reading but definitely within my first day trying to learn JSecurity :-) The actual problem I had was the way the plugin works. I did not understand that the domain class "JsecPermission" in fact was not a JSecurity Permission in the sense of org.jsecurity.authz.Permission. Instead it's "just" the DB entry to create one. Anyway, by now I improved on Grails and Groovy and I think I got it now :-) > Notice how the permission being checked is similar to the permission that > was originally assigned. That is because Permissions don't work as a simple > equality check, there is _implication_ logic that occurs: "user:edit" > permission (assigned) 'implies' the "user:edit:1234" permission (checked). > > This does make permissions sometimes harder to understand, but once you get > the concept of implication down, you can really harness their power. Yes. I think that is really powerful. In particular the WildcardPermission is ingenious! I think I won't have to code any custom permission classes. The tradeoff is type safety -- I still don't know if that term references data types or typing ;-) -- but with Groovy I just gave up on types and stick to testing ;-) Cheers, DJ