It's been a while but I think you are correct about how Shiro works. I
would use a role to solve this. You can make a role like "maintainer" and
assign that role to anyone that can maintain objects. Then you can protect
any pages after the url /maintain
On Wednesday, April 19, 2017, Robin Garner
I've just about finished adding my first feature that uses object
permissions to a tapestry app (tapestry-security 0.5.1, tapestry 5.3.8).
Users are given permissions to the objects they are allowed to
maintain, when they go to the new page, only the objects they have
permission to maintain ap