Hello, We're implementing instance-based permissions in our application, which in essence is a type of document management system, and had some queries/remarks on our experiences with Shiro so far, in case these are common issues that would benefit from further discussion.
In particular, we have 2 situations in which we need to check instance-based permissions; the first is straightforward, the second we're finding a little tricky to work out which is the best way to proceed. 1) A user requests a document from the database, and the application needs to figure out what the user can do with that document, e.g., read/edit/delete etc. This seems a good fit with Shiro permissions; we write an adapter class which adapts our entity object ( the document) to the Shiro permissions interface, so that a call to subject.implies(Permission) tests the user's permissions against the document's properties (e.g., it's owner, group, etc). In general the assumption is that at least the user will be able to view the document, so we have to load up the document from the DB anyway; and testing permissions does not involve additional database hits ( assuming the subject's permissions are already loaded and cached). 2) A user is requesting a listing of some collection of resources. There are very many resources in the database table , and the user will have authorized access to only a small fraction of the resources (but neverthess this still could be in the hundreds-thousands range; so loading all the resources, adapting them to the permissions interface, testing permissions, and discarding those not matching, is very wasteful. Ideally we'd add in some sort of WHERE clause in the DB query to take account of permissions, but since we're using the Shiro wildcard system( actually slightly modified, but essentially the same mode of operation), this needs Java code to parse the permission strings etc., so we need to load up information about the entity whose permission is being tested anyway. We could perhaps work round the wildcard system by explicitly enumerating the document IDs that users can access, but since documents are being created and deleted frequently, this would require a lot of update operations, and long lists of IDs (e.g., RECORD:READ:1,19,23.....1000) would be a really long string to parse and update very frequently. What is the best way round this? Is there a best way round this? Would appreciate any advice. Also if what I've written isn't clear, then please let me know as well, so I can clarify. Thanks Richard Adams -- View this message in context: http://shiro-user.582556.n2.nabble.com/instance-based-permissions-tp7578159.html Sent from the Shiro User mailing list archive at Nabble.com.
