Hi All, We currently use Spring security for authorization (ACL module in particular) but there are some new use cases which may make the continued use of Spring security infeasible. So I started looking for alternatives and in that process, have run into Apache Shiro. I read the documentation available on the Shiro site and I think I have some idea how it works. But there are some questions that I would like to get some clarification on and I would appreciate any help.
Here are some authorization requirements from our application:

1) Support granular privileges (mapping to operations such as "read" and "write"). Note that there are no resources at this point. These are just possible operations.
2) A role is a combination of privileges, again without reference to any resources.
3) Individual resources can be organized into resource groups where one resource can belong to multiple resource groups.
4) Finally, roles can be assigned to users (or groups) for a given resource or resource group.

It seems to me that Shiro supports (1) and (2) but I am not clear about the rest.

Also, is it true that the application needs to take care of all "write" operations as mentioned in one of the documents? Here is the relevant snippet:

"Currently all Realm implementations support 'read' operations for acquiring authentication and authorization data to perform logins and access control. 'Write' operations, like creating user accounts, groups and roles, or associating users with roles groups and permissions, are not supported. This is because the data model to support these operations varies dramatically across applications and it would be difficult to enforce a 'write' API on all Shiro users."

Thanks in advance,
Raghu
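The following is an added example, not part of the original post or of Apache Shiro's code. It models the four requirements above as Shiro-style "domain:action:instance" wildcard permission strings: bare privileges (1), roles as privilege bundles (2), resource groups with overlapping membership (3), and role assignments to users or user groups for a resource or resource group (4). The `WildcardPermission` class here is a Python reimplementation of the implication rule Shiro documents for that string format, written so the example runs without the library; the domain name `doc`, the role and group names, and all user/resource ids are constructed sample data. The `assign` method is the application-side "write" path the quoted snippet refers to: a realm would only read the flat permission strings that `permission_strings` produces.

```python
"""Model of resource-scoped role assignments as wildcard permission strings.

Constructed example; the matcher reimplements the documented
'domain:action:instance' implication rule and does not call Shiro's own
WildcardPermission class.
"""
from dataclasses import dataclass, field

WILDCARD = "*"


class WildcardPermission:
    """'domain:action:instance' permission; parts split on ':', tokens on ','."""

    def __init__(self, text):
        if not text or not text.strip():
            raise ValueError("empty permission string")
        self.parts = []
        for part in text.strip().split(":"):
            tokens = {t.strip().lower() for t in part.split(",") if t.strip()}
            if not tokens:
                raise ValueError(f"empty part in permission {text!r}")
            self.parts.append(tokens)

    def implies(self, other):
        """True if every token of `other` is covered by this permission.

        A granted permission with fewer parts implies any longer check
        ('doc:read' implies 'doc:read:42'); a longer granted permission
        implies a shorter check only if its extra parts are wildcards.
        """
        for i, theirs in enumerate(other.parts):
            if i >= len(self.parts):
                return True
            mine = self.parts[i]
            if WILDCARD not in mine and not theirs <= mine:
                return False
        return all(WILDCARD in p for p in self.parts[len(other.parts):])


@dataclass
class AuthzModel:
    domain: str                    # permission domain, e.g. "doc" (assumed name)
    privileges: set                # (1) bare operations, no resources
    roles: dict                    # (2) role -> set of privileges
    resource_groups: dict          # (3) group -> set of resource ids
    user_groups: dict              # user group -> set of user ids
    assignments: list = field(default_factory=list)  # (4) (principal, role, target)

    def assign(self, principal, role, target):
        """The application's own 'write' operation; a realm only reads the result."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        unknown = self.roles[role] - self.privileges
        if unknown:
            raise ValueError(f"role {role!r} grants undefined privileges {unknown}")
        self.assignments.append((principal, role, target))

    def _principals_of(self, user):
        # A user acts as itself plus every user group it belongs to.
        return {user} | {g for g, members in self.user_groups.items() if user in members}

    def _resources_of(self, target):
        # A resource group expands to its members; anything else is one resource.
        return set(self.resource_groups.get(target, {target}))

    def permission_strings(self, user):
        """Flat permission strings a realm would return for this user."""
        principals = self._principals_of(user)
        out = set()
        for principal, role, target in self.assignments:
            if principal not in principals:
                continue
            for resource in self._resources_of(target):
                for op in sorted(self.roles[role]):
                    out.add(f"{self.domain}:{op}:{resource}")
        return sorted(out)

    def is_permitted(self, user, check):
        """Granted permission implies the requested one, never the reverse."""
        wanted = WildcardPermission(check)
        return any(WildcardPermission(s).implies(wanted)
                   for s in self.permission_strings(user))


def build_sample():
    """Constructed sample data (not from the post)."""
    m = AuthzModel(
        domain="doc",
        privileges={"read", "write"},
        roles={"viewer": {"read"}, "editor": {"read", "write"}},
        resource_groups={"finance": {"doc1", "doc2"}, "legal": {"doc2", "doc3"}},
        user_groups={"auditors": {"alice"}},
    )
    m.assign("auditors", "viewer", "finance")  # user group on a resource group
    m.assign("bob", "editor", "doc3")          # single user on a single resource
    m.assign("bob", "viewer", "legal")         # doc2 is in both finance and legal
    return m


if __name__ == "__main__":
    model = build_sample()
    for user, check in [("alice", "doc:read:doc1"), ("alice", "doc:write:doc1"),
                        ("bob", "doc:write:doc3"), ("bob", "doc:write:doc2")]:
        print(user, check, model.is_permitted(user, check))
```

The direction of `implies` is the point to get right: the check is always the more specific string, and a user who holds only `doc:read:doc1` and `doc:read:doc2` is not permitted `doc:read` (read on everything), because the granted strings' instance parts are not wildcards.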
