We are using Shiro for Authentication and Authorization in our Web Application. Now we are facing huge performance issues and looking for a solution. Possible solutions are not working with the current implementation of our authorization checks.

Our application has two parts of users: internals (are allowed to read everything) and customers (are only allowed to read data that are related to their own customer). As the assignment of users to customers may change, we have permissions like 'product:read:restricted' instead of entity level permissions like 'product:read:1'. Our realm implementation does an on-the-fly check of customer-matching when the user has a "restricted" permission.

Now we have about 5000 products in our database. In case a customer logs in, we are loading all 5000 products into memory and let Shiro check the authorization. Most of the restricted users are only authorized for less than 10 products.

Our goal now is to not load everything before checking the authorization (advantages: fewer objects in memory, and the possibility of paging etc. for users that are authorized to see more). Putting our authorization checks in our query would work, so we would load fewer objects. But the disadvantage is that the rules for authorization are in different places: inside the DAO (query generation) and in our Realm implementation.

Does anyone have an idea how we might solve our problem (load fewer entities, check the authorization before having thousands of entities in memory), without duplicating our rules, or even using Shiro for that?

Many thanks for any ideas,
Michelle
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Authentication-with-huge-number-of-entites-tp7581305.html
Sent from the Shiro User mailing list archive at Nabble.com.
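One way to keep the rule in a single place while still filtering in the query, as an added example that is not part of the original post and not Shiro's own code: a scope object resolved once from the permissions and then used by both the DAO and the per-entity check. The class `ProductReadScope`, the permission name `product:read:unrestricted`, and the `p.customerId` field are assumptions; the `Predicate<String>` stands in for Shiro's `Subject.isPermitted(String)`.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

// Hypothetical helper: the only place that interprets the product read permissions.
public final class ProductReadScope {
    enum Kind { ALL, OWN_CUSTOMER, NONE }

    private final Kind kind;
    private final Long customerId; // set only for OWN_CUSTOMER

    private ProductReadScope(Kind kind, Long customerId) {
        this.kind = kind;
        this.customerId = customerId;
    }

    // isPermitted stands in for Shiro's Subject.isPermitted(String), e.g. subject::isPermitted.
    // "product:read:unrestricted" is an assumed permission name for internal users.
    static ProductReadScope resolve(Predicate<String> isPermitted, Long customerId) {
        if (isPermitted.test("product:read:unrestricted")) return new ProductReadScope(Kind.ALL, null);
        if (isPermitted.test("product:read:restricted") && customerId != null)
            return new ProductReadScope(Kind.OWN_CUSTOMER, customerId);
        return new ProductReadScope(Kind.NONE, null); // fail closed: no permission, no rows
    }

    // Query side: fragment for the DAO to append; values are bound, never concatenated.
    String whereFragment() {
        switch (kind) {
            case ALL: return "1 = 1";
            case OWN_CUSTOMER: return "p.customerId = :customerId"; // assumed entity field
            default: return "1 = 0";
        }
    }

    Map<String, Object> parameters() {
        return kind == Kind.OWN_CUSTOMER ? Map.of("customerId", customerId) : Map.of();
    }

    // Entity side: the same rule for a single loaded product (e.g. called from the realm).
    boolean permits(long productCustomerId) {
        return kind == Kind.ALL || (kind == Kind.OWN_CUSTOMER && customerId == productCustomerId);
    }

    public static void main(String[] args) {
        Set<String> granted = Set.of("product:read:restricted"); // constructed sample user
        ProductReadScope scope = resolve(granted::contains, 42L); // 42 = constructed customer id
        System.out.println("SELECT p FROM Product p WHERE " + scope.whereFragment() + " " + scope.parameters());
        System.out.println(scope.permits(42L) + " " + scope.permits(7L));
    }
}
```

Because the customer id is looked up when the scope is resolved, a changed user-to-customer assignment takes effect on the next request without touching the permission strings.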
