Hi,
Sorry for my insistence, but I think that ACL on collections has a
serious perfomance problem.
I think that one solution are to execute a diferent procediment. My
idea are, obtain all ACLs first (because for that I only have to do 2
querys ) and then with result excludes objects from collection that
don't have permission.
The ideia is simple, but implementation could not be so simple. So I
need your help, or simple what you think about it ?
I see acegisecurity code, and do a simple analysis what will be
change for that.
I think will change:
table:
acl_object_identity ( separate column object_identity in two,
object_class and object_id )
so we could query only for classname.
Code:
JDBCImpl.java
AclProvider.java
AclProviderManager.java
AclManager.java
BasicAclProvider.java
Thanks,
Paulo
On 7/12/05, Paulo Neves <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I'm testing again ACL, and I have another sugestion for perfomance.
>
> When we do AfterInvocationCollectionFiltering, they process a
> collection and for every object on that colecttion they do 2 querys (
> one for object properties and another for obtain acl entry ).
> If we have 30 objects, ACL do 60 querys on database, if we have 1000
> they do 2000 and so on.
>
> I think that we can't use the same process for collections and single object.
>
> My sugestion are, why we simple don't create a
> getAclCollection(filterer, authentication), that return a map that
> key could be a string with "<domainobject>:<id>" and value AclEntry[]
>
> and change BasicAclEntryAfterInvocationCollectionFilteringProvider to
>
> // Locate unauthorised Collection elements
> Iterator collectionIter = filterer.iterator();
>
> >> Map aclTable = aclManager.getAclCollection(filterer,
> authentication);
>
> while (collectionIter.hasNext()) {
> Object domainObject = collectionIter.next();
>
> boolean hasPermission = false;
>
> AclEntry[] acls = null;
>
> if (domainObject == null) {
> hasPermission = true;
> } else {
> // construct key
> String aclObjectIdentityString =
> neoi.getClassname() + ":"
> + neoi.getId();
> acls = aclTable.get(aclObjectIdentityString );
> }
>
>
> My question / problem are,
> 1) For do that is better obtain all ACLs from one class.
> Like :
> SELECT CHILD.ID, CHILD.OBJECT_IDENTITY, CHILD.ACL_CLASS,
> PARENT.OBJECT_IDENTITY as PARENT_OBJECT_IDENTITY
> FROM acl_object_identity as CHILD
> LEFT OUTER JOIN acl_object_identity as PARENT ON
> CHILD.parent_object=PARENT.id
> WHERE CHILD.object_identity like 'org.eteamcs.model.Contact%'
>
> and
>
> SELECT RECIPIENT, MASK, aoi.OBJECT_IDENTITY
> FROM acl_permission as ap
> LEFT OUTER JOIN acl_object_identity as aoi on (aoi.id=ap.acl_object_identity
> )
> where aoi.OBJECT_IDENTITY like 'org.eteamcs.model.Contact%'
> order by object_identity
>
>
> where org.eteamcs.model.Contact is my classname
>
> 2) or, obtain only ACLs from objects in collection but too dificult to
> construct query that obtain ACLs
>
>
> What you think about my ideia, what are your orientations ??
>
>
> Thnaks, Paulo
>
-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening
July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual
core and dual graphics technology at this free one hour event hosted by HP,
AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
