Paulo Neves wrote:

Hi,

Sorry for my insistence, but I think that ACL on collections has a
serious performance problem.

I think that one solution is to execute a different procedure. My
idea is to obtain all ACLs first (because for that I only have to do 2
queries) and then, with the result, exclude objects from the collection that
don't have permission.

The idea is simple, but the implementation might not be so simple. So I
need your help, or simply what you think about it?

Hi Paulo

You are correct in that the base implementation of JdbcDaoImpl and JdbcExtendedDaoImpl will perform two separate queries in order to honor the interface contract specified by BasicAclDao:

   public BasicAclEntry[] getAcls(AclObjectIdentity aclObjectIdentity);

As you can see from the contract, an implementation of BasicAclDao is passed the AclObjectIdentity, which is often a NamedEntityObjectIdentity that simply returns a fully qualified class name + ":" + an identifier. Thus, if you have a more optimal way of querying your database, or a more optimal schema, you are quite free to implement your own BasicAclDao implementation and go from there.

There are two other factors to remember in relation to this discussion:

1. Returning large Collections and expecting ACL filtering to take place on them is not the recommended pattern of use. If you return 1,000 elements, that's just too many to reasonably expect to filter without a material overhead. My own approach to this matter is to return a paginated list, containing at most 100 elements per page. Most of the time the page size matches a sensible UI use case, such as 20 or 30 elements. There was discussion in the past on this list about how to ensure 20 or 30 elements are actually returned if the ACL filtering removes some. If you do go down this path and are concerned about always ensuring the requested page size is returned, please search the mailing list archives for the different strategies that were proposed.

2. The caching provided by BasicAclEntryCache implementations will negate the need to repeatedly query the database for the same AclObjectIdentity. Thus, even if you are returning 1,000 elements in a Collection, at least the performance hit will be mitigated in part by this caching.

For the above reasons I don't believe the ACL architecture has a serious performance limitation, but would certainly welcome any improvements, metrics or suggestions you can offer. We need to remember that domain-specific ACL information is always going to cause a persistence overhead, and developers therefore need to be mindful of this when designing their applications (like limiting Collection sizes, using an ACL schema and querying strategy advised by your DBA, etc.).

Cheers
Ben
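
One way to keep a page full after ACL filtering while looking up each identity only once, as discussed in points 1 and 2 of the reply above. This is an added example, not code from the thread or from Acegi Security; `AclPageFiller`, `Page`, `fillPage` and the functional parameters are hypothetical names, and the sample identities are constructed.

```java
import java.util.*;
import java.util.function.*;

// Added illustration: AclPageFiller, Page and the functional parameters are
// hypothetical names, not Acegi Security classes.
public class AclPageFiller {

    static final class Page {
        final List<String> ids = new ArrayList<>();
        int nextOffset;   // where the following page should start reading
    }

    // Reads fixed-size batches from the source until pageSize permitted
    // identities are collected or the source runs out.
    static Page fillPage(BiFunction<Integer, Integer, List<String>> fetchBatch,
                         Predicate<String> aclAllows,
                         Map<String, Boolean> decisionCache, // scope per user
                         int offset, int pageSize) {
        Page page = new Page();
        page.nextOffset = offset;
        while (page.ids.size() < pageSize) {
            List<String> batch = fetchBatch.apply(page.nextOffset, pageSize);
            if (batch.isEmpty()) break;                       // source exhausted
            for (String id : batch) {
                page.nextOffset++;
                // One ACL lookup per identity; an exception propagates, so
                // nothing is returned on a failed lookup (fail closed).
                if (decisionCache.computeIfAbsent(id, aclAllows::test)) {
                    page.ids.add(id);
                    if (page.ids.size() == pageSize) break;
                }
            }
        }
        return page;
    }

    public static void main(String[] args) {
        // Constructed sample data: 200 identities, every third one readable.
        List<String> all = new ArrayList<>();
        for (int i = 1; i <= 200; i++) all.add("com.example.Doc:" + i);
        int[] lookups = {0};
        Predicate<String> acl = id -> { lookups[0]++; return Integer.parseInt(id.substring(id.indexOf(':') + 1)) % 3 == 0; };
        BiFunction<Integer, Integer, List<String>> source = (off, n) -> all.subList(Math.min(off, all.size()), Math.min(off + n, all.size()));
        Page p = fillPage(source, acl, new HashMap<>(), 0, 20);
        System.out.println(p.ids.size() + " items, next offset " + p.nextOffset + ", ACL lookups " + lookups[0]);
    }
}
```

The cache here stores allow/deny decisions, which depend on the caller, so a separate map is needed per user or per request; it must not be shared across principals.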

