Within AuthorizingRealm, isPermitted obtains the permissions from an AuthorizationInfo object and evaluates whether the permissions assigned to a subject imply the permission(s) passed as arguments to isPermitted. For each request, isPermitted evaluates every single permission that a user is a member of. So if isPermitted receives as an argument an array containing 3 permission objects, and if the user is assigned 100 permissions, then implication tests are run 300 times to answer the request.

Consider the parts of a permission: domain:action:instance

If one were to store a user's permissions in a hash, where the key is the domain, you can query only for related domains. Store the related permissions into a set.

Let's use a message forum's comment section as an example. A User can read or create comment objects and only delete those the user owns (3 in this case). So, the user owns 2 Permissions within the comment domain:

comment:read,create:*
comment:delete:comment123,comment124,comment125

Let's store these two Permissions into a set, assigned to the 'comment' key in a Permissions hash map. Now imagine that this user has 98 other permissions irrelevant to managing comments.

Using my recommended solution: If the user initiates a delete on comment126, AuthorizingRealm will request the set of permissions corresponding to the 'comment' domain and then traverse through the set, running implies against each permission. Two permissions are evaluated.

Using the existing solution: 100 permissions are evaluated.

I provided a simple example. Can anyone draw an example where a hashmap, keyed by domain, would not work?

-DG-

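The following is an added, self-contained illustration of the two storage strategies described in the post above; it is not Shiro's code and not the poster's. It uses a simplified reimplementation of wildcard implication (modelled on the domain:action:instance convention, not identical to Shiro's WildcardPermission) and counts how many implies() tests a single isPermitted() request costs under a flat list versus a map keyed by domain. It also goes one step beyond the post by handling the two cases where a plain domain-keyed lookup would miss permissions: an assigned permission whose domain part is "*" (kept in a bucket that is consulted on every request) and one whose domain part lists several domains (filed under each). The 98 "otherN:read:*" permissions are constructed sample data.

```java
import java.util.*;

/** Added example, not Shiro's own code: flat vs. domain-keyed permission stores. */
public class DomainKeyedPermissions {

    /** Simplified permission: parts split on ':', sub-parts on ','; "*" in a part matches anything. */
    static final class SimplePermission {
        final List<Set<String>> parts = new ArrayList<>();

        SimplePermission(String text) {
            for (String part : text.trim().split(":")) {
                parts.add(new LinkedHashSet<>(Arrays.asList(part.split(","))));
            }
        }

        /** The domain part (first part); may hold several names or "*". */
        Set<String> domains() { return parts.get(0); }

        /** True if every part of this permission covers the matching part of other. */
        boolean implies(SimplePermission other) {
            for (int i = 0; i < parts.size(); i++) {
                Set<String> mine = parts.get(i);
                if (mine.contains("*")) continue;            // wildcard covers anything
                if (i >= other.parts.size()) return false;   // other is shorter: this part is unmatched
                if (!mine.containsAll(other.parts.get(i))) return false;
            }
            return true; // trailing parts of other beyond this permission's length are implied
        }
    }

    /** Existing behaviour: every assigned permission is tested on every request. */
    static final class FlatStore {
        private final List<SimplePermission> all = new ArrayList<>();
        int impliesCalls;

        void add(String text) { all.add(new SimplePermission(text)); }

        boolean isPermitted(String request) {
            SimplePermission p = new SimplePermission(request);
            for (SimplePermission mine : all) {
                impliesCalls++;
                if (mine.implies(p)) return true;
            }
            return false;
        }
    }

    /** Proposed behaviour: permissions bucketed by domain, plus a bucket for "*" domains. */
    static final class DomainKeyedStore {
        private final Map<String, Set<SimplePermission>> byDomain = new HashMap<>();
        private final Set<SimplePermission> anyDomain = new LinkedHashSet<>();
        int impliesCalls;

        void add(String text) {
            SimplePermission p = new SimplePermission(text);
            if (p.domains().contains("*")) { anyDomain.add(p); return; } // always consulted
            for (String d : p.domains()) {                                // multi-domain: file under each
                byDomain.computeIfAbsent(d, k -> new LinkedHashSet<>()).add(p);
            }
        }

        boolean isPermitted(String request) {
            SimplePermission p = new SimplePermission(request);
            Set<SimplePermission> candidates = new LinkedHashSet<>(anyDomain);
            if (p.domains().contains("*")) {
                byDomain.values().forEach(candidates::addAll); // request spans all domains
            } else {
                for (String d : p.domains()) {
                    candidates.addAll(byDomain.getOrDefault(d, Collections.emptySet()));
                }
            }
            for (SimplePermission mine : candidates) {
                impliesCalls++;
                if (mine.implies(p)) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        FlatStore flat = new FlatStore();
        DomainKeyedStore keyed = new DomainKeyedStore();
        // The two comment-domain permissions from the post, then 98 constructed permissions
        // in unrelated domains.
        String[] assigned = { "comment:read,create:*", "comment:delete:comment123,comment124,comment125" };
        for (String s : assigned) { flat.add(s); keyed.add(s); }
        for (int i = 0; i < 98; i++) { flat.add("other" + i + ":read:*"); keyed.add("other" + i + ":read:*"); }

        String request = "comment:delete:comment126"; // not owned by the user, so it should be denied
        System.out.println("flat:  permitted=" + flat.isPermitted(request) + " implies() calls=" + flat.impliesCalls);
        System.out.println("keyed: permitted=" + keyed.isPermitted(request) + " implies() calls=" + keyed.impliesCalls);
    }
}
```

Compile with javac and run the class directly; the flat store walks all 100 assigned permissions for the denied request while the keyed store only tests the two in the 'comment' bucket. The anyDomain bucket is the price of correctness: a subject holding "*:read" still has that permission applied to every domain, which a map lookup on the request's domain alone would never find.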