> On Jan 6, 2016, at 9:24 AM, Jan Sindberg <[email protected]> wrote:
>
>> There is one thing you can do now, call the accessmgr.sessionpermissions
>> api, and store that result set in a map locally. That is a typical use case
>> for web apps where each page loading requires multiple permission checks.
>>
>> Shawn
>
> Thanks. We will do that for now. Down the road we might see users with 200
> permissions. We are still looking into this, but it looks like each creation
> of a session will call the LDAP once for each permission? That means a delay
> of 6 seconds for each page load if I am correct. I think we will need local
> caching which can be invalidated by an event or at least through a
> jmx-console which I think EHCache already supports, and also the fortress
> cache-api has methods for invalidating cache so that we could implement our
> own event handling.

Calling createSession does one ldap search (user object) and one bind - only.

Calling sessionPermissions does one search, pulling back all permissions for a given user’s session (i.e. pulls back all permissions that are granted to their activated roles).

Calling checkAccess does one permission search (read) pulling back the single permission. If you have openldap audit enabled, it will do a compare after the perm read (to push a record into slapo access log).

Shawn
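
Added example, not part of the thread and not Fortress code: a sketch of the local per-session permission map discussed above, with the expiry and explicit invalidation hook that a cached authorization result needs so a revoked grant does not stay usable. The `Perm` record, the `loader` function (standing in for a call such as sessionPermissions) and the session id strings are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

public class SessionPermissionCache {
    // Hypothetical value types; Fortress has its own Permission and Session classes.
    record Perm(String objName, String opName) {}
    private record Entry(Set<Perm> perms, Instant expires) {}

    private final Map<String, Entry> bySession = new ConcurrentHashMap<>();
    private final Function<String, List<Perm>> loader; // stands in for sessionPermissions
    private final Duration ttl;

    SessionPermissionCache(Function<String, List<Perm>> loader, Duration ttl) {
        this.loader = loader;
        this.ttl = ttl;
    }

    // Answers from the local set; the loader runs only when the entry is missing or expired.
    boolean isPermitted(String sessionId, String objName, String opName) {
        Entry e = bySession.compute(sessionId, (id, cur) ->
            (cur == null || Instant.now().isAfter(cur.expires()))
                ? new Entry(Set.copyOf(loader.apply(id)), Instant.now().plus(ttl))
                : cur);
        return e.perms().contains(new Perm(objName, opName)); // anything not listed is denied
    }

    // Hook for an admin event or JMX operation when grants or role activations change.
    void invalidate(String sessionId) { bySession.remove(sessionId); }

    public static void main(String[] args) {
        AtomicInteger searches = new AtomicInteger(); // counts simulated directory searches
        // Constructed backend: one call returns every permission of the session.
        Function<String, List<Perm>> fake = id -> {
            searches.incrementAndGet();
            return List.of(new Perm("invoice", "read"), new Perm("invoice", "approve"));
        };
        SessionPermissionCache cache = new SessionPermissionCache(fake, Duration.ofMinutes(5));
        for (int i = 0; i < 200; i++) cache.isPermitted("s1", "invoice", "read");
        System.out.println("delete allowed: " + cache.isPermitted("s1", "invoice", "delete"));
        System.out.println("searches after 201 checks: " + searches.get());
        cache.invalidate("s1"); // e.g. a role was revoked
        cache.isPermitted("s1", "invoice", "read");
        System.out.println("searches after invalidate: " + searches.get());
    }
}
```

The TTL bounds how long a revoked permission can still be honoured when no invalidation event arrives; checks answered from the local set also bypass the per-check compare that feeds the slapo access log, so audit coverage changes with this design.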
