Hello Shay,

> hmmm... I might be missing something again, but:
>
> the framework already defines an existing object model which includes
> principals, roles, groups, permissions, tokens, etc...

No. Sorry if I'm picky, but it defines interfaces and a reference implementation.

> the aspects for querying them are well defined, how does defining aspects
> for creating, updating and deleting them limit implementation?

IMHO -- and I am no JSecurity developer, just a user, so don't mistake this for an official statement -- it does not "limit" the implementation but rather it's an unnecessary burden. The way I see it, the framework secures access to stuff. To achieve this you actually only need to answer two questions: Is the subject the one it pretends to be? Is the subject allowed to perform a certain task? To give an answer to these questions, JSecurity only needs a possibility to read from some data storage.

> I am also going to make a very bold statement, and say that any application
> that requires row-level or method-level access control will have core
> requirements that include roles, groups, permissions, etc..., and CRUD
> operations for all of them.

This would be very convenient if you think in single-application terms, indeed. If you think in terms of corporate environments you might find it inconvenient if you suddenly needed to implement write access to the central LDAP servers that the IT guys will not let you write to.

> I am not sure that one size fits all is the best option.

That's right. Therefore JSecurity sticks to what it needs to do its job, I guess.

> Take my case for example: I'm writing a new app from scratch; no legacy, no
> limitations, I just don't want to write again the same code that I wrote
> numerous times before for other companies, which ends up looking identical.

Well, as stated in the previous mail, you can of course add that code to your implementations. But of course you'll have to write it yourself. After all, only you know how you'd want to store that stuff.

> please don't take my comments as any kind of criticisms with regards to
> JSecurity, it is a great library, and much better than anything out there,
> including Acegi; I'm just trying to encourage discussion and maybe affect
> the roadmap.

I don't think anybody took offense. By the way, IIRC there are reference implementations for quite common realms (DB, LDAP, plain text). Those should get you started.

Kind regards,
DJ
