Permissions exist to solve this problem. Think of roles as a named collection of permissions - you can create and delete roles at any time because your security policy is based around permission checks, not role checks.
Permissions exist to support fine-grained security models - roles are usually too coarse-grained to handle dynamic policies.

So, if you need a dynamic security model that can change at runtime, create your system around the premise of permission checks: each check is statically defined and reflects raw functionality that only changes when your code/logic changes.

You can assign permissions to roles or groups at runtime as you see fit.

The WildcardPermission JavaDoc does a good job of explaining how permissions can be used for ultra-fine-grained control.

Does this help/make sense?

Les

2010/3/4 Altuğ Bilgin Altıntaş <[email protected]>:
> Hi,
> Fernando is right.
> There is no concrete example or documentation about this concept (dynamic
> roles). Am I right?
> Thanks.
> 2010/3/4 Fernando Wermus <[email protected]>
>>
>> Hi all,
>> I am looking for using shiro with dynamic roles in site (wicket one).
>> I would like to know if there is some example about this.
>> Also, I will explain what I understand for "dynamic roles" to avoid any
>> misunderstanding. For instance, a user has a role ADMIN on object A, but a
>> role USER on object B. This can change passing the time.
>> thanks in advance.
>> --
>> Fernando Wermus.
>>
>> www.linkedin.com/in/fernandowermus
>
> --
> Altuğ.
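Added example, not part of the original thread or of Shiro's own code: a sketch of the approach described in the reply, where roles are runtime-editable collections of permission strings and the code only ever performs permission checks, using Shiro's `WildcardPermission` with instance-level strings for "ADMIN on object A, USER on object B". The class name, the in-memory maps and the `document:action:instance` naming are assumptions; in a Shiro application the lookup would live in a Realm and the check would be `subject.isPermitted(...)`.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

// Hypothetical sketch; requires shiro-core on the classpath.
public class DynamicRolesSketch {
    // Role name -> permission strings. Editable at runtime (a database table in practice).
    static final Map<String, Set<String>> rolePermissions = new HashMap<>();
    // User -> role names, also editable at runtime.
    static final Map<String, Set<String>> userRoles = new HashMap<>();

    // The only kind of check application code makes: is the required permission
    // implied by any permission granted through the user's current roles?
    static boolean isPermitted(String user, String required) {
        Permission needed = new WildcardPermission(required);
        for (String role : userRoles.getOrDefault(user, Set.of())) {
            for (String granted : rolePermissions.getOrDefault(role, Set.of())) {
                if (new WildcardPermission(granted).implies(needed)) {
                    return true;
                }
            }
        }
        return false; // default deny: unknown users and empty roles get nothing
    }

    public static void main(String[] args) {
        // Constructed sample policy: full control of document A, read-only on document B.
        rolePermissions.put("admin-of-A", new HashSet<>(Set.of("document:*:A")));
        rolePermissions.put("user-of-B", new HashSet<>(Set.of("document:read:B")));
        userRoles.put("fernando", new HashSet<>(Set.of("admin-of-A", "user-of-B")));

        System.out.println("delete A: " + isPermitted("fernando", "document:delete:A"));
        System.out.println("read B:   " + isPermitted("fernando", "document:read:B"));
        System.out.println("delete B: " + isPermitted("fernando", "document:delete:B"));

        // Policy change at runtime: the role is deleted, the check in code is untouched.
        rolePermissions.remove("admin-of-A");
        System.out.println("delete A after role removal: "
                + isPermitted("fernando", "document:delete:A"));
    }
}
```

Because the checks name raw functionality (`document:delete:A`) rather than a role, roles can be created, edited or deleted without touching any call site, and a user with no matching grant is denied by default.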
