Hi,
We are currently evaluating Apache Shiro for use in a Vaadin webapp.
We are looking for a solution to have permissions based on expressions
that would be evaluated in the context of the current resource.
Something like:
"entity:admin:$(entity.size < 50)"
The idea is to extend DomainPermissions and use these expressions as
targets so we can use Hibernate for CRUD.
Now, since we will be using Hibernate we were thinking of having these
expressions as query criteria (HQL).
This would allow us to create several wildcard permissions based on the
expressions using a simple query.
These permissions would then be cached for performance.
Another advantage is that we then could use these for filtering
collections. It would simply consist of going through the permission
expressions and joining them using an AND operator.
For instance:
"entity:admin:100"
"entity:admin:$(entity.size < 50)"
"entity:admin:$(entity.status = 'validated')"
would result in:
from Entity as entity where (entity.id= 100) AND (entity.size < 50) AND
(entity.status= 'validated')
Or we could support more complex expressions like
"entity:admin:$(entity.size < 50 OR entity.status='validated')"
We also thought about generating simple wildcard expressions using some
sort of DSL but this would require recalculating these every time the
domain object was changed and would not allow us to filter collection
(at least at the hql level - we could filter the resulting collection at
runtime like Spring does but it's not feasible for big collections).
I'd like to get some opinions regarding this approach and/or other
suggestions.
Thanks in advance.
Nelson Silva
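
As an added example (not part of the original message, and not Shiro or Hibernate API): one way to turn the permission targets above into the AND-joined HQL filter without concatenating stored expression text into the query. It assumes a hypothetical `PermissionFilter` class, a fixed allow-list of `Entity` properties, and single-comparison expressions only; values become named parameters to bind with `Query.setParameter`.

```java
import java.util.*;
import java.util.regex.*;

// Added example: hypothetical helper, not part of Apache Shiro or Hibernate.
public class PermissionFilter {
    // Assumption: only these Entity properties may appear in an expression.
    static final Set<String> FIELDS = Set.of("id", "size", "status");
    // One comparison only: entity.<field> <op> <number | 'string'>
    static final Pattern EXPR = Pattern.compile(
        "entity\\.(\\w+)\\s*(=|<=|>=|<|>)\\s*(?:(\\d+)|'([^']*)')");

    final List<String> clauses = new ArrayList<>();
    final Map<String, Object> params = new LinkedHashMap<>();

    // Accepts "entity:<action>:<target>"; target is an id or "$(expression)".
    void add(String permission) {
        String[] parts = permission.split(":", 3);
        if (parts.length != 3 || !parts[0].equals("entity"))
            throw new IllegalArgumentException("unsupported permission: " + permission);
        String target = parts[2];
        String name = "p" + params.size();
        if (target.matches("\\d+")) {                 // plain instance id
            clauses.add("(entity.id = :" + name + ")");
            params.put(name, Long.valueOf(target));
            return;
        }
        if (!target.startsWith("$(") || !target.endsWith(")"))
            throw new IllegalArgumentException("bad target: " + target);
        Matcher m = EXPR.matcher(target.substring(2, target.length() - 1).trim());
        if (!m.matches() || !FIELDS.contains(m.group(1)))
            throw new IllegalArgumentException("rejected expression: " + target);
        // Field and operator come from the allow-list; the value is bound, never inlined.
        clauses.add("(entity." + m.group(1) + " " + m.group(2) + " :" + name + ")");
        params.put(name, m.group(3) != null ? (Object) Long.valueOf(m.group(3)) : m.group(4));
    }

    String hql() {
        return "from Entity as entity where " + String.join(" AND ", clauses);
    }

    public static void main(String[] args) {
        PermissionFilter f = new PermissionFilter();
        // The three permissions from the message, plus one constructed malformed value.
        for (String p : List.of("entity:admin:100", "entity:admin:$(entity.size < 50)",
                "entity:admin:$(entity.status = 'validated')",
                "entity:admin:$(entity.size < 50) or (1=1)")) {
            try { f.add(p); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
        }
        System.out.println(f.hql());
        System.out.println(f.params);
    }
}
```

Compound targets such as the `OR` form in the message do not match this single-comparison pattern and are rejected; supporting them would need a real expression parser rather than a wider regex.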