I am sorry, but why do you have that service class, which is just re-implementing all the SecurityUtils and Subject methods?

Typically in your web tier you only need two or three lines: get the Subject from SecurityUtils, and call Subject.login() if subject.isAuthenticated() returns false. Now you are authenticated for that session, so there is no need to call those methods ever again for that user. Then you map methods or URLs to roles or permissions, either with annotations or other configuration. So to me that service class would be rarely, if ever, used.

Also (and I am basing this on Spring Security), why is a domain object annotated with those annotations? Typically those annotations would show up on URL mappings or in a use-case class. So the domain object you have annotated would never be looked at; it would be the service method that edits the domain object that would have the annotations. Since they don't have them in your code, anyone will be able to call the service edit method on any domain object.

Just my 2 cents. It is OK to tell me to shut up, I won't mind.

Thanks and good luck,
Mark

--
View this message in context: http://shiro-user.582556.n2.nabble.com/adding-roles-and-adding-permissions-tp7578488p7578502.html
Sent from the Shiro User mailing list archive at Nabble.com.
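As an added example (not code from the thread or from the Shiro project) of the layout Mark describes: a plain domain object with no security annotations, the authorization rule on the service method that edits it, and a web-tier style login that runs once per session. The names Account, AccountService, the "account:edit" permission, and the users alice and bob are assumptions; the in-memory users/roles realm is built from an INI configuration so the block runs stand-alone with only shiro-core on the classpath.

```java
// Added example illustrating the post above; not code from the original thread
// or from Apache Shiro itself. Account, AccountService, "account:edit", alice
// and bob are made-up names.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroServiceGuardExample {

    /** Plain domain object: no security annotations belong here. */
    static class Account {
        final String owner;
        String email;
        Account(String owner, String email) { this.owner = owner; this.email = email; }
    }

    /** The use-case/service class is where the authorization rule lives. */
    static class AccountService {
        // Declarative form: enforced only when Shiro's AOP advisor proxies this
        // bean (e.g. AuthorizationAttributeSourceAdvisor under Spring, or AspectJ).
        @RequiresPermissions("account:edit")
        public void editEmail(Account account, String newEmail) {
            // Programmatic form: needs no AOP, so it is what this stand-alone demo
            // actually relies on. Drop it once the annotation is enforced.
            SecurityUtils.getSubject().checkPermission("account:edit");
            account.email = newEmail;
        }
    }

    /** Web-tier login: the two or three lines the post describes. */
    static void loginIfNeeded(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            subject.login(new UsernamePasswordToken(user, password.toCharArray()));
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory realm, equivalent to a shiro.ini containing:
        //   [users]  alice = secret, editor    bob = secret, viewer
        //   [roles]  editor = account:edit     viewer = account:view
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("alice", "secret, editor");
        users.put("bob", "secret, viewer");
        Ini.Section roles = ini.addSection("roles");
        roles.put("editor", "account:edit");
        roles.put("viewer", "account:view");
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);

        AccountService service = new AccountService();
        Account acct = new Account("alice", "old@example.invalid");

        // alice holds account:edit via the editor role: the edit succeeds.
        loginIfNeeded("alice", "secret");
        service.editEmail(acct, "new@example.invalid");
        System.out.println("alice edited: " + acct.email);
        SecurityUtils.getSubject().logout();

        // bob is authenticated but lacks the permission: the service rejects him.
        loginIfNeeded("bob", "secret");
        try {
            service.editEmail(acct, "hijacked@example.invalid");
        } catch (AuthorizationException e) {
            System.out.println("bob denied: " + e.getClass().getSimpleName());
        }
        SecurityUtils.getSubject().logout();
    }
}
```

In a web application the same rule can instead be attached to the URL that reaches the service, for example a `[urls]` entry such as `/account/edit = authc, perms["account:edit"]` in shiro.ini; either way the check sits in front of the edit operation, not on the Account object, which is the point the post makes.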
