If you're producing some sort of paginated listing, getting a certain
number of objects at a time from the database, then it's best to
incorporate the
permissions checks at the database query, to avoid loading up
potentially lots of data, most of which is then discarded after doing
a permissions filter in the JSP tags.
We find the JSP tags useful when we're configuring the UI to display
HTML elements for operations a user is authorized for, given that they
at least have some sort of read permission on the object. For example,
we wrap an 'Edit' button with a JSP to test 'edit' permission.
If you have a list of instance-based permission like 'Document:edit:
12, Document:edit:13' , where the numbers are Ids, then you can parse
out the ids and add an 'in (12, 13)' clause to your database query.
WE also use property based permissions such as ''Document:edit:owner=$
{self} which cuts down on the number of specific permission strings we
need to keep, and prevents us having to update the permission strings
every time a new document is created/ removed. In the database, each
document has an 'owner' property and we use the convention that
permission property names must map to persistent object property names.
In the end, I think it's a trade off, where you need to think about
how often permissions are changing, how frequently objects are created/
altered/removed, and how many objects you need to authorise. For some
situations ACLs might be better, but not all the time.
For example, imagine you have 1000 000 objects represented in 1000 000
rows in a database table, using ACLs that specify which users can
view the record. If users come and go, and are frequently added/
removed from the system, then you need to update the ACLs every time.
If you don't use ACLs, you don't need to do this.
On the other hand, if, for a given user, you're trying to work out
which objects they are authorised to see, then adding a 'where' clause
to examine whether your ACL contains the user's id is very
straightforward.
As I said I certainly don't claim any special expertise in this, I was
in the same situation as you about a year ago.
Richard
On 2 Aug 2013, at 14:26, Stuart Broad wrote:
Hi Ahmed,
I am at the start of my journey using Shiro and do not yet have any
production code using it. I am planning on passing back the
permissions to the browser so that the browser can also check them
(This would probably be easier using the jsp tags but we are not).
Regards,
Stuart
On Fri, Aug 2, 2013 at 1:47 PM, akhan <[email protected]> wrote:
Hi Richard/Stuart,
Since I have been looking at something similar but with support for
groups
(in addition to users and roles) and came up with a database model
to store
all the authorization information Database Model Question
<http://stackoverflow.com/questions/17914671/database-model-for-authorization
>
. Now I am looking at developing a custom implementation of Shiro
PermissionResolver to fit with my model.
I however, haven't had much progress on how to go about it the best
approach
of introducing groups. Also a question for you both is do you also
use Shiro
for filtering/authorizing the data accessible to users for VIEWING
i.e. if
there is a HTML drop down listing all the items the current user has
access
to - do you use parameterized SQL query of your Shiro permissions to
filter
out the items that should be in the drop down list.
Cheers
Ahmed
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Best-Permission-Structure-e-g-User-departments-tp7578991p7578999.html
Sent from the Shiro User mailing list archive at Nabble.com.
Richard Adams
[email protected]
