Thanks for the responses! I'm going to implement the caching approach with stock WildcardPermissions, i.e. building the permissions on login. I'm going to store permission templates in the db and code a bit of logic to convert them to instance-specific permissions. This way I can rely on Shiro when doing the (more critical) actual permission matching.
I think the proper Google search terms would be something like "implementing row-level security in application layer with Shiro" :)
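
The approach described in the message above, sketched as an added example that is not part of the original post or of Shiro itself: templates are expanded into instance-specific `WildcardPermission`s once at login, and Shiro does the matching. The `{placeholder}` syntax, the class and method names, and the sample templates and attributes are assumptions constructed for illustration. A placeholder with no values drops the whole permission, because a shorter wildcard string such as `report:read` would imply every instance.

```java
import java.util.*;
import java.util.regex.*;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;

public class TemplatePermissions {
    // Hypothetical template syntax: "report:read:{department}"
    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(\\w+)\\}");
    // Only plain identifiers are substituted: '*', ':' or ',' in a value would widen the grant.
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9_-]+");

    /** Expands one template; returns null when a placeholder has no values (grant nothing). */
    static String expand(String template, Map<String, Set<String>> attrs) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            Set<String> values = attrs.getOrDefault(m.group(1), Set.of());
            if (values.isEmpty()) return null;   // fail closed, never shorten the permission
            for (String v : values)
                if (!SAFE_VALUE.matcher(v).matches())
                    throw new IllegalArgumentException("unsafe value for " + m.group(1));
            // Comma-separated subparts: "report:read:10,12" covers instances 10 and 12 only.
            m.appendReplacement(out, String.join(",", new TreeSet<>(values)));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Run once at login, e.g. from a realm's doGetAuthorizationInfo, so Shiro can cache it. */
    static SimpleAuthorizationInfo build(List<String> templates, Map<String, Set<String>> attrs) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String t : templates) {
            String p = expand(t, attrs);
            if (p != null) info.addObjectPermission(new WildcardPermission(p));
        }
        return info;
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for template rows and the user's attributes.
        List<String> templates = List.of("report:read:{department}", "report:edit:{ownDepartment}");
        Map<String, Set<String>> attrs = Map.of(
                "department", Set.of("10", "12"), "ownDepartment", Set.of("10"));
        SimpleAuthorizationInfo info = build(templates, attrs);
        for (String check : List.of("report:read:12", "report:edit:10", "report:edit:12")) {
            WildcardPermission wanted = new WildcardPermission(check);
            boolean ok = info.getObjectPermissions().stream().anyMatch(p -> p.implies(wanted));
            System.out.println(check + " -> " + ok);
        }
    }
}
```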
