Sounds like a great idea. And while I am pretty sure you are planning to implement this and only forgot to mention it, I think we would need '$role' in addition to '$user'.
Concerning 'and Integer getClearanceLevel()' I would suggest a slightly more versatile approach where getClearanceLevel() returns an Object instead of an Integer. Then, each developer team could implement a sort of 'validator interface' which takes care of validating the returned Object to the predicate specified by @RequiresAttributes. That way, your team could have your software check whether a user has a certain clearance level >= Integer, and my team could check whether a role may access a certain document in our MongoDB database == ObjectId (http://api.mongodb.com/java/current/org/bson/types/ObjectId.html). Shiro.ini might then read something like this:

    ...
    userValidator = your.package.name.YourClassName
    roleValidator = your.package.name.YourOtherClassName
    ...
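
Added example, not part of the original message and not Apache Shiro code: a Java sketch of the validator idea described above. The AttributeValidator interface, its two implementations and the check helper are hypothetical names, and a String stands in for ObjectId; it shows that once attributes are typed as Object, each validator has to deny on null or unexpected types.

```java
import java.util.Map;

// Hypothetical sketch of the proposed validator idea; none of these types exist in Apache Shiro.
public class AttributeValidatorDemo {

    /** Hypothetical: compares a subject's attribute with the value an annotation requires. */
    interface AttributeValidator {
        boolean isSatisfied(Object actual, Object required);
    }

    /** Clearance check: the user's level must be >= the required level. */
    static final class ClearanceValidator implements AttributeValidator {
        @Override
        public boolean isSatisfied(Object actual, Object required) {
            // Fail closed: null or a non-Integer value is a denial, not an exception.
            if (!(actual instanceof Integer) || !(required instanceof Integer)) {
                return false;
            }
            return (Integer) actual >= (Integer) required;
        }
    }

    /** Document check: the role's document id must equal the requested id. */
    static final class DocumentIdValidator implements AttributeValidator {
        @Override
        public boolean isSatisfied(Object actual, Object required) {
            // Assumption: a String stands in for org.bson.types.ObjectId to stay self-contained.
            if (!(actual instanceof String) || !(required instanceof String)) {
                return false;
            }
            return actual.equals(required);
        }
    }

    /** Deny by default when no validator is registered for the target ("user" or "role"). */
    static boolean check(Map<String, AttributeValidator> validators, String target,
                         Object actual, Object required) {
        AttributeValidator validator = validators.get(target);
        return validator != null && validator.isSatisfied(actual, required);
    }

    public static void main(String[] args) {
        Map<String, AttributeValidator> validators = Map.of(
                "user", new ClearanceValidator(),
                "role", new DocumentIdValidator());
        // Constructed sample values: a valid level, a String where an Integer
        // is expected, a matching id, and a target with no validator.
        System.out.println(check(validators, "user", 3, 2));
        System.out.println(check(validators, "user", "3", 2));
        System.out.println(check(validators, "role", "doc-1", "doc-1"));
        System.out.println(check(validators, "group", 3, 2));
    }
}
```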
