On Mon, Oct 27, 2008 at 9:08 PM, iapilgrim <[EMAIL PROTECTED]> wrote:
> > Hi Doug, > I am about to add PERMISSIONs/RIGHTs to my app. I intent to use Spring > Security. I don't know how to use it right now. I have some questions > + What are the reasons that make you not use Spring Security but implement > one for your own? > + I don't understand your solution but it seems to be restricted by the > limit set of actual ACLs. My app is very big, so which strategy to > implement > an PERMISSIONs/RIGHTs > My security module is complex. It is used for CMS application. > Regards, > Van > > Van, ??? we _did_ use Spring Security, though it was called ACEGI at the time. We chose not use the JCR AccessManager for the very reason vlad questioned -- we needed to derive the ACL for a repository object from the properties of the object and AccessManager, in and of itself, did not provide a means (i.e., session) to retrieve the repository object. Though we could have injected a session into the AccessManager for this, querying twice the for same object "smells" a bit, even if Jackrabbit's caching mitigates most performance issues. Yes, the app I'm speaking of had a small set of ACLs (tens), and a relatively small set objects (tens of thousands), and using AOP for object authorization had other advantages for the project, so I'm not suggesting it is THE answer, only an alternative. Regard, Doug
