You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@shiro.apache.org by Pillar <so...@hotmail.com> on 2013/08/02 20:52:52 UTC

Dynamic security model permission check implementation

I have a security model that depends on Permissions coming from many dynamic
elements: created/deleted objects, statutes, time of day, other users'
activity, etc. In other words, I can't cache an AuthorizationInfo object and
the AuthorizationInfo object takes data from many places (ie. many DB
calls). On top of that, my uses cases usually only require a check for a
single permission (ex: only the time of day, not all the rest), so it makes
sense to only check that instead of comparing to all the permissions
available. 

Would it be a bad idea to implement a (or many) subclass of Permission that
does its own check in the DB?

public class StatusPermission implements Permission {
    private Status status; // + setter and getter
    public boolean check(PrincipalCollection collection, Connection
connection /* DB */) {
        /*
         * some PreparedStatement that checks the principal's (my user)
status and compares it to the instance field 
         */
    }

    public boolean implies (Permission perm) {
        /* doesn't matter */
    }
}

Is this acceptable or will it fail in some Shiro execution path? Are there
better patterns for what I want to do?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Dynamic-security-model-permission-check-implementation-tp7579004.html
Sent from the Shiro User mailing list archive at Nabble.com.