ModularRealmAuthorizer isPermitted implementation with multiple permissions to check


Modanese, Riccardo
Hi all,

    I have a question about the ModularRealmAuthorizer implementation (Shiro version 1.3.2).
There are 2 methods to check multiple permissions:
   public boolean[] isPermitted(PrincipalCollection principals, String... permissions)
   public boolean[] isPermitted(PrincipalCollection principals, List<Permission> permissions)

Both of these implementations do a loop to call the isPermitted method with a single permission.
So the AuthorizingRealm method doGetAuthorizationInfo is called at each iteration. (we aren’t using cache)

Since the AuthorizingRealm has a specific implementation for the isPermitted method with multiple permissions, we tried to use it by customizing the ModularRealmAuthorizer.
In the Kapua project we wrote a custom ModularRealmAuthorizer implementation (see [1]) to reduce the doGetAuthorizationInfo calls count (with the "at least one realm" as result aggregation strategy).

In the ModularRealmAuthorizer did you implement the isPermitted method with the for loop to use the realm aggregation strategy configuration for the realms results?
If not, is it possible to change the implementation to make it more performant (avoiding multiple doGetAuthorizationInfo)?

Thank you

Riccardo

[1] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/security/EnhModularRealmAuthorizer.java#L47
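
The batching idea described in the post above, as an added example that is not part of the original message and is neither Shiro's nor Kapua's own code: a ModularRealmAuthorizer subclass (the class name BatchModularRealmAuthorizer and the merge helper are hypothetical) that passes each realm the whole permission list once and ORs the per-realm results, keeping the "at least one realm" semantics. It assumes Shiro 1.x on the classpath; a realm that returns a result array of the wrong length is treated as granting nothing.

```java
import java.util.List;

import org.apache.shiro.authz.Authorizer;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical class name; illustration only.
public class BatchModularRealmAuthorizer extends ModularRealmAuthorizer {

    @Override
    public boolean[] isPermitted(PrincipalCollection principals, List<Permission> permissions) {
        assertRealmsConfigured();
        if (permissions == null || permissions.isEmpty()) {
            return new boolean[0];
        }
        boolean[] granted = new boolean[permissions.size()]; // default deny
        for (Realm realm : getRealms()) {
            if (realm instanceof Authorizer) {
                // One call per realm: an AuthorizingRealm loads its
                // AuthorizationInfo once for the whole list.
                merge(granted, ((Authorizer) realm).isPermitted(principals, permissions));
            }
        }
        return granted;
    }

    @Override
    public boolean[] isPermitted(PrincipalCollection principals, String... permissions) {
        assertRealmsConfigured();
        if (permissions == null || permissions.length == 0) {
            return new boolean[0];
        }
        boolean[] granted = new boolean[permissions.length]; // default deny
        for (Realm realm : getRealms()) {
            if (realm instanceof Authorizer) {
                merge(granted, ((Authorizer) realm).isPermitted(principals, permissions));
            }
        }
        return granted;
    }

    // OR a realm's answers into the aggregate; a malformed answer grants nothing.
    private static void merge(boolean[] granted, boolean[] fromRealm) {
        if (fromRealm == null || fromRealm.length != granted.length) {
            return; // fail closed
        }
        for (int i = 0; i < granted.length; i++) {
            granted[i] |= fromRealm[i];
        }
    }
}
```

Unlike the stock single-permission path, this queries every realm even after one has granted a permission, so the saving comes from one authorization lookup per realm instead of one per permission.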
Re: ModularRealmAuthorizer isPermitted implementation with multiple permissions to check

Claus Ibsen-2
Hi

I think you are posting in the wrong user mailing list. This is for
Apache Camel (an integration library).

On Fri, Mar 27, 2020 at 5:15 PM Modanese, Riccardo
<[hidden email]> wrote:

>
> Hi all,
>
>     I have a question about the ModularRealmAuthorizer implementation (Shiro version 1.3.2).
> There are 2 methods to check multiple permissions:
>    public boolean[] isPermitted(PrincipalCollection principals, String... permissions)
>    public boolean[] isPermitted(PrincipalCollection principals, List<Permission> permissions)
>
> Both of these implementations do a loop to call the isPermitted method with a single permission.
> So the AuthorizingRealm method doGetAuthorizationInfo is called at each iteration. (we aren’t using cache)
>
> Since the AuthorizingRealm has a specific implementation for the isPermitted method with multiple permissions, we tried to use it by customizing the ModularRealmAuthorizer.
> In the Kapua project we wrote a custom ModularRealmAuthorizer implementation (see [1]) to reduce the doGetAuthorizationInfo calls count (with the "at least one realm" as result aggregation strategy).
>
> In the ModularRealmAuthorizer did you implement the isPermitted method with the for loop to use the realm aggregation strategy configuration for the realms results?
> If not, is it possible to change the implementation to make it more performant (avoiding multiple doGetAuthorizationInfo)?
>
> Thank you
>
> Riccardo
>
> [1] https://github.com/eclipse/kapua/blob/develop/broker-core/src/main/java/org/eclipse/kapua/broker/core/security/EnhModularRealmAuthorizer.java#L47



--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2