Good ACL implementation in Java
I am implementing a web-based document management system and I would like to implement an ACL on my system. My formal requirements are hierarchical permissions (documents inherit permissions from their folders) of user groups (users can dynamically create groups and associate users with groups). Such groups may have permissions to objects on the system.
My code will request permissions on objects in two cases: 1. Manipulation of one document 2. Listing of all documents in which manipulation is possible.
The latter requirement seems to be an Achilles' heel for Spring Security ACLs (their method will probably take multiple DB hits for every document I manage)
Does anyone know of a different ACL implementation?
Thanks!
a source to share
I'm not familiar with Spring ACLs, but I believe that a typical ACL requires you to hit each node to see if a given director has rights to that node. I don't know if you are going to find a way around this problem without making a call to canRead () or canAccess () (or something similar) every time on every node you present.
As an aside: Have you appreciated using something that is JSR-170 compliant (Java Content Repository or "JCR") instead of implementing your full document management system implementation? Potentially, you can use things in JCR for the backend and just write a web interface on top of it. Jackrabbit has a default ACL implementation which should suffice.
a source to share