Hi All.

I'm implementing a web-based document management system and I'd like to implement ACLs in my system. My formal requirements are hierarchical permissions (documents inherit permissions from their folders) and user groups (users can dynamically create groups and associate users with groups). Such groups can have permissions on objects in the system.

My code will query permission on objects in two cases:

1. Manipulating a single document
2. Listing all documents where a manipulation is possible

The latter requirement seems to be the Achilles' heel for Spring Security ACLs (their method seems likely to incur multiple DB hits for each document I manage).

Anyone know of another ACL implementation?

Thanks!

+1  A: 

I'm not familiar with Spring Security's ACLs, but I believe that typical ACLs do require you to hit each node to discover whether a given principal has permissions on that node. I don't know if you are going to find a way around that problem without making a canRead() or canAccess() call (or something similar) each time on each of the nodes you are presenting.

As an aside: Have you evaluated using something that's JSR-170 compliant (Java Content Repository or 'JCR') instead of rolling your own full document management system implementation? Potentially, you could use the things in JCR for the backend and simply write a web interface on top of it. Jackrabbit has a default ACL implementation that should suffice.

whaley
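The two lookups from the question (single-document check and "list every document where a manipulation is possible"), sketched as one recursive SQL query per call; this is an added example, not code from the thread, Spring Security or Jackrabbit. The schema, the `u:`/`g:` principal prefixes, the sample rows and the grant-only inheritance model (no deny entries, a folder grant covers all descendants) are assumptions.

```python
import sqlite3

# Constructed sample data. Assumed model: grant-only ACL entries on folders,
# inherited by every descendant folder and by the documents inside them.
SCHEMA = """
CREATE TABLE folders(id INTEGER PRIMARY KEY, parent_id INTEGER);
CREATE TABLE documents(id INTEGER PRIMARY KEY, folder_id INTEGER);
CREATE TABLE memberships(usr TEXT, grp TEXT);
CREATE TABLE acl(folder_id INTEGER, principal TEXT, perm TEXT);
INSERT INTO folders VALUES (1,NULL),(2,1),(3,2),(4,1);
INSERT INTO documents VALUES (10,1),(20,2),(30,3),(40,4);
INSERT INTO memberships VALUES ('alice','legal'),('bob','sales');
INSERT INTO acl VALUES
  (2,'g:legal','write'),(4,'u:bob','write'),(1,'g:sales','read');
"""

# One statement: expand the user's principals (self plus groups), then walk
# down the folder tree from every folder where a principal holds the permission.
LIST_SQL = """
WITH RECURSIVE
  principals(p) AS (
    SELECT 'u:' || :user
    UNION SELECT 'g:' || grp FROM memberships WHERE usr = :user),
  granted(folder_id) AS (
    SELECT folder_id FROM acl
     WHERE perm = :perm AND principal IN (SELECT p FROM principals)
    UNION
    SELECT f.id FROM folders f JOIN granted g ON f.parent_id = g.folder_id)
SELECT d.id FROM documents d
 WHERE d.folder_id IN (SELECT folder_id FROM granted)
   AND (:doc IS NULL OR d.id = :doc)
 ORDER BY d.id
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def documents_with(conn, user, perm, doc=None):
    """Ids of documents on which `user` holds `perm`, in a single DB query."""
    args = {"user": user, "perm": perm, "doc": doc}
    return [row[0] for row in conn.execute(LIST_SQL, args)]

def can(conn, user, perm, doc):
    """Single-document check: same query restricted to one id (default deny)."""
    return documents_with(conn, user, perm, doc) == [doc]

if __name__ == "__main__":
    db = open_db()
    print(documents_with(db, "alice", "write"), can(db, "alice", "write", 40))
```

A principal with no matching ACL row gets an empty result, so the default is deny; adding deny entries or per-document overrides would require a different query.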