Reputation: 684
Performance of Spring Security's ACL
I am currently in the process of testing out Spring Security's Access Control List and after reading the key concepts, something caught my attention: there is a table (ACL_ENTRY) that stores the individual permission for every single instance of domain object for every principal (assuming that principal has access to that instance). On a large system with lots of users and lots of domain objects, we can easily imagine that there will be lots of records in that table, which will likely be queried very often (when an instance of a domain object is loaded, created, updated, etc.).
Now with this in mind, I wonder how the performances could be affected. Does anybody have experience on this? Any feedback?
Upvotes: 6
Views: 2567
Answers (2)
Reputation: 117
You might want to check out how Apache Shiro handles permissions - Shiro has a lot of scaled implementations
Upvotes: 1
Reputation: 11184
I actually just finished implementing a similar feature on a near real time application. If you cache your ACL entries and the results of the query that retrieves them (say only query them once an hour) It will improve dramatically. The bottle neck here would be how you retrieve the permissions not the actual authorization logic. Though the authorization logic will have an impact ofcourse but if you deal with in memory objects it should be acceptable even for real time applications.
Upvotes: 2
Related Questions
- Java Spring Security @PostFilter performance
- Spring security Access Control List Billions of rows
- Spring Security Acl object
- Any performance differences in Spring Security ignoring() versus permitAll()?
- Spring Security ACLs on List
- spring security acl administration permission
- Using Spring Security ACL
- Spring ACL questions
- spring-security: how much customization is wise?
- Spring role-based authorization VS ACL?