Our application has the next architecture: We have a big amount of users and services. Each user may has the next authorities for each service: view, edit, delete ... (custom).
The task is to do it with Acegi (Spring Security) and with a big amount of users not to have application failure - because if for each logged in user application will store all authorities for all services and will store it in memory - it is not good idea.
I have read the Acegi Reference to understand how to implement when the concrete user accesses the concrete service to check in database granted authorities (view, edit, delete ....).
After investigation Chapter 21. Secure Object Implementations approach I understood that this approach is role-based, but in my cases it is not possible to have roles.
Also I have looked at Chapter 22. Domain Object Security (ACL) but there we may find the next:
Instead, security decisions need to comprise both who (Authentication), where (MethodInvocation) and what (SomeDomainObject). In other words, authorization decisions also need to consider the actual domain object instance subject of a method invocation.
So as I understand we have ACL approach in order to distinguish objects access of the same class for different users - but I have different objects of different classes - i.e. services, so, as I understand, I cannot use this approach.
They write that I may hook interceptor to my object. As I understand I may hook interceptor for each my service and check permissions (view, edit, delete ...) in database each time during invocations - will it be right or what approach should I use?
Or may be I should consider to use other framework?