为匿名用户动态添加委托人/权限
我正在使用 spring security 2.x (+spring + struts2),并且希望在用户提交表单后动态向用户添加权限。
我有一个受保护的目录(/protected/dir/),该目录受 ROLE_USER 保护,
<sec:intercept-url pattern="/protected/dir/**" access="ROLE_USER, ROLE_ADMIN" />
用户登录后可以访问该目录。
我想通过向主体添加临时 ROLE_TEMP 来使提交表单(无需登录)的用户可以访问此内容(该主体可能甚至不存在,因为用户尚未登录,所以我可能也必须将其添加到securityContext)
我尝试访问 SecurityContext 并在我的控制器/操作类中添加新的主体。但我无法获取 SecurityContext。 (我认为 SecurityContext 只在它自己的线程上运行,你不能传递它,这就是我得到 NPE 的原因)
那么最好的方法是什么?
请指教 谢谢
I am using spring security 2.x (+spring + struts2) and would like to enable add authority to user dynamically after user submits a form.
I have a protected directory (/protected/dir/) which is protected by ROLE_USER
<sec:intercept-url pattern="/protected/dir/**" access="ROLE_USER, ROLE_ADMIN" />
Which user can access after they login.
I want to make this accessible to the user who submitted the form (without logging in) by adding a temporary ROLE_TEMP to the principal (which may not even exist, since user hasn't been login, so I may have to add that too to the securityContext)
I have tried to access SecurityContext and add new Principal in my controller/action class. but I am unable to get SecurityContext. (I think SecurityContext only run on its own thread and you cannot pass it around, that's why I got NPE)
So what is the best way of doing this?
Please advise
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
支持匿名用户的一种方法是添加此过滤器:
过滤器具有此属性,将强制过滤器在请求完成后删除匿名会话:
One way to support anonymous users is to add this filter:
The filter has this attribute that will force the filter to remove the anonymous session after the request is complete: