Spring-security 拆分身份验证和授权
我正在尝试使用 spring-security 为我的 Flex Web 应用程序创建自定义登录。 我有一个工作版本,我们使用带有 blazeds 的channelset.login。
我遇到的问题是我想分开身份验证和授权。
我想请用户在身份验证后做出一些选择来确定其角色。
由于用户被授权的角色是由该选择决定的。
这意味着必须对用户进行身份验证,然后客户端需要对服务进行服务调用,然后需要进行授权过程。
有谁知道这是否可行,并有一些如何做到这一点的提示?
预先感谢,
阿尔杰
I'm trying to create a custom login for my flex web app with spring-security.
I have an working version where we use the channelset.login with blazeds.
The problem i have is that i would like to split the authentication and the authorization.
I would like to ask the user to make some choices after the authentication to determine its roles.
Since the roles the user is authorized to are determined by this choices.
This means the user has to be authenticated and then the client needs to do a service call to the service and then the authorization process needs to take place.
Does anyone know if this is possible and have some tips of how this can be done?
Thanks in advance,
Arjen
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
是的,这听起来并不太牵强。
您可以将用户角色存储在数据库中,使新用户的每个角色类似于“SIGNUP”,它只允许用户注册,一旦确定了他的新角色,只需更新该角色并限制新角色能够更新再次角色,除非您是管理员。
您还可以覆盖身份验证过程来执行您想做的任何操作: http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting- your-own-custom-j-spring-security-check-filter-processes-url.html
如果您使用某种形式的 ORM,则可能需要刷新会话对象。
Yes, that doesn't sound too far-fetched.
You can store the user roles in the database, make each role for new users something like SIGNUP which will only allow the user to signup, once his new role is determined, simply update that role and restrict the new role from being able to update the role again, unless you're admin.
You can also override the authentication process to do whatever you want to do: http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html
The session object might need to be refreshed if you're using some form of ORM.