Granting permissions in Spring Security ACL
I am using the Spring Security ACL plugin in Grails 1.3.7, but my question is probably more generic than that: I would like to allow users who have BasePermission.READ access to an object to be able to grant that same permission to other users. If user1 has read access to a document, he should be able to share that with user2, and thereby give him read access to the same document.
When the document is first created, user1 is granted read access, so I see this in the log:
DEBUG grails.app.service.org.grails.plugins.springsecurity.service.acl.AclUtilService Added permission BasePermission[...............................R=1] for Sid PrincipalSid[User user1] for com.fxpal.ara.Document with id 1
Then, when I try to grant the READ permission to user2 while authenticated as user1, I get this exception:
org.springframework.security.acls.model.NotFoundException: Unable to locate a matching ACE for passed permissions and SIDs
So my questions are:
1. Is having BasePermission.ADMINISTRATION required to allow users to grant permissions to other users?
2. Is there some other way to grant permissions while having only partial permissions? Where is this policy implemented, and can it be replaced?
Update:
Well, I thought I could add a new implementation of AclAuthorizationStrategy which defines the method public void securityCheck(Acl acl, int changeType), but this method doesn't take the requested permission as a parameter, foiling my strategy of checking for compatible permissions. The next thing to do would be to re-implement AclImpl to use different logic. Seems like a shame to repeat most of the same code...
Comments (1)
You can fix this issue by either creating the
Here the ROLE_ADMINISTRATOR should be the Role which the logged in User object has as part of authorities. Basically anyone with this Role can manage Permissions.
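One way to enforce "a user may only pass on a permission he already holds" without re-implementing AclImpl, as an added example that is not code from the question, the answer or the plugin: the per-permission check that securityCheck(Acl, int) cannot express is done in a service method, and the ACE is then inserted under a short-lived internal identity. Assumptions: the class name ShareService and the "share-service" principal are hypothetical, AclAuthorizationStrategyImpl is configured with ROLE_ADMINISTRATOR as its required authority, and Spring Security 3.1 or later is used (for SecurityContextHolder.createEmptyContext()).

```java
import java.util.Collections;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
import org.springframework.security.acls.model.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical service: a caller may hand on only a permission it already holds. */
public class ShareService {
    private final MutableAclService aclService;
    private final SidRetrievalStrategy sids = new SidRetrievalStrategyImpl();

    public ShareService(MutableAclService aclService) { this.aclService = aclService; }

    public void share(ObjectIdentity oid, Permission permission, Sid recipient) {
        SecurityContext callerCtx = SecurityContextHolder.getContext();
        Authentication caller = callerCtx.getAuthentication();
        if (caller == null) throw new AccessDeniedException("Not authenticated");
        MutableAcl acl = (MutableAcl) aclService.readAclById(oid);

        // Policy check on the *requested* permission, done while still the caller.
        boolean holds;
        try {
            holds = acl.isGranted(Collections.singletonList(permission),
                                  sids.getSids(caller), false);
        } catch (NotFoundException noMatchingAce) {
            holds = false; // no ACE for this permission and these SIDs: deny
        }
        if (!holds) throw new AccessDeniedException("Caller does not hold " + permission);

        // Assumption: ROLE_ADMINISTRATOR is the authority the ACL strategy requires.
        Authentication internal = new UsernamePasswordAuthenticationToken(
                "share-service", "N/A",
                AuthorityUtils.createAuthorityList("ROLE_ADMINISTRATOR"));
        SecurityContext elevated = SecurityContextHolder.createEmptyContext();
        elevated.setAuthentication(internal);
        SecurityContextHolder.setContext(elevated);
        try {
            // insertAce triggers securityCheck(acl, CHANGE_GENERAL) as "internal".
            acl.insertAce(acl.getEntries().size(), permission, recipient, true);
            aclService.updateAcl(acl);
        } finally {
            SecurityContextHolder.setContext(callerCtx); // always drop the elevated identity
        }
    }
}
```

The elevated identity exists only around the two ACL calls, so user1 never gains the ability to grant anything other than the exact permission that was checked.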