定义具有继承权限的用户角色
我目前正在研究 spring-security 框架 - 到目前为止很棒的东西,印象深刻。 但是,我还没有找到在哪里或如何定义权限的继承。
例如,我希望 ROLE_ADMIN 至少具有与 ROLE_USER 相同的权限。我为 spring 定义了三个 intercep-url:
<intercept-url pattern="/auth/login.do" access="permitAll"/>
<intercept-url pattern="/voting/*" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
当尝试访问从 /voting/ 嵌套的任何站点时,同时以 ROLE_ADMIN 用户身份登录,我被拒绝。我在这里错过了什么吗?我知道,我可以为 /voting/* 分支定义多个角色,但如果我想象在我的一个现实用例中可能有 10 个不同的用户角色,我可以想象 .xml 文件会变得非常混乱,真的快速地。
我可以在某处配置角色的继承吗?
干杯
编辑:
感谢伟大的社区和他们的意见,我想出了一个可行的解决方案 - 它可能是好的风格,也可能不是 - 它有效:D
我定义了一个枚举这反映了继承的 spring-sec 角色:
public enum UserRoles {
ROLE_USER(new String[]{"ROLE_USER"}),
ROLE_ADMIN(new String[]{"ROLE_USER", "ROLE_ADMIN"});
private final String[] roles;
private UserRoles(String[] roles) {
this.roles = roles;
}
public String[] getRoles() {
return roles;
}
}
然后我实现了自己的 UserDetailsService:
方法中
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { ... }
在向 UserDetail 添加授权权限的
List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
for (String role : UserRoles.ROLE_ADMIN.getRoles()) {
authList.add(new GrantedAuthorityImpl(role));
}
UserDetails user = null;
try {
//user = new User(username, md5.hashPassword(username), true, true, true, true, authList);
} catch (NoSuchAlgorithmException ex) {
logger.error(ex.getMessage(), ex);
}
,我获取相应的枚举值并附加此枚举值定义的所有角色:我的域对象它是持久的,包含一个带有 UserRole 的 @Enumerated 字段 - 在真实环境中,该字段是从数据库加载的,并且从该枚举中选取相应的角色。
再次感谢您的投入 - 喜欢这个社区 ^^
I'm currently looking into the spring-security framework - great stuff so far, pretty impressed.
However, I haven't found out where or how to define a inheritance of permissions.
e.g. I want the ROLE_ADMIN to have at least the same rights as the ROLE_USER. I defined three intercep-urls for spring:
<intercept-url pattern="/auth/login.do" access="permitAll"/>
<intercept-url pattern="/voting/*" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
When trying to access any site nesting from /voting/, while being logged in as a ROLE_ADMIN user, I am being denied. Am I missing something here? I know, I could define several roles for the /voting/* branch, but if I imagine that I might have 10 different user roles in one of my real-life usecases, I can imagine the .xml file to get really messy, really fast.
Can I configure the inheritance of roles somewhere?
cheers
EDIT:
Thanks to the great community and their input, I came up with a working solution - it may be good style or not - it works :D
I defined an enum which reflects the inheriting spring-sec roles:
public enum UserRoles {
ROLE_USER(new String[]{"ROLE_USER"}),
ROLE_ADMIN(new String[]{"ROLE_USER", "ROLE_ADMIN"});
private final String[] roles;
private UserRoles(String[] roles) {
this.roles = roles;
}
public String[] getRoles() {
return roles;
}
}
I then implemented my own UserDetailsService:
Within the methode
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { ... }
where it comes to adding granted authorities to a UserDetail, I get the corresponding enum value and append all the roles defined by this enum value:
List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
for (String role : UserRoles.ROLE_ADMIN.getRoles()) {
authList.add(new GrantedAuthorityImpl(role));
}
UserDetails user = null;
try {
//user = new User(username, md5.hashPassword(username), true, true, true, true, authList);
} catch (NoSuchAlgorithmException ex) {
logger.error(ex.getMessage(), ex);
}
My domain object which is persisted, contains a @Enumerated field with a UserRole - in a real environment, this field is loaded from the DB and the corresponding Roles are picked from that enum.
thanks again for the input - love this community ^^
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
查看 角色层次结构 和 RoleHierarchyImpl< /a> 和这个 问题。
Check out RoleHierarchy and RoleHierarchyImpl and this question.
据我所知,Spring Security不支持角色和权限的概念。在Spring安全中只有角色有时被称为权限——而且:在Spring安全中角色/权限在角色和权限系统中被称为权限。
因此,如果您想构建一个角色和权限系统,那么您需要通过构建自己的 Spring Security AuthenticationManager 来完成此任务,并执行 Spring Security 角色/权限(如权限)。
@查看此博客: Spring Security 定制(第 1 部分 – 定制 UserDetails 或扩展 GrantedAuthority)——它是为 Spring Security 2.0 编写的,展示了如何实现我正在讨论的内容。还有一点就是RoleHierarchy有一些缺点,但是这篇文章是关于2.0的,可能缺点在3.0中就消失了
As far as I know, Spring Security does not support the concept of Roles and Privileges. In Spring security are only Roles sometimes called Authority -- Moreover: In Spring Security are Roles/Authorities that what in a Roles and Privileges System is called Privileges.
So if you want to build a System of Roles and Privileges, then you need to do it by your one by building your own Spring Security AuthenticationManager, and tread the Spring Security Roles/Authorities like Privileges.
@See This Blog: Spring Security customization (Part 1 – Customizing UserDetails or extending GrantedAuthority) -- It is written for Spring Security 2.0 and shows how to implement what I am talking about. It also stayes that RoleHierarchy has some drawbacks, but this article is about 2.0, may the drawbacks are gone in 3.0