Spring Security: authorizing access to roles using a wildcard

Posted on 2024-12-03 19:25:42

Is it possible at all for me to use a wildcard in the access property of the <sec:authorize /> tag?

Currently I have
<sec:authorize access="hasRole('TICKET_VIEW') or hasRole('TICKET_EDIT')">

but I would like to be able to use
<sec:authorize access="hasRole('TICKET_*')">

Is this possible or does anyone know a work-around that would accomplish the same thing?

Thanks

Comments (2)

倦话 2024-12-10 19:25:42

It's possible in Spring EL starting from Spring 3.x. The expression you're looking for is hasAnyRole(..).

So it should look like this:

<sec:authorize access="hasAnyRole('TICKET_VIEW', 'TICKET_EDIT')">
    ...
</sec:authorize>

Here's a link for some more Spring EL expressions:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html

淡淡绿茶香 2024-12-10 19:25:42

I realize that this is an old question, but this answer might help future searchers.

1) Allow Single Role from a Fixed Set: This is the simple base case.

<security:authorize access="hasRole('ROLE_ADMIN_ABC')">
    You are allowed to see these admin links.
</security:authorize>

2) Allow Any Role from a Fixed Set: For cases where you want to allow "any role that starts with ADMIN", you know all of the role names in advance, and you just have a few roles, jzelenkov's answer is perfectly correct. However, if you have too many roles to deal with, you will probably want to create a custom method call that can make the access decision, and insert it into the access attribute with SpEL. This solution is closer to the wildcard question that was originally asked.

<bean id="mySecurityBean" class="com.sample.MySecurityBean" />

<security:authorize access="@mySecurityBean.roleStartsWith(principal, 'ROLE_ADMIN_')">
    You are allowed to see these admin links.
</security:authorize>

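package com.sample;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class MySecurityBean {
    /**
     * Returns true if any role starts with some prefix.
     */
    public boolean roleStartsWith(UserDetails user, String rolePrefix) {
        // Scan every authority granted to the user for the given prefix.
        for (GrantedAuthority auth : user.getAuthorities()) {
            if (auth.getAuthority().startsWith(rolePrefix))
                return (true);
        }
        return (false);
    }
}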

3) Allow Single Role from a Dynamic Set: For cases where you want to allow "a specific role that starts with ADMIN", but you don't necessarily know all of the allowed role suffixes, you can insert the role name at render time with JSTL. As an example, consider an app with many workspaces, each with a unique code. You want to create a ROLE_ADMIN_workspaceName role for each workspace. When someone is visiting the ABC workspace page, you only want the admin links to appear if the user has the ROLE_ADMIN_ABC role. Let us assume that every workspace uses the same JSP view, and the name is passed into the model as ${workspaceName}.

<sec:authorize access="hasRole('ROLE_ADMIN_${workspaceName}')">
    You are allowed to see these admin links.
</sec:authorize>

4) Allow Any Role from a Dynamic Set: This is identical to the solution for #2.
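
An added example, not part of either answer: a hypothetical `WorkspaceRoleChecker` bean covering cases 2 to 4 above. Because `${workspaceName}` in case 3 is substituted into the `access` string before SpEL parses it, this version takes the workspace code as a validated method argument, so the check can run in a controller and the view receives only a boolean. The class name, the workspace-code pattern and the sample user are assumptions; it needs spring-security-core on the classpath.

```java
import java.util.regex.Pattern;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Added example, not from the answers: hypothetical bean for cases 2-4.
public class WorkspaceRoleChecker {
    private static final String ADMIN_PREFIX = "ROLE_ADMIN_";
    // Assumption: workspace codes are 1-32 upper-case letters or digits.
    private static final Pattern WORKSPACE_CODE = Pattern.compile("[A-Z0-9]{1,32}");

    /** Cases 2 and 4: true if any granted authority starts with the prefix. */
    public boolean hasRoleWithPrefix(Authentication auth, String prefix) {
        // Insist on a trailing '_' so a prefix like "ROLE_ADMIN" cannot match
        // "ROLE_ADMINISTRATOR_READONLY"; reject "ROLE_", which matches every role.
        if (auth == null || !auth.isAuthenticated() || prefix == null
                || !prefix.endsWith("_") || prefix.equals("ROLE_")) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            String name = granted.getAuthority();
            if (name != null && name.startsWith(prefix)) return true;
        }
        return false;
    }

    /** Case 3: exact match on ROLE_ADMIN_<code> after validating the code. */
    public boolean isWorkspaceAdmin(Authentication auth, String workspace) {
        if (auth == null || !auth.isAuthenticated() || workspace == null
                || !WORKSPACE_CODE.matcher(workspace).matches()) {
            return false; // fail closed on anything that is not a plain code
        }
        String required = ADMIN_PREFIX + workspace;
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (required.equals(granted.getAuthority())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample user; this constructor marks the token authenticated.
        Authentication user = new TestingAuthenticationToken("alice", "n/a",
                "ROLE_ADMIN_ABC", "ROLE_ADMINISTRATOR_READONLY");
        WorkspaceRoleChecker checker = new WorkspaceRoleChecker();
        System.out.println("prefix ROLE_ADMIN_: " + checker.hasRoleWithPrefix(user, "ROLE_ADMIN_"));
        System.out.println("prefix ROLE_ADMIN:  " + checker.hasRoleWithPrefix(user, "ROLE_ADMIN"));
        System.out.println("workspace ABC: " + checker.isWorkspaceAdmin(user, "ABC"));
    }
}
```

These tags only hide markup in the rendered page; the URLs behind the admin links still need the same check on the server side.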
