How to perform RunAs using method security with Spring MVC 3.2 and Spring Security 3.1


Question

I have a web application with Spring MVC 3.2 and Spring Security 3.1

I'm using role-based security and have implemented UserDetailsService and UserDetails to provide GrantedAuthority.

I've enabled global method security with jsr250-annotations

Everything up to here is working as expected, with signed-in user method access restricted to the declared roles.

I have a further requirement to run certain methods called during application initialisation as a special user with a 'system role', ideally along the lines of JavaEE RunAs. I'm not sure how to do this in Spring Security.

Should I be trying to create a PreAuthenticatedAuthenticationToken with some made-up values and a 'system role' authority?
I could then do something like SecurityContextHolder.getContext().setAuthentication(token); when initialising the application.

Alternatively, should I be trying to use the RunAsManager? It sounds like what I need, but I have not found any simple examples of how I actually could use it.

I'm fairly new to Spring Security and I'm unsure of the best way to proceed.

Recommended answer

When my application starts:

  • I run a post construct method in my spring bean to create a special user in memory with a system role.
  • This user object implements the org.springframework.security.core.userdetails.UserDetails interface.
  • I then use the user to create a security token, org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken.
  • The token is then set in the Security Context.

    import javax.annotation.PostConstruct;
    import javax.annotation.security.RolesAllowed;
    import javax.inject.Inject;

    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
    import org.springframework.stereotype.Service;
    import org.springframework.transaction.annotation.Transactional;

    @Service
    @Transactional(readOnly = true)
    public class ApplicationConfiguration{
        @Inject
        MyService myService;

        // Note: @Transactional on a @PostConstruct method is not applied, because the
        // container invokes init() on the raw bean rather than through its proxy.
        // The transaction boundary belongs on myService.initialiseSystem() instead.
        @PostConstruct
        @Transactional(readOnly = false)
        public void init(){
    
            // ######## Application Starting #######"
    
            // Create a user that meets the contract of the Spring UserDetails interface.
            // UserAccountImpl, UserRole, Role, Permission and UserDetailsAdapter are the
            // application's own classes; UserDetailsAdapter implements UserDetails.
    
            UserAccountImpl sysAcc = new UserAccountImpl("system", "system", "system");
            UserRole role = new UserRole(Role.SYSTEM_ROLE);
            role.addUserPermission(Permission.SYSTEM);
            sysAcc.addUserRole(role);
            UserDetailsAdapter userDetails = new UserDetailsAdapter(sysAcc);
    
            // Create a token and set the security context. The three-argument constructor
            // marks the token as authenticated, so the method security interceptor will
            // not try to re-authenticate it through the AuthenticationManager.
    
            PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken( userDetails, userDetails.getPassword(), userDetails.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(token);
    
            // Now call service method with roles allowed
    
            try {
                myService.initialiseSystem();
            } finally {
                // Clear the system authentication so it does not linger on this thread
                // once initialisation is finished.
                SecurityContextHolder.clearContext();
            }
        }
    }
    

    ....

    public interface MyService {
        // SYSTEM is a String constant holding the exact authority name granted to the
        // system user above; the JSR-250 voter compares the two strings.
        @RolesAllowed(SYSTEM)
        public void initialiseSystem();
    }
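As an added example (not code from the answer above or from Spring Security itself), here is a RunAs-style helper that scopes the system elevation to a single action and restores the caller's security context on every exit path, which is the part a practitioner would want the answer's `init()` to guarantee. The class names `SystemRunAs` and `SystemInitializer`, the authority string `ROLE_SYSTEM`, and the `MyService` interface are assumptions for illustration; it only needs spring-security-core and spring-security-web (3.1 or later) on the classpath.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.concurrent.Callable;

import javax.annotation.PostConstruct;
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Service;

/**
 * Added example: RunAs-style elevation scoped to one action.
 * Hypothetical class, not part of Spring Security or of the answer above.
 */
public final class SystemRunAs {

    /** Must be the exact string used in @RolesAllowed on the system-only methods. */
    public static final String SYSTEM_AUTHORITY = "ROLE_SYSTEM";

    private SystemRunAs() {
    }

    /** Runs action with a system Authentication installed, then restores the previous context. */
    public static <T> T runAsSystem(Callable<T> action) throws Exception {
        SecurityContext previous = SecurityContextHolder.getContext();
        SecurityContext elevated = SecurityContextHolder.createEmptyContext();
        elevated.setAuthentication(systemToken());
        SecurityContextHolder.setContext(elevated);
        try {
            return action.call();
        } finally {
            // Restore on every exit path: with the default thread-local strategy a
            // leaked system token would stay on this (possibly pooled) thread.
            SecurityContextHolder.setContext(previous);
        }
    }

    private static Authentication systemToken() {
        Collection<GrantedAuthority> authorities = Collections.<GrantedAuthority>singletonList(
                new SimpleGrantedAuthority(SYSTEM_AUTHORITY));
        // The three-argument constructor marks the token authenticated. That matters:
        // AbstractSecurityInterceptor hands an unauthenticated token to the
        // AuthenticationManager, which rejects it unless a provider for this token
        // type is configured.
        return new PreAuthenticatedAuthenticationToken("system", "N/A", authorities);
    }
}

/** Hypothetical service with the system-only method; the role string must equal SYSTEM_AUTHORITY. */
interface MyService {
    @RolesAllowed(SystemRunAs.SYSTEM_AUTHORITY)
    void initialiseSystem();
}

/** Hypothetical initializer bean, the counterpart of ApplicationConfiguration.init() above. */
@Service
class SystemInitializer {

    @Inject
    private MyService myService;

    @PostConstruct
    public void init() throws Exception {
        // Elevation exists only inside the Callable; when runAsSystem returns, this
        // thread is back on whatever context it had before (normally an empty one).
        SystemRunAs.runAsSystem(new Callable<Void>() {
            public Void call() {
                myService.initialiseSystem();
                return null;
            }
        });
    }
}
```

Two points worth keeping in mind when adapting this: the elevation is confined to the current thread under the default `SecurityContextHolder` strategy, so work dispatched to other threads from inside the Callable does not inherit the system authority; and because the token is never re-authenticated, the only thing standing between a caller and `initialiseSystem()` is access to `SystemRunAs.runAsSystem`, so keep that helper out of any path reachable from request handling.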
    
