How to perform RunAs using method security with Spring MVC 3.2 and Spring Security 3.1
Question

I have a web application with Spring MVC 3.2 and Spring Security 3.1.

I'm using role-based security and have implemented UserDetailsService and UserDetails to provide GrantedAuthority.

I've enabled global method security with jsr250-annotations.

Everything up to here is working as expected, with signed-in user method access restricted to the declared roles.

I have a further requirement to run certain methods called during application initialisation as a special user with a 'system role', ideally along the lines of JavaEE RunAs. I'm not sure how to do this in Spring Security.

Should I be trying to create a PreAuthenticatedAuthenticationToken with some made-up values and a 'system role' authority? I could then do something like SecurityContextHolder.getContext().setAuthentication(token); when initialising the application.

Alternatively, should I be trying to use the RunAsManager? It sounds like what I need, but I have not found any simple examples of how I actually could use it.

I'm fairly new to Spring Security and I'm unsure of the best way to proceed.
Answer

When my application starts up:

- I run a post construct method in my spring bean to create a special user in memory with a system role.
- This user object implements the org.springframework.security.core.userdetails.UserDetails interface.
- A org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken is created for this user. The token is then set in the Security Context.
```java
import javax.annotation.PostConstruct;
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
@Transactional(readOnly = true)
public class ApplicationConfiguration {

    @Inject
    private MyService myService;

    @PostConstruct
    @Transactional(readOnly = false)
    public void init() {
        // ######## Application Starting #######
        // Create a user that meets the contract of the Spring UserDetails interface
        // (UserAccountImpl, UserRole, Role, Permission and UserDetailsAdapter are the
        // application's own classes)
        UserAccountImpl sysAcc = new UserAccountImpl("system", "system", "system");
        UserRole role = new UserRole(Role.SYSTEM_ROLE);
        role.addUserPermission(Permission.SYSTEM);
        sysAcc.addUserRole(role);
        UserDetailsAdapter userDetails = new UserDetailsAdapter(sysAcc);

        // Create a token and set the security context
        PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(
                userDetails, userDetails.getPassword(), userDetails.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(token);

        // Now call service method with roles allowed
        myService.initialiseSystem();
    }
}

....

public interface MyService {
    // SYSTEM is the application's own constant holding the system role name
    @RolesAllowed(SYSTEM)
    void initialiseSystem();
}
```
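As an added example, not part of the original answer, here is a small helper that scopes the system authentication to the initialisation work and restores whatever was in the SecurityContext afterwards, so the elevated principal does not stay on the bootstrap thread. The class name RunAsSupport is hypothetical; the UserDetails instance and the myService.initialiseSystem() call are the ones from the answer above.

```java
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Hypothetical helper (not from the answer above): runs a unit of work with the
 * given UserDetails as the current principal and always restores the previous
 * SecurityContext afterwards, so the elevated "system" authentication cannot
 * leak into later work on the same thread.
 *
 * Usage from the answer's init() method:
 *   RunAsSupport.runAs(userDetails, new Runnable() {
 *       public void run() { myService.initialiseSystem(); }
 *   });
 */
public final class RunAsSupport {

    private RunAsSupport() {
    }

    public static void runAs(UserDetails systemUser, Runnable work) {
        // Keep the caller's context (empty at bootstrap) so it can be put back.
        SecurityContext previous = SecurityContextHolder.getContext();
        SecurityContext elevated = SecurityContextHolder.createEmptyContext();
        // The three-argument constructor marks the token as authenticated; the
        // credentials are irrelevant for a pre-authenticated principal, so the
        // account's password is not copied into the token.
        Authentication token = new PreAuthenticatedAuthenticationToken(
                systemUser, "N/A", systemUser.getAuthorities());
        elevated.setAuthentication(token);
        SecurityContextHolder.setContext(elevated);
        try {
            work.run();
        } finally {
            // Restore even if the work threw, so no thread keeps the SYSTEM authority.
            SecurityContextHolder.setContext(previous);
        }
    }
}
```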