Spring Security with roles and permissions
Problem description
I'm trying to set up role-based Security with permissions. I'm trying to do this together with Spring-Security.
I don't want to set up ACL as it seems it's an overkill for my requirements.
I just want to have simple permissions and roles as described in this article. Unfortunately the article does not describe how to implement the given solution.
Has someone already tried this and can point me in the right direction? Maybe there is another blog entry that describes the implementation?
Thanks a lot.
Recommended answer
To implement that, it seems that you have to:
- Create your model (user, role, permissions) and a way to retrieve permissions for a given user;
- Define your own org.springframework.security.authentication.ProviderManager and configure it (set its providers) to a custom org.springframework.security.authentication.AuthenticationProvider. This last one should return on its authenticate method an Authentication, which should be set with the org.springframework.security.core.GrantedAuthority, in your case, all the permissions for the given user.
The trick in that article is to have roles assigned to users, but to set the permissions for those roles in the Authentication.authorities object.
For that I advise you to read the API, and see if you can extend some basic ProviderManager and AuthenticationProvider instead of implementing everything. I've done that with org.springframework.security.ldap.authentication.LdapAuthenticationProvider setting a custom LdapAuthoritiesPopulator, that would retrieve the correct roles for the user.
Hope this time I got what you are looking for. Good luck.
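
An added sketch of the approach in the answer above, not code from the answer or from the article it refers to: a custom AuthenticationProvider that keeps roles on the user but places the permissions of those roles into the Authentication's authorities. The class name, the Account record, the ROLE_PERMISSIONS map and all role and permission names are hypothetical; the in-memory maps stand in for your own user/role/permission model.

```java
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical provider; role and permission names are constructed sample data.
public class PermissionAuthenticationProvider implements AuthenticationProvider {

    // role -> permissions (stand-in for a lookup in your own model)
    private static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(
        "ADMIN", Set.of("PERM_USER_READ", "PERM_USER_WRITE"),
        "VIEWER", Set.of("PERM_USER_READ"));

    public record Account(String passwordHash, Set<String> roles) {}

    private final Map<String, Account> accounts; // username -> account
    private final PasswordEncoder encoder;

    public PermissionAuthenticationProvider(Map<String, Account> accounts,
                                            PasswordEncoder encoder) {
        this.accounts = accounts;
        this.encoder = encoder;
    }

    @Override
    public Authentication authenticate(Authentication auth) {
        Account account = accounts.get(auth.getName());
        String presented = String.valueOf(auth.getCredentials());
        // Unknown user and wrong password raise the same exception.
        if (account == null || !encoder.matches(presented, account.passwordHash())) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Expand the user's roles into permissions; an unmapped role grants nothing.
        Set<SimpleGrantedAuthority> authorities = account.roles().stream()
            .flatMap(role -> ROLE_PERMISSIONS.getOrDefault(role, Set.of()).stream())
            .map(SimpleGrantedAuthority::new)
            .collect(Collectors.toSet());
        // The three-argument constructor yields an authenticated token;
        // credentials are dropped so the password does not stay in the session.
        return new UsernamePasswordAuthenticationToken(auth.getName(), null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

With this provider registered, access rules test permissions rather than roles, for example hasAuthority('PERM_USER_WRITE'), so changing what a role may do only changes the role-to-permission mapping.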