具有角色和权限的Spring Security [英] Spring Security with roles and permissions
问题描述
我正在尝试使用权限设置基于角色的安全性。我正在尝试与Spring-Security一起这样做。
I'm trying to set up role-based Security with permissions. I'm trying to do this together with Spring-Security.
我不想设置ACL,因为它似乎对我的要求有点过分。
I don't want to set up ACL as it seems it's an overkill for my requirements.
我只想拥有简单的权限和角色,如文章。
遗憾的是,该文章没有描述如何实现给定的解决方案。
I just want to have simple permissions and roles as described in this article. Unfortunately the article does not describe how to implement the given solution.
有人已经尝试过这个并且可以指出我正确的方向吗?也许还有另一篇描述实施的博客文章?
Has someone already tried this and can point me in the right direction? Maybe there is another blog entry that describes the implementation?
非常感谢。
推荐答案
为了实现这一点,它似乎你必须:
To implement that, it seems that you have to:
- 创建模型(用户,角色,权限)以及检索给定用户权限的方法;
- 定义您自己的
org.springframework.security.authentication.ProviderManager并将其配置(设置其提供者)为自定义org.springframework.security.authentication.AuthenticationProvider。
最后一个应该在其身份验证方法上返回一个身份验证,在你的情况下应该使用org.springframework.security.core.GrantedAuthority设置,所有给定用户的权限。
- Create your model (user, role, permissions) and a way to retrieve permissions for a given user;
- Define your own
org.springframework.security.authentication.ProviderManagerand configure it (set its providers) to a customorg.springframework.security.authentication.AuthenticationProvider. This last one should return on its authenticate method a Authentication, which should be setted with theorg.springframework.security.core.GrantedAuthority, in your case, all the permissions for the given user.
该文章中的技巧是将角色分配给用户,但是,设置权限为那些角色在 Authentication.authorities 对象中。
The trick in that article is to have roles assigned to users, but, to set the permissions for those roles in the Authentication.authorities object.
为此我建议你阅读API,看看是否您可以扩展一些基本的ProviderManager和AuthenticationProvider,而不是实现所有内容。我已经用 org.springframework.security.ldap.authentication.LdapAuthenticationProvider 设置了一个自定义LdapAuthoritiesPopulator,它将为用户检索正确的角色。
For that I advise you to read the API, and see if you can extend some basic ProviderManager and AuthenticationProvider instead of implementing everything. I've done that with org.springframework.security.ldap.authentication.LdapAuthenticationProvider setting a custom LdapAuthoritiesPopulator, that would retrieve the correct roles for the user.
希望这次我得到了你想要的东西。
祝你好运。
Hope this time I got what you are looking for. Good luck.
这篇关于具有角色和权限的Spring Security的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
