How to get spring security role hierarchy in jsp to work?


Problem description

I am trying to get role hierarchies to work in my application. The only thing I want is the defined hierarchy at all levels: at the URL level and, for now, also at the view level (in my JSP files).

I use the following setup:

     <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:ref bean="roleHierarchyVoter"/>
                <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                    <beans:property name="expressionHandler">
                        <beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
                            <beans:property name="roleHierarchy" ref="roleHierarchy"/>
                        </beans:bean>
                    </beans:property>
                </beans:bean>
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean id="roleHierarchyVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
        <beans:constructor-arg ref="roleHierarchy"/>
    </beans:bean>

    <beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <beans:property name="hierarchy">
            <beans:value>
                ROLE_ADMIN > ROLE_OWNER
                ROLE_OWNER > ROLE_DISTRIBUTOR
                ROLE_DISTRIBUTOR > ROLE_RESELLER
                ROLE_RESELLER > ROLE_USER
            </beans:value>
        </beans:property>
    </beans:bean>

<http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    ...
</http>

For the URL level (intercept URLs) it works very well, but in my JSP files it does not work. The problem is that I did not properly understand the config needed to get the role hierarchy to work.

<security:authorize access="hasRole('ROLE_ADMIN')">
    <div class="span4">
        <h2>Admin</h2>
    </div><!--/span-->
</security:authorize>
<security:authorize access="hasRole('ROLE_OWNER')">
    <div class="span4">
        <h2>Owner</h2>
    </div><!--/span-->
</security:authorize>
<security:authorize access="hasRole('ROLE_DISTRIBUTOR')">
    <div class="span4">
        <h2>Distributor</h2>
    </div><!--/span-->
</security:authorize>

I use this simple example to test the role hierarchy at the view level, but it does not work. Only the user with the admin role can see his block but not the others.

Does anyone have an idea what I'm doing wrong with my config?

Recommended answer

I had the same issue (Spring Security 3.2.5).

Resolved by declaring my DefaultWebSecurityExpressionHandler before the <http> section:

<!-- This must go before the http element in order to be used by security:authorize tags using the access attribute -->
<!-- https://jira.spring.io/browse/SEC-1452 -->
<beans:bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

See https://jira.spring.io/browse/SEC-1452 and http://forum.spring.io/forum/spring-projects/security/67494-configuration-of-spring-security-3-0m1-expression-handler-bug/page3
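
The question's configuration with the answer's fix applied, as an added example that is not part of the original post: the expression handler becomes a named top-level bean declared before `<http>`, and the `WebExpressionVoter` references it instead of defining its own inner bean. It assumes the same namespace prefixes as the question; the `intercept-url` rules are left out because the question elides them.

```xml
<!-- Added example; security namespace is the default and beans: is the Spring beans prefix, as in the question. -->
<beans:bean id="roleHierarchy"
            class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            ROLE_ADMIN > ROLE_OWNER
            ROLE_OWNER > ROLE_DISTRIBUTOR
            ROLE_DISTRIBUTOR > ROLE_RESELLER
            ROLE_RESELLER > ROLE_USER
        </beans:value>
    </beans:property>
</beans:bean>

<!-- Named top-level handler, declared before <http> (per the answer and SEC-1452). -->
<beans:bean id="webSecurityExpressionHandler"
            class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy"/>
</beans:bean>

<beans:bean id="roleHierarchyVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <beans:constructor-arg ref="roleHierarchy"/>
</beans:bean>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:ref bean="roleHierarchyVoter"/>
            <!-- URL-level voter reuses the same handler instead of an inner bean -->
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <beans:property name="expressionHandler" ref="webSecurityExpressionHandler"/>
            </beans:bean>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>

<http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    <!-- intercept-url rules unchanged from the existing configuration -->
</http>
```

Once the hierarchy reaches the JSP tags, a user holding only ROLE_ADMIN also satisfies `hasRole('ROLE_OWNER')` and `hasRole('ROLE_DISTRIBUTOR')`, so all three test blocks from the question render for that user.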
