spring-security how ACL grants permissions
Question
I'm currently integrating springs-security into our new web application stack. We will need to be able to grant permissions for a user or role to access a specific object or all objects of a certain type. However, that's one thing I didn't really get when working through documentation and examples:
Does an ACL only grant permissions to a user/role for a single object, or does it do that for the entire type? As I understand it, domain object means the type, but the examples and tutorials seem like they assign permissions to specific objects. Am I just confused, or can I do both? If not, how do I do the other?
Thanks!
Recommended answer
With spring-security you can do both. It's possible because spring-security supports the so-called permission rules; within the spring-security terminology they call it permission evaluators. Permission rules encompass ACL, but you can also secure instances of objects when they're in a certain state, etc.
Here's how it works:

You need to extend the PermissionEvaluator. This allows you to have super custom logic for determining access rights: you can check the type of the object, check for a particular id, check whether the user invoking the method is the user that created the object, etc.:
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class SomePermissionsEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        if (permission.equals("do_something") && hasRole(authentication, "ROLE_A")) {
            // type-level rule: anyone holding role A may "do_something" on any object
            return true;
        } else if (permission.equals("do_something_else") && hasRole(authentication, "ROLE_B")) {
            // instance-level rule: inspect the object itself (owner, state, id, ...)
            return satisfiesCondition(targetDomainObject);
        }
        return false; // deny by default
    }

    @Override
    public boolean hasPermission(Authentication authentication,
                                 Serializable targetId, String targetType, Object permission) {
        // id-based variant is not used in this example
        throw new UnsupportedOperationException();
    }

    // true if the authenticated principal carries the given authority
    private static boolean hasRole(Authentication authentication, String role) {
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if (role.equals(authority.getAuthority())) return true;
        }
        return false;
    }

    // placeholder: true if targetDomainObject satisfies the application's condition
    private static boolean satisfiesCondition(Object targetDomainObject) {
        return targetDomainObject != null;
    }
}
Now that you have a security rule, you need to apply it through annotations (the annotated class must be a Spring-managed bean so the method can be proxied):
import org.springframework.security.access.prepost.PreAuthorize;

public class SomeDomainObjectService {
    @PreAuthorize("hasRole('SOME_ROLE_OR_RIGHT') and" +
                  " hasPermission(#someDomainObject, 'do_something')")
    public void updateSomeDomainObject(SomeDomainObject someDomainObject) {
        // before updating the object spring-security will check the security rules
    }
}
In order for this to work, the security annotations should be enabled in the applicationContext.xml, and the expression handler must be pointed at your evaluator:
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
    <expression-handler ref="expressionHandler"/>
</global-method-security>

<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator">
        <beans:bean id="permissionEvaluator" class="com.npacemo.permissions.SomePermissionsEvaluator"/>
    </beans:property>
</beans:bean>
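As an added example (not code from the original answer or from Spring Security itself), here is a complete evaluator that answers the question's "both" directly: it grants a permission across the whole type (every Document is readable by any authenticated user, and a role may do anything to any Document) and per instance (only the owner may write or delete a particular Document). It also implements the id-based overload the answer leaves unimplemented, which is what `hasPermission(#id, 'Document', 'write')` in a `@PreAuthorize` expression calls. `Document`, `DocumentFinder`, the role name `ROLE_DOC_ADMIN` and the permission strings `read`/`write`/`delete` are hypothetical names chosen for this example; only the Spring Security classes imported below are real.

```java
import java.io.Serializable;
import java.util.List;
import java.util.Objects;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Hypothetical domain object that records who created it. */
class Document {
    private final long id;
    private final String owner;
    Document(long id, String owner) { this.id = id; this.owner = owner; }
    long getId() { return id; }
    String getOwner() { return owner; }
}

/** Hypothetical lookup used by the id-based overload (a real app would query its repository). */
interface DocumentFinder {
    Document findById(long id);
}

public class DocumentPermissionEvaluator implements PermissionEvaluator {
    private final DocumentFinder finder;

    public DocumentPermissionEvaluator(DocumentFinder finder) { this.finder = finder; }

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        // Deny by default: an unauthenticated caller or an unknown type never gets through.
        if (authentication == null || !(targetDomainObject instanceof Document)) {
            return false;
        }
        Document doc = (Document) targetDomainObject;
        String action = String.valueOf(permission);

        // Type-level grant: the admin role may perform any action on every Document.
        if (hasAuthority(authentication, "ROLE_DOC_ADMIN")) {
            return true;
        }
        // Type-level grant: any authenticated caller may read every Document.
        if ("read".equals(action)) {
            return true;
        }
        // Instance-level grant: only the owner of this particular Document may change it.
        if ("write".equals(action) || "delete".equals(action)) {
            return Objects.equals(doc.getOwner(), authentication.getName());
        }
        return false;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        // Called for hasPermission(#id, 'Document', 'write'); resolve the instance, then reuse the rules above.
        if (!Document.class.getSimpleName().equals(targetType) || !(targetId instanceof Long)) {
            return false;
        }
        Document doc = finder.findById((Long) targetId);
        return doc != null && hasPermission(authentication, doc, permission);
    }

    private static boolean hasAuthority(Authentication authentication, String authority) {
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Document doc = new Document(42L, "alice");                 // constructed sample data
        DocumentFinder finder = id -> id == 42L ? doc : null;      // in-memory stand-in for a repository
        DocumentPermissionEvaluator evaluator = new DocumentPermissionEvaluator(finder);

        Authentication alice = new UsernamePasswordAuthenticationToken("alice", "n/a",
                List.of(new SimpleGrantedAuthority("ROLE_USER")));
        Authentication bob = new UsernamePasswordAuthenticationToken("bob", "n/a",
                List.of(new SimpleGrantedAuthority("ROLE_USER")));
        Authentication admin = new UsernamePasswordAuthenticationToken("carol", "n/a",
                List.of(new SimpleGrantedAuthority("ROLE_DOC_ADMIN")));

        System.out.println("alice write own doc: " + evaluator.hasPermission(alice, doc, "write"));
        System.out.println("bob read doc:        " + evaluator.hasPermission(bob, doc, "read"));
        System.out.println("bob write doc:       " + evaluator.hasPermission(bob, doc, "write"));
        System.out.println("admin delete by id:  " + evaluator.hasPermission(admin, 42L, "Document", "delete"));
    }
}
```

The four calls in `main` exercise each rule once: the owner's write goes through the instance-level ownership check, Bob's read and the admin's delete go through the two type-level rules, and Bob's write falls through to the default deny. To wire it in, register `DocumentPermissionEvaluator` as the `permissionEvaluator` property of the `DefaultMethodSecurityExpressionHandler` bean exactly as the answer's XML does for `SomePermissionsEvaluator`; the evaluator then needs a real `DocumentFinder` bean injected in place of the lambda. Keeping the unknown-type and unknown-action paths on the `return false` branch is the part worth preserving when adapting this: a permission evaluator that answers `true` for objects it does not recognise silently widens access every time a new type is passed to `hasPermission`.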