在Spring Security中实现分层角色 [英] Implementing Hierarchical Roles in Spring Security

问题描述

我正在尝试在Spring安全性中实现分层角色，并根据spring源文档在我的xml文件中添加以下配置。

I am trying to implement Hierarchical roles in Spring security and added the following configuration in my xml files as per spring source documentation.

<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>
            ROLE_ADMIN > ROLE_PRO
            ROLE_PRO > ROLE_PREMIUM
            ROLE_PREMIUM > ROLE_BASIC
            ROLE_BASIC > ROLE_ANONYMOUS
        </value>
    </property>
</bean>

 <bean id="roleVoter"
        class="org.springframework.security.access.vote.RoleHierarchyVoter">
         <constructor-arg ref="roleHierarchy"/>
</bean>

我已经尝试过上述行，但是在ROLE_ADMIN尝试访问分配给该URL的同时，我遇到了访问拒绝ROLE_BASIC。我是否还需要添加更多内容？除了Spring网站中的这些行，我什么都没找到。另外，如果您知道分层角色的任何良好实现，请务必提及它们。

I have tried with above lines but I am getting Access Denial while ROLE_ADMIN trying to access the url assigned to ROLE_BASIC. Do I need to add anything more than this. I found nothing other than those lines in Spring site. Also, If you know of any good implementation of Hierarchical roles, please do mention them.

推荐答案

我认为您需要注册在 accessDecisionManager 中的 roleVoter 。
@See 此答案作为示例。

I think you need to register the roleVoter at the accessDecisionManager. @See this answer for an example.

但是，说实话，我怀疑春季分层投票者概念，因为您需要在各处添加一个特殊的分层投票器。我个人更喜欢另一种方式：我实现了自定义 JdbcDaoImpl ，该自定义 addCustomAuthorities 并向其中添加了正常角色

But to be honest, I doubt the Spring Hierarchical Voter concept, because you need to add a special hierarchical voter everywhere. I personally prefer an other way: I have implemented an custom JdbcDaoImpl that overrides the addCustomAuthorities and add "normal" Roles to the "existing" once.

/**
 * Extension of {@link JdbcDaoImpl} User Detail Provider, so that is uses the
 * {@link PrivilegesService} to extend the provided Authorities.
 *
 */
public class JdbcDaoPrivilegesImpl extends JdbcDaoImpl {

    private PrivilegesService privilegesService;

    public JdbcDaoPrivilegesImpl(final PrivilegesService privilegesService) {        
        this.privilegesService = privilegesService;
    }

    @Override
    protected void addCustomAuthorities(String username, List<GrantedAuthority> authorities) {
        super.addCustomAuthorities(username, authorities);         

        List<GrantedAuthority> privileges = new ArrayList<GrantedAuthority>();
        for (GrantedAuthority role : authorities) {
            privileges.addAll(privilegesService.getPrivilegesForRole(role));
        }
        authorities.addAll(privileges);    
    }
}


public interface PrivilegesService {

     Collection<? extends GrantedAuthority> getPrivilegesForRole(GrantedAuthority role);
}


public class PropertyPrivilegesServiceImpl implements PrivilegesService {

    /**
     * Property bases mapping of roles to privileges.
     * Every role is one line, the privileges are comma separated.
     */
    private Properties roleToPrivileges;

    public PropertyPrivilegesServiceImpl(Properties roleToPrivileges) {
        if (roleToPrivileges == null) {
            throw new IllegalArgumentException("roleToPrivileges must not be null");
        }
        this.roleToPrivileges = roleToPrivileges;
    }

    @Override
    public Collection<? extends GrantedAuthority> getPrivilegesForRole(GrantedAuthority role) {
        if (roleToPrivileges == null) {
            throw new IllegalArgumentException("role must not be null");
        }

        String authority = role.getAuthority();
        if(authority != null) {
            String commaSeparatedPrivileges = roleToPrivileges.getProperty(role.getAuthority());
            if (commaSeparatedPrivileges != null) {
                List<GrantedAuthority> privileges = new ArrayList<GrantedAuthority>();
                for(String privilegeName : StringUtils.commaDelimitedListToSet(commaSeparatedPrivileges)) {
                    privileges.add(new GrantedAuthorityImpl(privilegeName.trim()));
                }                
                return privileges;
            } else {
                return Collections.emptyList();
            }
        } else {
            return Collections.emptyList();
        }
    }
}

示例配置

  <bean id="myUserDetailsService" class="JdbcDaoForUpdatableUsernames">
    <constructor-arg ref="propertyPrivilegesService"/>
    <property name="dataSource" ref="dataSource"/>
    <property name="usersByUsernameQuery" value="SELECT login,encryptedPassword,loginEnabled FROM user WHERE login = ?"/>
    <property name="enableAuthorities" value="true"/>
    <property name="authoritiesByUsernameQuery" value="SELECT u.login, r.securityRoles FROM user u, user2security_roles r WHERE u.login= ? AND u.id = r. User_fk;"/>
</bean>

 <bean id="propertyPrivilegesService" class="PropertyPrivilegesServiceImpl">
    <constructor-arg>
        <props>
            <prop key="ROLE_ADMIN">
                ROLE_PREMIUM,
                ROLE_BASIC
            </prop>
            <prop key="ROLE_PREMIUM">
                RROLE_BASIC
            </prop>
        </props>
    </constructor-arg>
</bean>

这篇关于在Spring Security中实现分层角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！