Group and ACL on Spring Security


Question

I want to use Spring Security to manage user, group and permissions.

I want to use ACL to secure my domain objects but I can't find a way to assign a group to an acl.

For example: I've got users and groups. Each group can have the following securities:
- manage forums (can be a role like ROLE_FORUM_MANAGER)
- edit a specific forum (acl on the specific forum).

Moreover, groups are defined by users who have the role ROLE_PERMISSION_MANAGER. BUT all groups defined by this user can only be edited and managed by this user. So groups are attached to a user. To be precise, imagine that a user creates a Google group: this user can manage right permission groups only for the group he has created. And so he can create a group to manage a specific forum of his own Google group.

How should I do this?

I read the Spring Security docs and the following tutorials (so please don't send me to these links):
http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html
http://blog.denksoft.com/?page_id=20

Recommended answer

Check Spring Security 3.0, you might be able to avoid using ACL at all by using the Spring Expression Language.

For instance, for editing a forum, you would have a method secured like this:

@PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update')")
public void updateForum(Forum forum) {
    //some implementation
}

You would then implement the hasPermission method in a custom permission evaluator, like:

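import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

public class ForumPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication authentication,
            Object domainObject, Object permission) {
        // implement: decide whether the user may apply the permission to domainObject
        return false; // deny by default until implemented
    }

    @Override
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        // implement: same decision for an object identified by id and type
        return false; // deny by default until implemented
    }
}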

Finally, wire it up together in the application config:

<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>

<beans:bean id="permissionEvaluator"
    class="x.y.z.ForumPermissionEvaluator" />
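
One way to fill in the two hasPermission methods for the group model in the question, as an added example that is not the answerer's code: a user may act on a forum only if one of the user's groups was granted that permission on it, and every other case is denied. GroupStore, its two methods and Forum.getId() are hypothetical names assumed for illustration; the rule that a group is managed only by the user who created it is a separate check not shown here.

```java
import java.io.Serializable;
import java.util.Set;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Added example. GroupStore and Forum#getId() are hypothetical, not Spring Security API.
public class ForumPermissionEvaluator implements PermissionEvaluator {
    /** Hypothetical lookup of group membership and per-forum grants; never returns null. */
    public interface GroupStore {
        Set<String> groupsOf(String username);
        Set<String> groupsGranted(Serializable forumId, String permission);
    }

    private final GroupStore store;

    public ForumPermissionEvaluator(GroupStore store) { this.store = store; }

    @Override
    public boolean hasPermission(Authentication authentication,
            Object domainObject, Object permission) {
        // Only Forum objects are handled; any other domain object is denied.
        if (!(domainObject instanceof Forum)) return false;
        return hasPermission(authentication, ((Forum) domainObject).getId(),
                Forum.class.getName(), permission);
    }

    @Override
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        // Deny by default: no caller, no id, wrong target type, or a non-String permission.
        if (authentication == null || !authentication.isAuthenticated()
                || targetId == null || !Forum.class.getName().equals(targetType)
                || !(permission instanceof String)) {
            return false;
        }
        Set<String> userGroups = store.groupsOf(authentication.getName());
        // Allow only when the user belongs to a group granted this permission on this forum.
        for (String group : store.groupsGranted(targetId, (String) permission)) {
            if (userGroups.contains(group)) return true;
        }
        return false;
    }
}

// Minimal stand-in for the page's Forum domain class (constructed for this example).
class Forum {
    private final Long id;
    Forum(Long id) { this.id = id; }
    Long getId() { return id; }
}
```

For @PreAuthorize to consult this evaluator, the expressionHandler bean also has to be referenced by an expression-handler element inside global-method-security with pre-post-annotations="enabled".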
