在Spring Security ACL中授予权限 [英] Granting permissions in Spring Security ACL

问题描述

我在grails 1.3.7中使用Spring Security ACL插件，但我的问题可能比这更通用：我想允许具有 BasePermission.READ 访问对象以能够向其他用户授予相同的权限。如果user1具有对文档的读取访问权限，则他应该能够与user2共享该权限，从而为他提供对同一文档的读取访问权限。

I am using the Spring Security ACL plugin in grails 1.3.7, but my question is probably more generic than that: I would like to allow users who have BasePermission.READ access to an object to be able to grant that same permission to other users. If user1 has read access to a document, he should be able to share that with user2, and thereby give him read access to the same document.

首次创建文档时，授予了user1读取权限，因此我在日志中看到了这一点：

When the document is first created, user1 is granted read access, so I see this in the log:

DEBUG   grails.app.service.org.grails.plugins.springsecurity.service.acl.AclUtilService     Added permission BasePermission[...............................R=1] for Sid PrincipalSid[User user1] for com.fxpal.ara.Document with id 1

然后我尝试在认证为user1时向user2授予READ权限，但出现此异常：

Then I try to grant the READ permission to user2 while authenticated as user1, I get this exception:

org.springframework.security.acls.model.NotFoundException: Unable to locate a matching ACE for passed permissions and SIDs

所以我的问题是：
1.是否需要 BasePermission.ADMINISTRATION 来允许用户向其他用户授予权限用户？
2.还有其他只授予部分权限的授予权限的方法吗？

So my questions are: 1. Is having BasePermission.ADMINISTRATION required to allow users to grant permissions to other users? 2. Is there some other way to grant permissions while having only partial permissions? Where is this policy implemented, and can it be replaced?

更新：

好吧，我想我可以添加 AclAuthorizationStrategy 的新实现，该实现定义方法 public void securityCheck（Acl acl，int changeType），但是此方法不将请求的权限作为参数，从而挫败了我检查兼容权限的策略。接下来要做的是重新实现AclImpl以使用不同的逻辑。重复大多数相同的代码似乎很可耻...

Well, I thought I could add a new implementation of AclAuthorizationStrategy which defines the method public void securityCheck(Acl acl, int changeType), but this method doesn't take the requested permission as a parameter, foiling my strategy of checking for compatible permissions. The next thing to do would be to re-implement AclImpl to use different logic. Seems like a shame to repeat most of the same code...

推荐答案

您可以通过创建

<bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
     <constructor-arg>
         <bean class="org.springframework.security.core.authority.SimpleGrantedAuthority">
              <constructor-arg>
                   <value>ROLE_ADMINISTRATOR</value>
              </constructor-arg>
         </bean>
     </constructor-arg>
</bean>

此处 ROLE_ADMINISTRATOR 应该是哪个角色登录用户对象具有权限。基本上，具有此角色的任何人都可以管理权限。

Here the ROLE_ADMINISTRATOR should be the Role which the Logged in User object has as part of authorities. Basically Anyone with this Role can manage Permissions.

这篇关于在Spring Security ACL中授予权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！