Defining user roles with inheriting rights
Question
I'm currently looking into the spring-security framework - great stuff so far, pretty impressed. However, I haven't found out where or how to define an inheritance of permissions.
e.g. I want the ROLE_ADMIN to have at least the same rights as the ROLE_USER. I defined three intercept-urls for spring:
    <intercept-url pattern="/auth/login.do" access="permitAll"/>
    <intercept-url pattern="/voting/*" access="hasRole('ROLE_USER')"/>
    <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
When trying to access any site nesting from /voting/ while being logged in as a ROLE_ADMIN user, I am being denied. Am I missing something here? I know I could define several roles for the /voting/* branch, but if I imagine that I might have 10 different user roles in one of my real-life use cases, I can imagine the .xml file getting really messy, really fast.
Can I configure the inheritance of roles somewhere?
Cheers
Thanks to the great community and their input, I came up with a working solution - it may be good style or not - it works :D
I defined an enum which reflects the inheriting spring-sec roles:
    public enum UserRoles {
        // each value lists every Spring Security authority it carries, so ROLE_ADMIN also gets ROLE_USER
        ROLE_USER(new String[]{"ROLE_USER"}),
        ROLE_ADMIN(new String[]{"ROLE_USER", "ROLE_ADMIN"});

        private final String[] roles;

        private UserRoles(String[] roles) {
            this.roles = roles;
        }

        public String[] getRoles() {
            return roles;
        }
    }
I then implemented my own UserDetailsService:
Within the method

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { ... }
where it comes to adding granted authorities to a UserDetail, I get the corresponding enum value and append all the roles defined by this enum value:
    List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
    // ROLE_ADMIN is hard-coded here; in the real service the enum value comes from the user's @Enumerated field
    for (String role : UserRoles.ROLE_ADMIN.getRoles()) {
        authList.add(new GrantedAuthorityImpl(role));
    }
    UserDetails user = null;
    try {
        // md5 is the poster's own password-hashing helper (not shown); it declares NoSuchAlgorithmException
        user = new User(username, md5.hashPassword(username), true, true, true, true, authList);
    } catch (NoSuchAlgorithmException ex) {
        logger.error(ex.getMessage(), ex);
    }
My domain object, which is persisted, contains an @Enumerated field with a UserRole - in a real environment, this field is loaded from the DB and the corresponding roles are picked from that enum.
thanks again for the input - love this community ^^
Answer
As far as I know, Spring Security does not support the concept of Roles and Privileges. In Spring Security there are only Roles, sometimes called Authorities -- Moreover: in Spring Security, Roles/Authorities are what a Roles and Privileges system calls Privileges.
So if you want to build a system of Roles and Privileges, then you need to do it on your own by building your own Spring Security AuthenticationManager, and treat the Spring Security Roles/Authorities like Privileges.
See this blog: Spring Security customization (Part 1 – Customizing UserDetails or extending GrantedAuthority) -- It is written for Spring Security 2.0 and shows how to implement what I am talking about. It also states that RoleHierarchy has some drawbacks, but this article is about 2.0; maybe the drawbacks are gone in 3.0.
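As an added example (not code from the question or the answer), the same inheritance done with Spring Security's own RoleHierarchyImpl, which the answer's linked article mentions: the stored role is expanded inside the UserDetailsService, so the intercept-url rules above stay as they are and adding a tenth role means one more hierarchy line instead of ten rewritten patterns. It assumes Spring Security 3.1 or later (SimpleGrantedAuthority); the username-to-role lookup and the "<stored-hash>" value are constructed stand-ins for the database.

```java
import java.util.Arrays;
import java.util.Collection;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class HierarchicalUserDetailsService implements UserDetailsService {
    // One line per inheritance edge; ROLE_ADMIN reaches every authority ROLE_USER has
    private final RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();

    public HierarchicalUserDetailsService() {
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Constructed stand-in for the DB lookup of the single role stored on the user entity
        String storedRole;
        if ("admin".equals(username)) {
            storedRole = "ROLE_ADMIN";
        } else if ("alice".equals(username)) {
            storedRole = "ROLE_USER";
        } else {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        // Expand the stored role into everything it inherits, so hasRole('ROLE_USER') holds for admins
        Collection<? extends GrantedAuthority> authorities = hierarchy.getReachableGrantedAuthorities(
                Arrays.asList(new SimpleGrantedAuthority(storedRole)));
        // "<stored-hash>" is a placeholder for the password hash read from the DB
        return new User(username, "<stored-hash>", authorities);
    }

    // What hasRole('ROLE_X') in an intercept-url boils down to: an exact match on an authority name
    public static boolean hasRole(UserDetails user, String role) {
        for (GrantedAuthority a : user.getAuthorities()) {
            if (role.equals(a.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        UserDetailsService service = new HierarchicalUserDetailsService();
        UserDetails admin = service.loadUserByUsername("admin");
        System.out.println("admin -> /voting/* : " + hasRole(admin, "ROLE_USER"));
        System.out.println("alice -> /admin/*  : " + hasRole(service.loadUserByUsername("alice"), "ROLE_ADMIN"));
    }
}
```

Because the expansion happens when the user is loaded, the granted authorities visible in the session already contain ROLE_USER for an admin, which is also what audit logs and any downstream hasRole checks will see.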