Setting user roles based on some kind of ownership in Spring Security

Question
In my Spring-based application, I currently have basic roles such as ADMIN and USER.
Is it possible to define a user role such as PHOTO_UPLOADER, which inherits from USER, but also adds a check whether the user making the call is actually the owner of the photo?
I am tired of writing the same if (currentUser.id == photo.uploader.id) in my controller actions over and over again. It applies to other entities as well.
Recommended answer

You can handle it with ACLs like Tomasz Nurkiewicz suggested. But Spring Security ACLs are complex and poorly documented. (The best resource I know for it is this book: Spring Security 3, by the authors of Spring Security.)
But if you really need only this simple if (currentUser.id == photo.uploader.id) test, then I would recommend another technique.
It is possible to enhance the method security expressions that you can use in @PreAuthorize annotations. Like:

    @PreAuthorize("isPhotoOwner(#photo)")
    public void doSomething(final Photo photo) {
        // ...
    }
To implement such an expression isPhotoOwner, the core is really simple:
    import org.springframework.security.access.expression.method.MethodSecurityExpressionRoot;
    import org.springframework.security.core.Authentication;

    public class ExtendedMethodSecurityExpressionRoot extends MethodSecurityExpressionRoot {

        public ExtendedMethodSecurityExpressionRoot(final Authentication a) {
            super(a);
        }

        /**
         * Returns true if the currently authenticated user is the creator of the given photo.
         * A null photo is treated as "not the owner" so the check fails closed.
         */
        public boolean isPhotoOwner(final Photo photo) {
            if (photo == null) {
                return false;
            }
            // compare the photo creator's login with the name of the current Authentication
            return photo.getCreator().getLogin().equals(getAuthentication().getName());
        }
    }
Unfortunately there is some additional work to register the ExtendedMethodSecurityExpressionRoot. --- I have no time at the moment; if you are willing to try this approach, then leave a comment, and I will describe the rest.
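The registration step the answer leaves open, as an added example that is not part of the original answer: a custom expression root, a handler that creates it, and the Java configuration that registers the handler. It assumes Spring Security 4.x/5.x with Java config (@EnableGlobalMethodSecurity) and a Photo type whose getCreator().getLogin() returns the uploader's login as in the answer; the class names OwnerExpressionRoot, OwnerExpressionHandler and MethodSecurityConfig are made up for the example.

```java
// Added example, not the answer's own code. Assumes Spring Security 4.x/5.x Java config and
// a Photo type whose getCreator().getLogin() returns the uploader's login, as in the answer.
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
// MethodSecurityExpressionRoot is package-private since 3.1, so extend SecurityExpressionRoot instead.
class OwnerExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
    private Object filterObject, returnObject;
    OwnerExpressionRoot(Authentication a) { super(a); }
    /** True only for an authenticated (non-anonymous) caller who is the photo's creator; fails closed. */
    public boolean isPhotoOwner(Photo photo) {
        if (photo == null || photo.getCreator() == null || !isAuthenticated()) return false;
        return photo.getCreator().getLogin().equals(getAuthentication().getName());
    }
    @Override public void setFilterObject(Object o) { filterObject = o; }
    @Override public Object getFilterObject() { return filterObject; }
    @Override public void setReturnObject(Object o) { returnObject = o; }
    @Override public Object getReturnObject() { return returnObject; }
    @Override public Object getThis() { return this; }
}
// Hands Spring the custom root; copying evaluator, resolver and hierarchy keeps hasRole() etc. working.
class OwnerExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        OwnerExpressionRoot root = new OwnerExpressionRoot(authentication);
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(getTrustResolver());
        root.setRoleHierarchy(getRoleHierarchy());
        root.setDefaultRolePrefix(getDefaultRolePrefix());
        return root;
    }
}
// Registers the handler so @PreAuthorize("isPhotoOwner(#photo)") resolves in every secured bean.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OwnerExpressionHandler();
    }
}
```

With this in place, a @PreAuthorize("isPhotoOwner(#photo)") on a service method rejects the call with an AccessDeniedException before the body runs, so the per-controller if check in the question is no longer needed.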