Spring Security ACL administration permission


Question


I try to enforce a new app with Spring Security ACL and after some reading I have a problem with permissions for every ACE. I was expecting that if a principal has the administration permission (16) over a domain object instance, it would be able to access a method with this annotation:

@Override
@PostFilter("hasPermission(filterObject, 'READ')")
public List<Project> findAllProjects() {
    TypedQuery<Project> tq = em.createNamedQuery("Project:findAll", Project.class);
    List<Project> projects = tq.getResultList();
    return projects;
}

but

@PostFilter("hasPermission(filterObject, 'ADMINISTRATION') OR hasPermission(filterObject, 'READ')")


seems to work.
So, my question is: aren't these permissions hierarchical?
I mean, why do I have to explicitly specify admin permission on a method that has read permission? Isn't admin "bigger" than read?
I was thinking that if I grant a user an admin permission, the user will be able to access all the methods/objects protected with "lower" operations (C, R, U, D) than admin.

Accepted answer


Short answer: No, permissions are not hierarchical out-of-the-box.


If you want them to be hierarchical, you need to make a custom implementation of PermissionEvaluator or similar.
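A concrete version of that custom PermissionEvaluator, as an added example that is not part of the original answer or of Spring Security itself: it wraps the stock AclPermissionEvaluator and assumes the hierarchy "ADMINISTRATION implies READ, WRITE, CREATE and DELETE" (the class name and that hierarchy are my choices, not something Spring defines).

```java
import java.io.Serializable;
import java.util.*;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.core.Authentication;
// Added example, not part of Spring Security: a PermissionEvaluator that treats ADMINISTRATION
// as implying READ, WRITE, CREATE and DELETE (an assumed hierarchy), so hasPermission(filterObject,
// 'READ') also passes for a principal whose ACE grants ADMINISTRATION. Register it through
// DefaultMethodSecurityExpressionHandler.setPermissionEvaluator(...) instead of AclPermissionEvaluator.
public class HierarchicalAclPermissionEvaluator implements PermissionEvaluator {
    private static final List<Permission> IMPLIED_BY_ADMIN = Arrays.asList(
            BasePermission.READ, BasePermission.WRITE, BasePermission.CREATE, BasePermission.DELETE);
    private static final DefaultPermissionFactory FACTORY = new DefaultPermissionFactory();
    private final AclPermissionEvaluator delegate;

    public HierarchicalAclPermissionEvaluator(AclService aclService) {
        this.delegate = new AclPermissionEvaluator(aclService);
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Grant if the ACL holds the requested permission or any permission that implies it.
        for (Object candidate : expand(permission)) {
            if (delegate.hasPermission(auth, target, candidate)) return true;
        }
        return false;
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        for (Object candidate : expand(permission)) {
            if (delegate.hasPermission(auth, id, type, candidate)) return true;
        }
        return false;
    }

    // The requested permission first, then ADMINISTRATION when it implies the request.
    // Integer masks and Permission[] arguments are handed to the delegate unchanged.
    static List<Object> expand(Object requested) {
        Permission p = requested instanceof Permission ? (Permission) requested
                : requested instanceof String ? FACTORY.buildFromName(((String) requested).toUpperCase(Locale.ROOT)) : null;
        List<Object> candidates = new ArrayList<>(Collections.singletonList(requested));
        if (p != null && IMPLIED_BY_ADMIN.contains(p)) candidates.add(BasePermission.ADMINISTRATION);
        return candidates;
    }
}
```

With this evaluator in place the original `@PostFilter("hasPermission(filterObject, 'READ')")` keeps admins' rows, and the per-object ACL lookup still happens for every candidate, so nothing is granted that the ACL does not hold.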
