Spring Security:如何在不登录和注销的情况下更改用户角色 [英] Spring Security: how to change user roles without login and logout
问题描述
Spring Security 4.2.4.Java 8
Spring Security 4.2.4. Java 8
我需要更改用户的权限而不重新登录.这是我的服务:
I need to change the permissions of users without re-logging them. It's my service:
@Component
public class AuthoritiesUpdater {
private final UserRoleService userRoleService;
@Autowired
public AuthoritiesUpdater(UserRoleService userRoleService) {
this.userRoleService = userRoleService;
}
public void update(User user) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
List<UserRole> userRoles = userRoleService.findByUser(user);
List<GrantedAuthority> actualAuthorities = userRoles.stream().map(userRole -> new
SimpleGrantedAuthority(userRole.getRole())).collect(Collectors.toList());
Authentication newAuth = new
UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), actualAuthorities);
SecurityContextHolder.getContext().setAuthentication(newAuth);
}
}
但是有麻烦.我需要为任何用户更改角色.假设我是经理,并且想更改测试用户的角色.保存配置后,我需要重新加载权限,并且当用户按F5按钮并重新加载页面而无需重新登录时,测试用户将具有新角色.但是 SecurityContextHolder.getContext().getAuthentication(); 仅返回当前用户(管理员)的身份验证对象.我需要获取身份验证对象以供更改后的用户调用 newUsernamePasswordAuthenticationToken(auth.getPrincipal(),auth.getCredentials(),actualAuthorities); .我可以为任何用户获取身份验证对象,还是可以其他方式解决此问题?也许我可以使用会话注册表获取身份验证对象?
But there is a trouble. I need to change roles for any user. Let's say I'm manager and I want to change roles for test user. I need to reload the permissions after saving configuration and test user will have new roles when he press F5 button and reload the page without re-login.
But SecurityContextHolder.getContext().getAuthentication(); returns authentication object only for current user (manager). I need to get authentication object for changed user to call new
UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), actualAuthorities);.
Can I get authentication object for any user or can I solve this problem in another way? Maybe I can get authentication object uses session registry?
P.S .:为用户执行过期的会话不是一个好选择.
P.S.: Doing an expired session for user isn't a good option.
推荐答案
很好的回答,谢谢@virkom!
Excellent answer, thanks @virkom!
对于新用户,步骤如下:
For newer users, the steps are as follow:
-
创建您希望用户拥有的权限列表(包括他们以前拥有的权限).在这种情况下(以下),我创建了一个集合,因此它们将是唯一的.
Create a list of authorities you want the user to have (including the previous one(s) they had). In this case (below) I created a set so they would be unique.
创建一个身份验证对象,该对象与您要通过其新权限进行身份验证的用户相匹配.在这种情况下,我使用了一个内存中的用户来简化示例,但是首选数据库身份验证!
Create an authentication object which matches the user you want to authenticate with their new authorities. In this case, I used a user who was in memory to simplify the example, but database authentication is preferred!
使用新的身份验证信息更新安全上下文.这将具有刷新用户凭据的效果.
Update the security context with the new authentication information. This will have the effect of a refresh of the user's credentials.
代码段如下所示:
Set<GrantedAuthority> authorities = new HashSet<>();
authorities.add(new SimpleGrantedAuthority("USER"));
authorities.add(new SimpleGrantedAuthority("ADMIN"));
Authentication reAuth = new UsernamePasswordAuthenticationToken("user",new
BCryptPasswordEncoder().encode("password"),authorities);
SecurityContextHolder.getContext().setAuthentication(reAuth);
示例代码可在github上找到: https://github.com/aoa4eva/ContextDemo
Sample code is available on github: https://github.com/aoa4eva/ContextDemo
这篇关于Spring Security:如何在不登录和注销的情况下更改用户角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
