Spring Security Role Hierarchy not working with Thymeleaf sec:authorize

Problem description

I'm using Spring Security 3.2.5.RELEASE with ThymeLeaf 2.1.4.RELEASE. I've defined Role Hierarchy in my security context. In my view layer I'm using sec:authorize attribute to define menu items. I expect to see all menu items under the top level role but I only see the menus defined under that role. How can I fix this problem so that I see all menus under the top level?

Any pointers would be really appreciated. Thanks.

<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <beans:constructor-arg ref="roleHierarchy"/>
</beans:bean>

<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            ROLE_ADMINISTRATOR > ROLE_MANAGER > ROLE_CONTENT_ADMINISTRATOR
        </beans:value>
    </beans:property>
</beans:bean>

And in my view page I'm using sec:authorize attribute like below:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<body th:fragment="admin-menu" sec:authorize="hasRole('ROLE_ADMINISTRATOR')">
<li>
    <a href="#"><i class="fa fa-users"></i> <span class="nav-label">Users</span> </a>
</li>
</body>
</html>

Recommended answer

In order to get the role hierarchy working in Thymeleaf templates as well as in the common security (annotation) config, you need only 2 things:

  1. Make the bean:

@Bean
public RoleHierarchyImpl roleHierarchy() {
    RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
    String hierarchy =
            "ADMIN_GLOBAL_MANAGEMENT > ADMIN_COMMON " +
            "ADMIN_GLOBAL_MANAGEMENT > ADMIN_USER_MANAGEMENT " +
            "ADMIN_GLOBAL_MANAGEMENT > ADMIN_PAYMENT_MANAGEMENT " +
            "ADMIN_GLOBAL_MANAGEMENT > ADMIN_MESSAGE_MANAGEMENT";
    roleHierarchy.setHierarchy(hierarchy);
    return roleHierarchy;
}

  2. Extend WebSecurityConfigurerAdapter and override a method:

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        ...

        @Override
        public void configure(WebSecurity web) throws Exception {
            // Attach the role hierarchy to the handler that evaluates web security expressions
            DefaultWebSecurityExpressionHandler expressionHandler =
                    new DefaultWebSecurityExpressionHandler();
            expressionHandler.setRoleHierarchy(roleHierarchy());
            web.expressionHandler(expressionHandler);
        }
    }
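
The effect of step 2, as an added example that is not part of the original answer: it evaluates `hasRole(...)` through a `DefaultWebSecurityExpressionHandler` with and without the role hierarchy attached, using the role names from the question. It assumes spring-security-core, spring-security-web, spring-expression and the servlet API on the classpath; the class name, the `allowed` helper, the `demo-user` principal and the `/menu` path are hypothetical, and the hierarchy is written one relation per line as a choice of this example.

```java
import java.util.List;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

// Added example (not from the original post): evaluates hasRole(...) through a
// web expression handler, with and without a RoleHierarchy attached.
public class RoleHierarchyExpressionCheck {

    static boolean allowed(DefaultWebSecurityExpressionHandler handler, String role, String expression) {
        List<GrantedAuthority> granted = AuthorityUtils.createAuthorityList(role);
        // Constructed user; a TestingAuthenticationToken built with authorities is authenticated.
        Authentication user = new TestingAuthenticationToken("demo-user", "n/a", granted);
        // Dummy request: hasRole() only inspects the authentication, not the URL.
        FilterInvocation invocation = new FilterInvocation("/menu", "GET");
        EvaluationContext ctx = handler.createEvaluationContext(user, invocation);
        Expression expr = handler.getExpressionParser().parseExpression(expression);
        return ExpressionUtils.evaluateAsBoolean(expr, ctx);
    }

    public static void main(String[] args) {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMINISTRATOR > ROLE_MANAGER\n"
                + "ROLE_MANAGER > ROLE_CONTENT_ADMINISTRATOR");

        DefaultWebSecurityExpressionHandler plain = new DefaultWebSecurityExpressionHandler();
        DefaultWebSecurityExpressionHandler hierarchical = new DefaultWebSecurityExpressionHandler();
        hierarchical.setRoleHierarchy(hierarchy);

        String menu = "hasRole('ROLE_CONTENT_ADMINISTRATOR')";
        // Without the hierarchy only an exact authority match passes.
        System.out.println("plain, admin:          " + allowed(plain, "ROLE_ADMINISTRATOR", menu));
        // With it, the top-level role reaches the lower one transitively.
        System.out.println("hierarchical, admin:   " + allowed(hierarchical, "ROLE_ADMINISTRATOR", menu));
        // The relation is one-way: a lower role must not satisfy a higher one.
        System.out.println("hierarchical, content: "
                + allowed(hierarchical, "ROLE_CONTENT_ADMINISTRATOR", "hasRole('ROLE_ADMINISTRATOR')"));
    }
}
```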
    
