为什么 Spring Security 的 RoleVoter 需要前缀? [英] Why does Spring Security's RoleVoter need a prefix?
问题描述
在我们的应用程序中,我们计划使用 RoleVoter 机制,但我们希望删除 ROLE_ 前缀,因为我们正在实施的安全性更基于任务 而不是 基于角色的.
In our application we planned to use the RoleVoter mechanism but we'd like to remove the ROLE_ prefix as the security we are implementing is more task based than role based.
从技术上讲,实现没有问题,但我在文档中发现 不鼓励使用带有空前缀的RoleVoter.
Technically, there is no problem for the implementation but I found in the documentation that using the RoleVoter with an empty prefix should be discouraged.
我想知道为什么?
AFAICS,唯一的问题是,如果没有前缀,RoleVoter 将参与它不应该参与的决策(例如 IS_AUTHENTICATED_FULLY、IS_AUTHENTICATED_REMEMBERED, ...) 并且可能返回访问被拒绝而不是弃权.
AFAICS, the only problem is that, without the prefix, the RoleVoter will participate in decisions that it is not meant to (such as the IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED, ...) and might returns an access denied instead of an abstain.
您能否确认这是唯一带有空前缀的问题?
Could you please confirm that this is the only issue with an empty prefix?
提前致谢米.
推荐答案
是的.如果您使用多个投票者或自定义投票者,那么他们需要某种方式知道他们应该使用哪些属性.例如,如果您有一个 DayOfTheWeekVoter 并且您有一个使用属性 ROLE_USER,DAY_MONDAY 定义的资源,那么 RoleVoter 可能会投票授予访问权限,因为用户具有用户"角色,但 DayOfTheWeekVoter 可能会拒绝访问,因为它不是星期一.
Yes. If you are using multiple voters or a custom voter then they need some way knowing which attributes they should consume. For example, if you have a DayOfTheWeekVoter and you have a resource defined with attributes ROLE_USER,DAY_MONDAY then the RoleVoter might vote to grant access because the user has the role "User", but the DayOfTheWeekVoter might deny access because it is not a Monday.
如果您没有为 RoleVoter 配置前缀,那么它会检查用户是否具有分配给他们的名为DAY_MONDAY"的权限,因此这种情况将不起作用.
If you don't configure RoleVoter with a prefix then it would check if the user has the authority named "DAY_MONDAY" assigned to them, and so this scenario won't work.
如果你只对角色感兴趣,那么你可以不用前缀,或者你可以使用不使用的表达式(例如.hasRole('user'))角色投票者
If you are only interested in roles, then you can do without a prefix, or you can use expressions (such as hasRole('user')) which don't use a RoleVoter.
这篇关于为什么 Spring Security 的 RoleVoter 需要前缀?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
