How to control the user authentication using Spring MVC


Question

I am using Spring MVC 3 to build a user-manager system.

This system contains the following models:

Department
User

And the departments have a hierarchical structure, for example:

Dep1
  SubDep1
  SubDep2
    Sub_sub_dep1
    xxxx

One can add/update/delete departments/users if he is authenticated, but he can only do these operations within his own department and its sub-departments.

For example, there are three departments (with their users):

Dep01(user1:{id:1})
  Dep0101(user2:{id:2})
  Dep0102(user3:{id:3})
    Dep010201(user4:{id:4})

So user1 can add/update/delete all the users (user1, user2, user3, user4).

While user3 can only do the operations for the users (user3, user4).

I can control that user3 cannot see user1 and user2 in the department/list page.

But what if he enters a URL like this:

department/update/1

This has to be avoided, since user1 (whose id is 1) does not belong to Dep0102 or Dep010201.

How do I control this?

Answer

One option is to create a custom Spring Security PermissionEvaluator and implement your custom checks in its hasPermission(Authentication authentication, Object targetDomainObject, Object permission) method.

The signature of the method to protect ends up looking like this:

@PreAuthorize("hasRole('ROLE_USER') and hasPermission(#_dept, 'deptAndSubs')")
public String methodToProtect(String _dept) throws Exception {
    // <custom code>
}

The first argument to the hasPermission expression is the department that the user wants to modify, and the second is the permission. For us the deptAndSubs permission indicates that the user can execute the method only if the department being modified is equal to the user's assigned department or any of the sub-departments of that department (other permissions are 'deptOnly' and 'subsOnly').

In our application we have a custom Spring Security UserDetails object that includes the user's department code, so we can get the logged-in user's department directly from the Authentication object that Spring passes into the method. Here's what the custom evaluator finally ends up looking like:

import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

public class CustomPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        // AppUser is our custom UserDetails; it carries the logged-in user's department code
        AppUser appUser = (AppUser) authentication.getPrincipal();
        if (permission instanceof String) {
            if ("deptAndSubs".equals(permission)) {
                return isTargetDeptInUserDeptTree((String) targetDomainObject, appUser.getDeptCode());
            }
            // .... other permission checks ('deptOnly', 'subsOnly') go here
        }
        return false; // unknown permission or wrong type: deny
    }

    // The interface also requires the id/type variant; we do not use it, so it denies everything
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        return false;
    }
}

The method isTargetDeptInUserDeptTree is custom code that extracts the user's department tree and verifies that the target department is in it.

Finally you have to set up your XML configuration:

<global-method-security pre-post-annotations="enabled" >
    <expression-handler ref="expressionHandler"/>
</global-method-security>

<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="customPermissionEvaluator"/>
</beans:bean>

<beans:bean id="customPermissionEvaluator" class="....CustomPermissionEvaluator"/>

Good luck!
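The following is an added example, not code from the question or the answer above: it fills in the pieces the answer leaves out (the custom principal, a concrete isTargetDeptInUserDeptTree, the second hasPermission overload, and the controller that the URL from the question hits). The class names AppUser, DepartmentTree, DeptPermissionEvaluator and DepartmentController, the URL paths, the view names and the sample department data are all assumptions; the sample data mirrors the four-department tree in the question.

```java
import java.io.Serializable;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;

/** Principal carrying the department code. Assumed: your UserDetailsService builds this. */
class AppUser extends User {
    private final String deptCode;

    AppUser(String username, String password,
            Collection<? extends GrantedAuthority> authorities, String deptCode) {
        super(username, password, authorities);
        this.deptCode = deptCode;
    }

    String getDeptCode() { return deptCode; }
}

/** Hierarchy lookups. Assumed: in a real application these are repository queries.
 *  The data below is constructed sample data copied from the tree in the question. */
class DepartmentTree {
    private final Map<String, String> parentOf = new HashMap<>();  // child code -> parent code
    private final Map<Long, String> deptOfUser = new HashMap<>();  // user id -> department code

    DepartmentTree() {
        parentOf.put("Dep0101", "Dep01");
        parentOf.put("Dep0102", "Dep01");
        parentOf.put("Dep010201", "Dep0102");
        deptOfUser.put(1L, "Dep01");
        deptOfUser.put(2L, "Dep0101");
        deptOfUser.put(3L, "Dep0102");
        deptOfUser.put(4L, "Dep010201");
    }

    String departmentOfUser(Long userId) { return deptOfUser.get(userId); }

    /** True if target equals root or lies anywhere beneath it. Walks upward from the target,
     *  so the user's subtree never has to be materialised; the visited set stops a corrupted
     *  (cyclic) hierarchy from looping forever. */
    boolean isInSubtree(String target, String root) {
        Set<String> visited = new HashSet<>();
        for (String cur = target; cur != null && visited.add(cur); cur = parentOf.get(cur)) {
            if (cur.equals(root)) return true;
        }
        return false;
    }
}

class DeptPermissionEvaluator implements PermissionEvaluator {
    private final DepartmentTree tree;

    DeptPermissionEvaluator(DepartmentTree tree) { this.tree = tree; }

    /** Target is a department code (hasPermission(#deptCode, 'deptAndSubs')). */
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (!(auth.getPrincipal() instanceof AppUser) || !(target instanceof String)) return false;
        return check(((AppUser) auth.getPrincipal()).getDeptCode(), (String) target, permission);
    }

    /** Target is an id of another type (hasPermission(#userId, 'User', 'deptAndSubs')):
     *  a user id is resolved to that user's department before the same check runs. */
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        if (!(auth.getPrincipal() instanceof AppUser) || !"User".equals(targetType)) return false;
        Long userId;
        try { userId = Long.valueOf(String.valueOf(targetId)); } catch (NumberFormatException e) { return false; }
        return check(((AppUser) auth.getPrincipal()).getDeptCode(), tree.departmentOfUser(userId), permission);
    }

    private boolean check(String userDept, String targetDept, Object permission) {
        if (userDept == null || targetDept == null) return false;   // unknown user or target: deny
        if ("deptOnly".equals(permission))    return userDept.equals(targetDept);
        if ("subsOnly".equals(permission))    return !userDept.equals(targetDept) && tree.isInSubtree(targetDept, userDept);
        if ("deptAndSubs".equals(permission)) return tree.isInSubtree(targetDept, userDept);
        return false;                                                 // unknown permission string: deny
    }
}

@Controller
class DepartmentController {
    /** user3 (Dep0102) may open Dep010201 here, but Dep0101 or Dep01 is denied before the body runs. */
    @RequestMapping("/department/update/{deptCode}")
    @PreAuthorize("hasRole('ROLE_USER') and hasPermission(#deptCode, 'deptAndSubs')")
    public String updateDepartment(@PathVariable("deptCode") String deptCode) {
        return "department/edit";   // assumed view name
    }

    /** The URL in the question carries a user id, so the id is resolved through the 4-argument overload:
     *  user3 requesting user id 1 is denied because user1 sits in Dep01, above Dep0102. */
    @RequestMapping("/user/update/{userId}")
    @PreAuthorize("hasRole('ROLE_USER') and hasPermission(#userId, 'User', 'deptAndSubs')")
    public String updateUser(@PathVariable("userId") Long userId) {
        return "user/edit";         // assumed view name
    }
}
```

To wire this into the XML from the answer, give the customPermissionEvaluator bean a constructor-arg referencing a DepartmentTree bean. Two caveats worth checking when the annotation seems to have no effect: the `#deptCode` / `#userId` references only resolve if the classes are compiled with debug information (parameter names are read from the local variable table), and `<global-method-security>` must be declared in the same application context that creates the controllers (the DispatcherServlet's context), otherwise the controllers are never proxied and @PreAuthorize is silently ignored. This method-level check is what closes the hole in the question: filtering the list page hides links, but only the check on the update method itself stops a hand-typed URL.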
