春季安全授权自定义用户组 [英] Spring Security authorization for custom usergroups
问题描述
我想实现使用Spring Security的Web应用程序。我理解的Spring Security的基于角色的机制,并能得到它的工作。我的问题是,在我的web应用程序的用户可以创建自己有团体和添加好友(该应用程序的其他用户)它。到用户的一些页面的访问是基于这个朋友的基团。它应该类似于Facebook的用户和组。
我怎样才能实现这些自定义用户组和获得用户的网页带弹簧的安全?是否有这个用例默认机制?或者我应该实现自己的数据库表?
I am trying to implement a web application with spring security. I understand the role based mechanism of spring security and can get it to work. My problem is, in my web app users can create there own groups and add friends (other users of the app) to it. The access to some pages of the user is based on this friends-group. It should work similar to facebook user and groups. How can I implement these custom user groups and the access to users pages with spring security? Is there a default mechanism for this use case? Or should I implement my own DB tables?
推荐答案
我使用的用户组,ACL机制。基本上我要确保为业主设置一个对象被创建的ACL时。然后,当另一个用户试图访问该对象的所有者的组进行检查以查看是否存在匹配
I am using user groups with ACL mechanism. Basically I make sure that when ACL is created for an object the owner is set. Then when another user tries to access this object the owner's groups are checked to see if there is a match.
这当然意味着,当用户改变他的组,则对象去与他。
This of course means that when user changes his groups then the object 'goes with him'.
如果您不希望这种行为你可以组对象的ACL作为一个安全对象的父ACL。然后,当用户更改组,你应该为组对象ACL正确的条目。通过这种方式,安全的对象是联系在一起的用户组而不是用户自己
If you don't want this behavior you can have group object's ACL as a parent acl for a secure object. Then when a user changes groups you should set the correct entries for group object ACL. This way the secure object is tied to the user group not the user himself.
这篇关于春季安全授权自定义用户组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
