Grails Spring Security插件 - 修改登录用户的权限 [英] Grails Spring Security plugin - modify logged in user's authorities

本文介绍了Grails Spring Security插件 - 修改登录用户的权限的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!


我有一个安装了Spring Security Core插件的简单Grails应用程序,并且工作正常。但是,我还没有找到任何解决方案来更新安全上下文中登录的用户权限。我不是在说更新当前用户的详细信息(即springSecurityService.reauthenticate)。





代码调用 PersonRole.removeAll(personInstanceB)和

  • 同时管理员B在其权限被修改时已经登录。管理员B可以继续在ROLE_ADMIN受限制页面上工作,直到他/她注销并执行新的登录。只有这样当局才会更新,管理员B具有新的角色(ROLE_USER)

  • 我希望管理员B在重定向到ROLE_USER页面时用户使用新角色进行更新,而不仅仅是在注销/登录之后 调用 springSecurityService.reauthenticate personInstanceB.username)导致管理员A以管理员B的身份登录,因此无法使用。

  • 任何想法都会受到欢迎。我可能错过了一些简单的东西,但我不知道解决方案是什么。


    在你的控制器/服务类中,$ / $> $ / $>


    User user = User.get(获取用户
    角色adminRole = //获取或创建管理角色

    角色userRole = //获取或创建用户角色
    UserRole.create user,role //添加用户角色


    if(!user.hasErrors()&&& true)){
    springSecurityService.reauthenticate user.username //刷新用户安全性deatils




    我要做的就是使用开关用户功能。请参阅切换用户 useSwitchUserFilter 属性设置为 true

  • 建议您为此特权创建一个新角色(例如 ROLE_SWITCH_USER )。 li>
  • 在您的管理页面某处,

     < sec:ifAllGranted roles =' ROLE_SWITCH_USER'> 
    < form action ='/ j_spring_security_switch_user'method ='POST'>
    切换到用户:< input type ='text'name ='j_username'/> <峰; br />
    < input type ='submit'value ='Switch'/>
    < / form>
    < / sec:ifAllGranted>

  • 使用用户名登录为您想要编辑的用户

  • 通过调用下面的 adminToUser()方法来更改其角色设置(例如)
  • 切换回原始用户

  • 完成。

  • -

      def adminToUser (user,adminRole,userRole){
    UserRole.remove user,adminRole
    UserRole.create user,userRole
    if(!user.hasErrors()&&& true)){
    springSecurityService.reauthenticate user.username

    I have a simple Grails app with Spring Security Core plugin installed and working fine. However, I haven't found any solution to the problem with updating a logged in user's authorities in the security context. I am not talking about updating the current user's details (i.e. springSecurityService.reauthenticate).

    My problem is: I have a simple user management app with ROLE_ADMIN and ROLE_USER authorities used. Now, I have 2 administrators logged in at the same time (with ROLE_ADMIN authority) from different computers, and one admin decides to change the other admin's authority from ROLE_ADMIN to ROLE_USER.

    How can I update the user and role so that the modified user (with new ROLE_USER role) cannot perform any ROLE_ADMIN level actions and is immediately redirected to ROLE_USER level pages? Is there a way to update the security context so I don't have to do additional checking in all the controller actions whether the logged in user's authorities have been changed? Can I use the cahceUsers property for that somehow? I haven't modified the cacheUsers and in my understanding, it's false by default. Please, correct me if I'm wrong.

    EDIT: The sequence that's causing the problem is

    1. Administrator "A" modifies administrator "B" and sets a new role (ROLE_USER) for administrator "B"

    2. the code calls PersonRole.removeAll(personInstanceB) and PersonRole.create(personInstanceB, roleAdmin) and everything is updated normally

    3. at the same time Administrator "B" is already logged in when their authorities are modified. Administrator "B" can continue working on ROLE_ADMIN restricted pages until he/she logs out and does a new login. Only then the authorities are updated and Administrator "B" has the new role (ROLE_USER)

    4. I want Administrator "B" to be redirected to the ROLE_USER pages when the user is updated with the new role and not only after logout/login

    5. calling springSecurityService.reauthenticate personInstanceB.username) causes Administrator "A" to be "logged in" as Administrator "B" so this does not work.

    Any ideas would be very welcome. I may have missed something simple here but I have no idea what the solution would be.

    Cheers, mizzzto


    This is untested but give it a try

    In your controller/service class,

    User user = User.get( //get the user
    Role adminRole = //get or create the admin Role
    UserRole.remove user, role // remove admin Role
    Role userRole = // get or create the user Role
    UserRole.create user, role //add the user Role
    if (!user.hasErrors() && true)) {
        springSecurityService.reauthenticate user.username // refresh the users security deatils


    That is a lot clearer now.

    What I would do off the top of my head is use the switch user function. see Switch User

    • First you set the useSwitchUserFilter attribute to true
    • It is advised you make a new role(e.g ROLE_SWITCH_USER) for this priviledge.
    • in your admin page somewhere,

      <sec:ifAllGranted roles='ROLE_SWITCH_USER'>
         <form action='/j_spring_security_switch_user' method='POST'>
            Switch to user: <input type='text' name='j_username'/> <br/>
            <input type='submit' value='Switch'/>

    • log in as the user you wish to edit using their username
    • change their role settings by making a call to the adminToUser() method below(for example)
    • switch back to the original user
    • Done.

    -- You can use the code form the first answer to create a method in your controller or service that take a userInstance and changes thier role from admin to user.

    def adminToUser(user, adminRole, userRole){
        UserRole.remove user, adminRole
        UserRole.create user, userRole 
        if (!user.hasErrors() && true)) {
            springSecurityService.reauthenticate user.username 

    这篇关于Grails Spring Security插件 - 修改登录用户的权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

    登录 关闭
    发送“验证码”获取 | 15天全站免登陆