Grails Spring Security插件 - 修改登录用户的权限 [英] Grails Spring Security plugin - modify logged in user's authorities

问题描述

我有一个安装了Spring Security Core插件的简单Grails应用程序，并且工作正常。但是，我还没有找到任何解决方案来更新安全上下文中登录的用户权限。我不是在说更新当前用户的详细信息（即springSecurityService.reauthenticate）。

我的问题是：我有一个简单的用户管理应用程序，使用了ROLE_ADMIN和ROLE_USER权限。现在，我有两个管理员从不同的计算机同时登录（使用ROLE_ADMIN权限），一个管理员决定将其他管理员的权限从ROLE_ADMIN更改为ROLE_USER。

如何更新用户和角色，以便修改的用户（具有新的ROLE_USER角色）不能执行任何ROLE_ADMIN级别的操作，并立即重定向到ROLE_USER级别的页面？有没有办法更新安全上下文，所以我不必在所有控制器操作中进行额外检查，无论登录用户的权限是否已更改？我能以某种方式使用cahceUsers属性吗？我没有修改cacheUser，并且我的理解是默认为false。如果我错了，请纠正我。

编辑：
导致问题的顺序是

管理员A修改管理员B并为管理员B设置新角色（ROLE_USER）。

代码调用 PersonRole.removeAll（personInstanceB）和
PersonRole.create（personInstanceB，roleAdmin）并且一切正常更新

同时管理员B在其权限被修改时已经登录。管理员B可以继续在ROLE_ADMIN受限制页面上工作，直到他/她注销并执行新的登录。只有这样当局才会更新，管理员B具有新的角色（ROLE_USER）

我希望管理员B在重定向到ROLE_USER页面时用户使用新角色进行更新，而不仅仅是在注销/登录之后 调用 springSecurityService.reauthenticate personInstanceB.username）导致管理员A以管理员B的身份登录，因此无法使用。

任何想法都会受到欢迎。我可能错过了一些简单的东西，但我不知道解决方案是什么。

干杯，
mizzzto

在你的控制器/服务类中，$ / $> $ / $>

  ... 
 
 User user = User.get（springSecurityService.principal.id）//获取用户
角色adminRole = //获取或创建管理角色
 UserRole.remove用户，角色//删除管理员角色
 
角色userRole = //获取或创建用户角色
 UserRole.create user，role //添加用户角色
 
 ... 
 
 if（！user.hasErrors（）&&& user.save（flush： true））{
 springSecurityService.reauthenticate user.username //刷新用户安全性deatils 
} 
 
 .... 
  

编辑

现在更清晰了。

我要做的就是使用开关用户功能。请参阅切换用户 useSwitchUserFilter 属性设置为 true

建议您为此特权创建一个新角色（例如 ROLE_SWITCH_USER ）。 li>

在您的管理页面某处，

 < sec：ifAllGranted roles =' ROLE_SWITCH_USER'> 
< form action ='/ j_spring_security_switch_user'method ='POST'> 
切换到用户：< input type ='text'name ='j_username'/> <峰; br /> 
< input type ='submit'value ='Switch'/> 
< / form> 
< / sec：ifAllGranted> 
  

使用用户名登录为您想要编辑的用户

通过调用下面的 adminToUser（）方法来更改其角色设置（例如）

切换回原始用户

完成。

-
您可以使用代码形式首先回答在您的控制器或服务中创建一个方法，该方法需要一个userInstance并将其角色从admin更改为user。

  def adminToUser （user，adminRole，userRole）{
 UserRole.remove user，adminRole 
 UserRole.create user，userRole 
 if（！user.hasErrors（）&&& user.save（flush： true））{
 springSecurityService.reauthenticate user.username 
} 
} 
  

I have a simple Grails app with Spring Security Core plugin installed and working fine. However, I haven't found any solution to the problem with updating a logged in user's authorities in the security context. I am not talking about updating the current user's details (i.e. springSecurityService.reauthenticate).

My problem is: I have a simple user management app with ROLE_ADMIN and ROLE_USER authorities used. Now, I have 2 administrators logged in at the same time (with ROLE_ADMIN authority) from different computers, and one admin decides to change the other admin's authority from ROLE_ADMIN to ROLE_USER.

How can I update the user and role so that the modified user (with new ROLE_USER role) cannot perform any ROLE_ADMIN level actions and is immediately redirected to ROLE_USER level pages? Is there a way to update the security context so I don't have to do additional checking in all the controller actions whether the logged in user's authorities have been changed? Can I use the cahceUsers property for that somehow? I haven't modified the cacheUsers and in my understanding, it's false by default. Please, correct me if I'm wrong.

EDIT: The sequence that's causing the problem is

1. Administrator "A" modifies administrator "B" and sets a new role (ROLE_USER) for administrator "B"

2. the code calls PersonRole.removeAll(personInstanceB) and PersonRole.create(personInstanceB, roleAdmin) and everything is updated normally

3. at the same time Administrator "B" is already logged in when their authorities are modified. Administrator "B" can continue working on ROLE_ADMIN restricted pages until he/she logs out and does a new login. Only then the authorities are updated and Administrator "B" has the new role (ROLE_USER)

4. I want Administrator "B" to be redirected to the ROLE_USER pages when the user is updated with the new role and not only after logout/login

5. calling springSecurityService.reauthenticate personInstanceB.username) causes Administrator "A" to be "logged in" as Administrator "B" so this does not work.

Any ideas would be very welcome. I may have missed something simple here but I have no idea what the solution would be.

Cheers, mizzzto

解决方案

This is untested but give it a try

In your controller/service class,

...

User user = User.get(springSecurityService.principal.id) //get the user
Role adminRole = //get or create the admin Role
UserRole.remove user, role // remove admin Role

Role userRole = // get or create the user Role
UserRole.create user, role //add the user Role

... 

if (!user.hasErrors() && user.save(flush: true)) {
    springSecurityService.reauthenticate user.username // refresh the users security deatils
}

....

EDIT

That is a lot clearer now.

What I would do off the top of my head is use the switch user function. see Switch User

• First you set the useSwitchUserFilter attribute to true
• It is advised you make a new role(e.g ROLE_SWITCH_USER) for this priviledge.

• in your admin page somewhere,

  <sec:ifAllGranted roles='ROLE_SWITCH_USER'>
     <form action='/j_spring_security_switch_user' method='POST'>
        Switch to user: <input type='text' name='j_username'/> <br/>
        <input type='submit' value='Switch'/>
     </form>
  </sec:ifAllGranted>
  

• log in as the user you wish to edit using their username
• change their role settings by making a call to the adminToUser() method below(for example)
• switch back to the original user
• Done.

-- You can use the code form the first answer to create a method in your controller or service that take a userInstance and changes thier role from admin to user.

def adminToUser(user, adminRole, userRole){
    UserRole.remove user, adminRole
    UserRole.create user, userRole 
    if (!user.hasErrors() && user.save(flush: true)) {
        springSecurityService.reauthenticate user.username 
    }
}

这篇关于Grails Spring Security插件 - 修改登录用户的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！