每个组织的Spring Security用户角色 [英] Spring Security User Roles Per Organization
问题描述
在我的应用程序中,我有一个称为组织的顶级实体。用户和组织之间的关系是多对多的。
因此,我可以有以下情况:
- UserA具有用于OrganizationA的角色ROLE_ADMIN
- UserA具有用于OrganizationB的角色ROLE_USER
我需要确保当UserA访问OrganizationB的资源时,他不会将其作为ADMIN进行访问。所以我需要额外检查用户在组织级别具有正确的角色。 Spring Security中是否有内置的内容允许这样做?如果没有,有谁知道解决这个问题的最好方法是什么?
更新:更多信息...
用户登录并选择要使用的组织。这存储在会话中。除此之外,URL是通过Secured注释锁定的。这意味着如果用户A登录并选择OrgA,他们应该可以访问/ admin / user / create,但是如果他们登录并选择OrgB,他们就不应该访问该URL。
长远的方法是在每个重要的方法中添加额外的检查。因此,请调用一些服务方法,说:好吧,您是OrgA的管理员,但不是OrgB的管理员,并且您使用OrgB登录,因此拒绝此请求。
我希望能有更多的grails / spring-security方法来处理这个问题。
自定义 AccessDecisionVoter 。 vote 方法将为您提供资源(方法或URL)的配置属性,这通常是必需的角色,您可以获取当前用户的角色/权限直接从 Authentication 对象,或通过阅读当前组织并为用户选择适当的角色。
我假设你有一些区分用户角色的方式,根据他们选择的组织。
基本上,你会写一个扩展版本的标准 RoleVoter ,它将组织考虑在内。
In my application I have a top level entity called Organization. The relationship between User and Organization is many-to-many.
Because of this I could have the following scenario:
- UserA has role ROLE_ADMIN for OrganizationA
- UserA has role ROLE_USER for OrganizationB
I need to ensure that when UserA accesses resources for OrganizationB he is not doing it as an ADMIN. So I need an additional check that the user has the correct roles at the organization level. Is there anything built into Spring Security that allows for this? If not, does anyone know what the best way would be to about solving this?
UPDATE: A bit more information...
A User logs in and chooses which org they want to work with. That is stored in the session. Beyond that, URLs are locked down with the Secured annotation. What that means is that if UserA were to log in and select OrgA, they should be able to access /admin/user/create however, if they log in and choose OrgB they should not have access to that URL.
The long way is to add additional checks in every method where this matters. So call some service method that says "ok, you're an admin for OrgA but not for OrgB and you're logged in using OrgB, so deny this request".
I'm hoping for a more grails / spring-security way of handling this.
You can probably do this by using a custom AccessDecisionVoter. The vote method will supply you with the "configuration attributes" for the resource (method or URL), which will typically be the required roles, and you can obtain the current user's roles/authorities either directly from the Authentication object, or by reading the current org and selecting the appropriate roles for the user.
I'm assuming that you have some way of differentiating the user's roles, based on the org they've selected.
Essentially, you'd be writing an extended version of the standard RoleVoter, which takes the organization into account.
这篇关于每个组织的Spring Security用户角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
