Denying access for multiple users of the same role in Spring Security


Question

I've run into such a situation: my application has several roles (administrator, moderator, user). Moderator and User can edit some forms. All permissions are OK. But when I'm logged in as a user (role User) and change an id in the URL, I can simply get and edit the form of another user (role User).

How to deny access and prevent such actions?

PS. The version of Spring and Spring Security is 3.1.2.

Update: added Spring Security context

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                    http://www.springframework.org/schema/security
                    http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true" auto-config="false"
        entry-point-ref="authenticationEntryPoint" access-denied-page="/403.jsp">
        <form-login login-page="/login.html"
            authentication-failure-url="/login.html?error=true"
            login-processing-url="/j_spring_security_check"
            authentication-success-handler-ref="successHandler" />
        <logout logout-url="/logout" logout-success-url="/login.html" />
        <intercept-url pattern="/admin/**" access="hasRole('adminViewPermission')" />
        <intercept-url pattern="/moderator/**" access="hasRole('moderatorViewPermission')" />

        <!-- Ant patterns must start with "/": the original "**/form-management"
             never matches a request path, so the rule was silently ignored -->
        <intercept-url pattern="/**/form-management"
            access="hasRole('formManagementPermission')" />

    </http>


    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>

    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.html" />
        <beans:property name="forceHttps" value="false" />
    </beans:bean>

    <beans:bean id="successHandler"
        class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/authenticate" />
        <beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
    </beans:bean>

    <beans:bean id="userDetailsService"
        class="com.jack.MyYserDetailsService">
    </beans:bean>
</beans:beans>


Recommended answer

It looks like you want to take the actual domain object into account for your security rule. A normal Spring Security setup with users and roles can add security rules like this: who (an authenticated user with some role) may access some URL / method invocation. If you want to be able to use enhanced rules like this: who (an authenticated user with some role) may access some URL / method invocation and what domain objects he can use, then you need to use the ACL feature.

EDIT. But if you need just one security rule like this, then setting up ACL may be overkill. You can try to enhance your actual Spring Security setup with a custom web security expression:

<intercept-url pattern="/moderator/**" access="hasRole('moderatorViewPermission') and userIsAuthor()" />

where the userIsAuthor() method:

  • extracts the id of the object from the URL (I think something like /moderator/item/56)

  • checks whether the current user is the author of the item with id = 56.
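One way to implement the userIsAuthor() expression described in the answer, as an added example that is not part of the original answer (Java, Spring Security 3.1 API). It assumes a hypothetical ItemAuthorLookup that maps an item id to its author's username and that the protected URLs look like /moderator/item/{id}; the handler is wired into the XML above with a bean plus <expression-handler ref="..."/> inside <http>.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;

/** Hypothetical lookup (assumption): username of the item's author, or null if the item is unknown. */
interface ItemAuthorLookup {
    String findAuthorUsername(long itemId);
}

/** Expression root that adds userIsAuthor() next to the built-in hasRole(), isAuthenticated(), ... */
class AuthorAwareExpressionRoot extends WebSecurityExpressionRoot {
    // Only URLs of this shape carry an item id; anything else fails closed.
    private static final Pattern ITEM_URL = Pattern.compile("^/moderator/item/(\\d+)(?:/.*)?$");
    private final ItemAuthorLookup lookup;

    AuthorAwareExpressionRoot(Authentication a, FilterInvocation fi, ItemAuthorLookup lookup) {
        super(a, fi);
        this.lookup = lookup;
    }

    public boolean userIsAuthor() {
        // Strip the context path so the regex sees /moderator/item/56, not /app/moderator/item/56
        String path = request.getRequestURI().substring(request.getContextPath().length());
        Matcher m = ITEM_URL.matcher(path);
        if (!m.matches()) {
            return false; // no id in the URL: deny rather than guess
        }
        String author = lookup.findAuthorUsername(Long.parseLong(m.group(1)));
        return author != null && author.equals(getAuthentication().getName());
    }
}

/** Handler that gives Spring Security the custom root; register it as a bean and reference it from <expression-handler ref="..."/>. */
class AuthorAwareExpressionHandler extends DefaultWebSecurityExpressionHandler {
    private final ItemAuthorLookup lookup;

    AuthorAwareExpressionHandler(ItemAuthorLookup lookup) {
        this.lookup = lookup;
    }

    @Override
    protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, FilterInvocation fi) {
        AuthorAwareExpressionRoot root = new AuthorAwareExpressionRoot(authentication, fi, lookup);
        root.setPermissionEvaluator(getPermissionEvaluator()); // keep hasPermission() working
        root.setTrustResolver(new AuthenticationTrustResolverImpl()); // keep isAnonymous()/isFullyAuthenticated() working
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}
```

Because the check is keyed on the path, the same lookup should also guard the form's POST handler (or a @PreAuthorize rule), otherwise an id submitted in the request body bypasses the URL-based rule.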

