Spring security group based authorization


Problem description


I intend to make a group based permission scheme but I am confused about the following:

I have some questions:

  1. What is the best approach: User > Group > Roles > Permissions or User > Roles > Permissions?
  2. How to implement the security (login/remember me) in this case (need a link to a good tutorial).
  3. Will the method level security use the annotation @PreAuthorize with hasPermission(#, '') or hasRole or what?
  4. How will I hide components (administration for non admins) in the UI depending on the permissions (UI is JSF)?
  5. If I hid components in the view, what will be the importance of the method level security then?


Recommended answer


To design a security model is not a simple task in itself, and without detailed knowledge of the domain You're trying to secure it's close to impossible. Having said that, any advice You can get here will be as general as Your question is.


1) In most applications User -> Roles is enough. In more complex ones User -> Roles -> Permissions could be used, but it all depends on how You'll define the scope of each. Often fine grained roles and assigning a couple of them to the user is just what You'll need. I'd say putting in another level by adding Groups in the middle is a bit too much. Imagine it as a file system - flat file systems exist and are way less complicated than it may seem. Take Your time while deciding this, as this is one of the most important decisions and will have many implications that are not always easy to predict.


2) The authentication and remember-me mechanisms are already implemented in Spring Security - all You need to do is choose the implementation that best suits You and configure it using the security namespace support. Do take a look at the Petclinic example app and this tutorial, if You haven't already.


3) If You decide on using permissions, You should always check for permissions. Keep the grain level You chose. Be consistent. Always.


4) Depending on the view technology You use, the JSP taglib may come in handy (as mentioned by Ralph). There is no such thing for JSF - but it's relatively simple to write something similar.


5) As Ralph said, if You hide something it doesn't mean it doesn't exist any more - it still can be called by an unprivileged user.
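Points 3 to 5 of the answer in one place, as an added example that is not part of the original question or answer: a service method guarded by @PreAuthorize is the real enforcement point, while a small JSF managed bean stands in for the JSP taglib so pages can hide components. The class names and the 'User' target type are hypothetical; it assumes method security is enabled (e.g. `<global-method-security pre-post-annotations="enabled"/>`) and, for hasPermission(), that a PermissionEvaluator has been registered.

```java
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Service layer: the actual enforcement point. A caller that bypasses the page
// and invokes deleteUser() directly gets an AccessDeniedException unless the
// authenticated user holds ROLE_ADMIN. (UserAdminService is a hypothetical name.)
@Service
class UserAdminService {
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteUser(String username) {
        // reached only after the role check has passed
    }

    // Permission-style variant for a User -> Roles -> Permissions model.
    // hasPermission() delegates to a PermissionEvaluator, which must be
    // registered separately (assumed, not shown here).
    @PreAuthorize("hasPermission(#username, 'User', 'WRITE')")
    public void resetPassword(String username) {
        // reached only if the evaluator grants WRITE on this User
    }
}

// JSF-side substitute for the JSP taglib mentioned in the answer. In a Facelets
// page: <h:commandButton rendered="#{securityBean.hasRole('ROLE_ADMIN')}" .../>
// This only hides the button; it does not stop a direct call to the service.
@ManagedBean(name = "securityBean")
@RequestScoped
public class SecurityBean {
    public boolean hasRole(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```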
