问题描述
我正在使用Spring Security ACL。当我保存对象时,我还创建了一个新的ACE(访问控制条目)。我正在使用这种方法:
I am using Spring Security ACL. When I save an object I also create a new ACE (Access Control Entry). I am using this method:
acl.insertAce(acl.getEntries().size(), BasePermission.CREATE, recipient, true);
我想知道我是否正确使用此方法一次获得所有者的所有许可(添加它的经过身份验证的用户)对于权限应该具有相同的权限吗?
I am wondering if I got it right when I invoke this method one time for all the permission the owner (the authenticated user that added it) should have and the same for authorities?
示例:
如果添加条目的用户也应具有READ访问权限我再调用一次:
If the user who adds the entry also should have READ access I invoke this one more time:
acl.insertAce(acl.getEntries().size(), BasePermission.READ, recipient, true);
等等?这是应该正确使用的方式吗?
And so on? This is the way it is supposed to be used right?
在ACL中只有主管部门和主体,或者只是主体是正常的。我的意思是,你在<$ c中混合 hasRole('ROLE_ADMIN')和 hasPermission(...) $ c> @PreAuthorize 或者您是否在ACL中都有主体和权限,因此您只能使用 hasPermission(...)
And is it normal to have both the authorities and the principals in ACL or just the principals. I mean, do you mix hasRole('ROLE_ADMIN') and hasPermission(...) in the @PreAuthorize or do you have both principals and authorities in ACL so you only use hasPermission(...)
推荐答案
默认情况下,当Spring Security ACL评估权限时,它会考虑更高的权限。例如,如果您具有CREATE(2)权限,则自动表示您具有READ(1)权限。出于某种原因,我很难找到特定的查询,这是他们的默认策略之一。因此,在给出CREATE权限后,您不必授予READ权限。
By default, when Spring Security ACL evaluates permissions it will take into account higher permissions. For example, if you have CREATE (2) permission, that automatically means you have READ (1) permission. For some reason I am having a hard time locating that particular query, it's in one of their default strategy impls. So, you shouldn't have to grant READ rights after CREATE rights have been given.
就组合角色和权限检查而言,完全正常。例如,在我的应用程序系统中,管理员(ROLE_ADMIN)是可以执行任何操作的超级用户,例如更新其他用户的数据,以下是我如何检查当前用户是否可以更新实体,其中#entity是您要更新的实际对象:
As far as combining role and permission checking, perfectly normal to do. For example, in my application system admins (ROLE_ADMIN) are super users who can do anything, e.g. update other user's data, so here is how I check if the current user can update an entity, where #entity is the actual object you are updating:
@PreAuthorize("hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMIN')")
如果您想要更精细的权限,可以使用安全组。例如,在我的应用程序中,用户可以宣传他们教授的不同课程,可以在全球范围内教授课程([email protected]可以在任何地方教授此课程),在健身房层面(任何健身房ID 123的教练可以教授此课程)或者健身教练水平([email protected]可以在健身房ID 123教授这门课程)。为了支持这样的事情,你需要有3个级别的权限:
If you want finer grained permissions, you can use security groups. For example, in my application users advertise different classes they teach, classes can be taught at global level ([email protected] can teach this class anywhere), at gym level (any trainer at gym ID 123 can teach this class) or at gym-trainer level ([email protected] can teach this class at gym ID 123). In order to support something like that, you'd need to have 3 levels of permissions:
Global:[email protected] - >这是一个SidPrincipal
Global: [email protected] -> this is a SidPrincipal
健身房:GYM_123_TRAINERS - >这是一个GrantedAuthoritySid
Gym: GYM_123_TRAINERS -> this is a GrantedAuthoritySid
健身教练:[email protected] - >这个是一个GrantedAuthoritySid
Gym-trainer: [email protected] -> this is a GrantedAuthoritySid
当用户登录时,我遍历他所教的所有健身房并添加GYM_ID_TRAINERS角色以确定他是健身教练组的一部分,以及GYM_ID_TRAINERS - 用户名角色,在健身房识别他为他。
When user logs in, I loop over all the gyms he teaches at and add GYM_ID_TRAINERS role to identify him as being part of the gym trainer group, and GYM_ID_TRAINERS-username role to identify him as him at that gym.
这篇关于授予Spring Security Acl权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!