为什么 Spring Security 的 RoleVoter 需要前缀?

本文介绍了为什么 Spring Security 的 RoleVoter 需要前缀?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

在我们的应用程序中，我们计划使用 RoleVoter 机制，但我们希望删除 ROLE_ 前缀，因为我们正在实施的安全性更基于任务 而不是 基于角色的.

In our application we planned to use the RoleVoter mechanism but we'd like to remove the ROLE_ prefix as the security we are implementing is more task based than role based.

从技术上讲，实现没有问题，但我在文档中发现不鼓励使用带有空前缀的RoleVoter.

Technically, there is no problem for the implementation but I found in the documentation that using the RoleVoter with an empty prefix should be discouraged.

我想知道为什么?

AFAICS，唯一的问题是，如果没有前缀，RoleVoter 将参与它不应该参与的决策(例如 IS_AUTHENTICATED_FULLY、IS_AUTHENTICATED_REMEMBERED, ...) 并且可能返回访问被拒绝而不是弃权.

AFAICS, the only problem is that, without the prefix, the RoleVoter will participate in decisions that it is not meant to (such as the IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED, ...) and might returns an access denied instead of an abstain.

您能否确认这是唯一带有空前缀的问题?

Could you please confirm that this is the only issue with an empty prefix?

提前致谢米.

推荐答案

是的.如果您使用多个投票者或自定义投票者，那么他们需要某种方式知道他们应该使用哪些属性.例如，如果您有一个 DayOfTheWeekVoter 并且您有一个使用属性 ROLE_USER,DAY_MONDAY 定义的资源，那么 RoleVoter 可能会投票授予访问权限，因为用户具有用户"角色，但 DayOfTheWeekVoter 可能会拒绝访问，因为它不是星期一.

Yes. If you are using multiple voters or a custom voter then they need some way knowing which attributes they should consume. For example, if you have a DayOfTheWeekVoter and you have a resource defined with attributes ROLE_USER,DAY_MONDAY then the RoleVoter might vote to grant access because the user has the role "User", but the DayOfTheWeekVoter might deny access because it is not a Monday.

如果您没有为 RoleVoter 配置前缀，那么它会检查用户是否具有分配给他们的名为DAY_MONDAY"的权限，因此这种情况将不起作用.

If you don't configure RoleVoter with a prefix then it would check if the user has the authority named "DAY_MONDAY" assigned to them, and so this scenario won't work.

如果你只对角色感兴趣，那么你可以不用前缀，或者你可以使用不使用的表达式(例如hasRole('user'))角色投票者.

If you are only interested in roles, then you can do without a prefix, or you can use expressions (such as hasRole('user')) which don't use a RoleVoter.

这篇关于为什么 Spring Security 的 RoleVoter 需要前缀?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！