1. 首頁
  2. 問答
  3. 如何在Spring Security中使用自定義角色/權限?

如何在Spring Security中使用自定義角色/權限?

2009-06-12 269 views
28

在遷移遺留應用程序的Spring Security我有以下異常:如何在Spring Security中使用自定義角色/權限?

org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [superadmin] 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) 
at java.security.AccessController.doPrivileged(Native Method) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) 
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)

在舊的應用程序有像「超級管理員」,「編輯」,「服務支持」等,但在所有的Spring Security例子角色我只看到像「ROLE_」(「ROLE_ADMIN」等)的角色。當我將「superadmin」重命名爲「ROLE_ADMIN」並僅在配置中使用此角色時,一切正常。

不起作用:

<http auto-config="true">          
    <intercept-url pattern="/restricted/**" access="superadmin"/> 
    <form-login 
     authentication-failure-url="/secure/loginAdmin.do?error=true" 
     login-page="/secure/loginAdmin.do" />   
</http>

作品:

<http auto-config="true">          
    <intercept-url pattern="/restricted/**" access="ROLE_ADMIN"/> 
    <form-login 
     authentication-failure-url="/secure/loginAdmin.do?error=true" 
     login-page="/secure/loginAdmin.do" />   
</http>

可以使用自定義角色的名字呢?

來源

2009-06-12 D. Wroblewski

+0

這個[問題](http://stackoverflow.com/questions/283870/acegi-security-how-do-i-add - 另一個授權 - 認證 - 匿名)可能會有所幫助。 – kgiannakakis 2009-06-12 14:29:31

回答

39

您正在使用預期角色以"ROLE_"前綴開頭的默認配置。您將不得不添加自定義安全配置並將rolePrefix設置爲「」;

http://forum.springsource.org/archive/index.php/t-53485.html

來源

2009-06-12 15:41:19 rodrigoap

+0

我可以有ROLE_FOO或ROLE_BAR或ROLE_ANYTHING_I_WANT嗎?你提供的鏈接並沒有解決問題,它只是一些人說「無法爲RoleVoter設置RolePrefix」 – 2009-11-05 13:28:45

11

下面是使用訪問表達式完整的配置(由@rodrigoap提供的鏈接似乎有點有點過時):

<http 
     access-decision-manager-ref="accessDecisionManager" 
     use-expressions="true"> 

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> 
    <beans:property name="decisionVoters"> 
     <beans:list> 
      <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/> 
      <beans:bean class="org.springframework.security.access.vote.RoleVoter"> 
       <beans:property name="rolePrefix" value=""/> 
      </beans:bean> 
      <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/> 
     </beans:list> 
    </beans:property> 
</beans:bean>

來源

2011-12-01 14:30:46

7

您也可以始終使用表達式(通過config use-expressions="true")忽略ROLE_前綴。

閱讀的Spring Security 3.1的源代碼後,我發現當use-expressions="true"

對於<security:http >
HttpConfigurationBuilder#createFilterSecurityInterceptor()將REGIST WebExpressionVoter但不RoleVoterAuthenticatedVoter;

<security:global-method-security >對於:GlobalMethodSecurityBeanDefinitionParser#registerAccessManager()將REGIST PreInvocationAuthorizationAdviceVoter(有條件地),則總是記數RoleVoterAuthenticatedVoter,記數Jsr250Voter有條件;

PreInvocationAuthorizationAdviceVoter將處理PreInvocationAttribute(PreInvocationExpressionAttribute將用作執行),它是根據@PreAuthorize生成的。 PreInvocationExpressionAttribute#getAttribute()總是返回null,所以RoleVoter,AuthenticatedVoter不投票。

來源

2013-03-12 07:10:16 btpka3

2

使用 Spring Security 3.2,這爲我工作。

更改角色前綴:

<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"> 
    <beans:property name="rolePrefix" value="NEW_PREFIX_"/> 
</beans:bean> 

<beans:bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/> 

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> 
    <beans:constructor-arg > 
     <beans:list> 
      <beans:ref bean="roleVoter"/> 
      <beans:ref bean="authenticatedVoter"/> 
     </beans:list> 
    </beans:constructor-arg> 
</beans:bean>

根據要應用它可以在安全模式級或豆級應用中的作用前綴。

<http access-decision-manager-ref="accessDecisionManager" use-expressions="true">

在服務級別應用的角色前綴:

<beans:bean id="myService" class="com.security.test"> 
    <security:intercept-methods access-decision-manager-ref="accessDecisionManager"> 
     <security:protect access="NEW_PREFIX_ADMIN"/> 
    </security:intercept-methods> 
</beans:bean>

來源

2014-04-24 05:56:32 user2601995

相關問題

 相關問題