
How to integrate User permissions in Ldap

My target is to assign permissions to users. For example:

User "John" belongs to role ROLE_CUSTOMERS and has the permissions 'READ_MAILS', 'ADD_MAILS'.

User "David" belongs to role ROLE_USERS and has the permission 'DELETE_MAILS'.

I managed to map users and roles to the LDAP directory. Users -> John, David; Groups -> ROLE_CUSTOMERS, ROLE_USERS

But I am missing the permissions part.

I don't know how to declare the 'READ_MAILS', 'DELETE_MAILS', 'ADD_MAILS' attributes/permissions/tasks, or whatever you call them.

  1. How do I assign each permission to a user on the LDAP side?

  2. How will I be able to retrieve those permissions on the Spring Security side before letting a specific user do some operation?

*I am not sure that what I am looking for is called a 'permission'; please correct me if I am wrong.

thanks, ray.

What you are looking for is fine-grained permissions / entitlements. Those are not typically stored in LDAP but rather in another solution, e.g. an authorization service.

With respect to Spring Security, this article may help. Also consider the Spring API documentation on permissions.

I would recommend you consider a standards-based approach using XACML, the eXtensible Access Control Markup Language. With XACML you use roles that come from LDAP and then you write rules, e.g. "a manager can edit accounts that are in the same region as the user". Check out XACML either at the OASIS website or on Wikipedia for some more information.
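The split the answer describes, applied to the asker's ROLE_CUSTOMERS / ROLE_USERS example, as an added illustration that is not part of the original answer: LDAP holds only identity and group membership, which Spring Security reads as ROLE_* authorities, and an application-side table expands each role into the fine-grained permissions (READ_MAILS, ADD_MAILS, DELETE_MAILS) so that method security checks a permission rather than a role. The code assumes Spring Security 5.x (the WebSecurityConfigurerAdapter era), Java 11 or later, a directory at ldap://localhost:389 with base dc=example,dc=com, users under ou=people and groups cn=customers and cn=users under ou=groups; the class names, the URL, the base DN and the directory layout are all assumptions, not taken from the post.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.stereotype.Service;

/*
 * Assumed directory layout (hypothetical, not from the post):
 *
 *   dn: uid=john,ou=people,dc=example,dc=com
 *   dn: uid=david,ou=people,dc=example,dc=com
 *   dn: cn=customers,ou=groups,dc=example,dc=com
 *   member: uid=john,ou=people,dc=example,dc=com
 *   dn: cn=users,ou=groups,dc=example,dc=com
 *   member: uid=david,ou=people,dc=example,dc=com
 *
 * Spring's default LDAP authorities populator upper-cases the group cn and
 * prefixes it with ROLE_, so john authenticates with ROLE_CUSTOMERS and
 * david with ROLE_USERS. Nothing about READ_MAILS etc. is stored in LDAP.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class LdapPermissionConfig extends WebSecurityConfigurerAdapter {

    // Role -> permission table, owned by the application (or an authorization
    // service), not by the directory. Changing who may DELETE_MAILS means
    // editing this table, not an LDAP entry.
    private static final Map<String, Set<String>> PERMISSIONS_BY_ROLE = Map.of(
            "ROLE_CUSTOMERS", Set.of("READ_MAILS", "ADD_MAILS"),
            "ROLE_USERS",     Set.of("DELETE_MAILS"));

    // Runs once per login, after the groups have been read from LDAP: keeps the
    // ROLE_* authorities and adds the permissions each role expands to.
    @Bean
    public GrantedAuthoritiesMapper rolesToPermissions() {
        return (Collection<? extends GrantedAuthority> ldapRoles) -> {
            Set<GrantedAuthority> out = new HashSet<>(ldapRoles);
            for (GrantedAuthority role : ldapRoles) {
                for (String permission : PERMISSIONS_BY_ROLE.getOrDefault(role.getAuthority(), Set.of())) {
                    out.add(new SimpleGrantedAuthority(permission));
                }
            }
            return out;
        };
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                .userDnPatterns("uid={0},ou=people")
                .groupSearchBase("ou=groups")
                .groupSearchFilter("(member={0})")
                .authoritiesMapper(rolesToPermissions())
                .contextSource()
                .url("ldap://localhost:389/dc=example,dc=com");
    }
}

// Services check the permission, never the role, so the mapping above is the
// single place that decides what ROLE_CUSTOMERS is allowed to do.
@Service
class MailService {

    @PreAuthorize("hasAuthority('READ_MAILS')")
    public String readMail(String mailId) {
        return "contents of " + mailId;
    }

    @PreAuthorize("hasAuthority('ADD_MAILS')")
    public void addMail(String mailId) {
        // persist the mail
    }

    // John (ROLE_CUSTOMERS) gets an AccessDeniedException here; David (ROLE_USERS) passes.
    @PreAuthorize("hasAuthority('DELETE_MAILS')")
    public void deleteMail(String mailId) {
        // delete the mail
    }
}
```

With this layout the directory answers "which groups is this user in", the application answers "what may this group do", and a permission change is a change to the table (or to the policy in an external authorization service) rather than to an LDAP schema. A rule that also depends on attributes, such as the region comparison in the answer, needs the user's and the resource's attributes at decision time, which is the point at which a policy engine such as XACML rather than a static role table becomes the natural fit.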
