
Securing url pattern based on user properties Spring security

I have secured certain url patterns for my project based on the user's role, as seen in my spring_security xml below.

<security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied.do">

    <security:intercept-url pattern="/auth/login" access="permitAll"/>
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <security:intercept-url pattern="/security/**" access="hasRole('ROLE_SECURITY')"/>
    <security:intercept-url pattern="/common/**" access="hasRole('ROLE_USER')"/>
    <security:intercept-url pattern="/notsecure/**" access="permitAll"/>

    <security:form-login
        login-page="/auth/login.do"
        authentication-failure-url="/auth/login.do?error=true"
        default-target-url="/common/tasks/tasks.do"
        authentication-success-handler-ref="mySuccessHandler"/>

    <security:logout
        invalidate-session="true"
        logout-success-url="/auth/login.do"
        logout-url="/auth/logout.do"/>

</security:http>

<!-- Enables @PreAuthorize / @PostAuthorize on service and controller methods -->
<security:global-method-security pre-post-annotations="enabled" />

<!-- Declare an authentication-manager to use a custom userDetailsService -->
<security:authentication-manager>
    <security:authentication-provider user-service-ref="authenticationService">
        <!-- <security:password-encoder ref="passwordEncoder"/> -->
    </security:authentication-provider>
</security:authentication-manager>

<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
<!--
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
-->

<!-- A custom service where Spring will retrieve users and their corresponding access levels -->
<bean id="authenticationService" class="ie.premiumpower.services.AuthenticationService"/>
<bean id="mySuccessHandler" class="ie.premiumpower.services.MySuccessHandler"/>

So only admin users can access /admin/** etc.

Now I want to limit users to their own url pattern based on a different attribute (their site_id, which is just an int). So only users with a site_id of 1 can go to the url "/1/**" and so on.

How can I go about doing this? Just looking for a point in the right direction. Everything I've seen so far doesn't allow me to have a variable url-pattern, as in "/{variable}/".

https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html

See "15.3 Method Security Expressions"

You can use something like

// #value refers to the method parameter named "value"; the expression is evaluated before the method body runs.
@PreAuthorize("#value == '123'")
@RequestMapping(value="/secure")
@ResponseBody
public String aloa(@RequestParam("value") String value, Principal principal) {
    return "Hello " + principal.getName();
}

This will only let you in if you provide "value=123" as a request Parameter.

You may also use @PathVariable here:

// Same check, but the value is taken from the URL path instead of a query parameter.
@PreAuthorize("#value == '123'")
@RequestMapping(value="/secure/{value}/data")
@ResponseBody
public String aloa(@PathVariable("value") String value, Principal principal) {
    return "Hello " + principal.getName();
}

If you want fine-grained access control to your domain objects, you may want to use spring-acl for that purpose. There you can define fine-grained access control for any object based on user permissions. Here is the simple base on which ACL is based, too. You can throw in your own implementation of PermissionEvaluator and then make use of "hasPermission" inside the @PreAuthorize:

Link it in in your security config:

<global-method-security secured-annotations="disabled" pre-post-annotations="enabled">
    <expression-handler ref="expressionHandler"/>
</global-method-security>

<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="myPermissionEvaluator"/>
</beans:bean>

Create a "hasPermission" PreAuthorize constraint:

// #value is passed to the evaluator as targetDomainObject, 'admin' as permission.
@PreAuthorize("hasPermission(#value, 'admin')")
@RequestMapping(value="/secure/{value}/data")
@ResponseBody
public String aloa(@PathVariable("value") String value, Principal principal) {
    return "Hello " + principal.getName();
}

Fill a PermissionEvaluator with life. Here you can bridge your domain permission over to spring-security: the referenced value from your @RequestMapping will come in through "targetDomainObject"; in "permission" you'll find the required permission as defined in your "hasPermission" definition above.

import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Component("myPermissionEvaluator")
public class MyPermissionEvaluator implements PermissionEvaluator {

    // Called for hasPermission(#object, 'permission'): decide from the current
    // Authentication, the object handed in from the expression, and the permission name.
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        return false; // placeholder: replace with your domain permission check
    }

    // Called for hasPermission(#id, 'type', 'permission') when only an id and type name are known.
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
            Object permission) {
        return false; // placeholder: replace with your domain permission check
    }

}

You may even directly access the Principal object from within the annotations, too:

@PreAuthorize("#value == authentication.principal.title") // my principal is from an ldap source and title is mapped in from there.
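Putting the pieces of this answer together for the site_id case from the question, here is an added example (not code from the original post or from Spring Security) that compares the path variable with the logged-in user's site id. The class names SiteUser, SitePermissionEvaluator and SiteController, the siteId field, and the 'site' permission name are all assumptions; the evaluator is wired in through the expressionHandler bean shown above, under the bean name myPermissionEvaluator.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.Collection;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// All three classes are nested here only so the example is one file; in a project each is a top-level class.
public class SiteSecurityExample {

    /** Principal returned by the custom UserDetailsService; carries the site_id column (assumed class). */
    public static class SiteUser extends User {
        private final int siteId;

        public SiteUser(String username, String password, int siteId,
                        Collection<? extends GrantedAuthority> authorities) {
            super(username, password, authorities);
            this.siteId = siteId;
        }

        public int getSiteId() { return siteId; }
    }

    /** Bridges the URL's site number to the principal's site_id. Bean name matches the XML wiring above. */
    @Component("myPermissionEvaluator")
    public static class SitePermissionEvaluator implements PermissionEvaluator {

        @Override
        public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
            // Deny anonymous callers and any principal type we do not know how to read.
            if (authentication == null || !(authentication.getPrincipal() instanceof SiteUser)) {
                return false;
            }
            // Only the assumed 'site' permission is modelled here; anything else is denied.
            if (!"site".equals(permission)) {
                return false;
            }
            // The path variable arrives as a String; a non-numeric segment is denied, not an error.
            int requestedSite;
            try {
                requestedSite = Integer.parseInt(String.valueOf(targetDomainObject));
            } catch (NumberFormatException e) {
                return false;
            }
            SiteUser user = (SiteUser) authentication.getPrincipal();
            return user.getSiteId() == requestedSite;
        }

        @Override
        public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
                Object permission) {
            return false; // id/type form is not used by this example
        }
    }

    @Controller
    public static class SiteController {

        // "/1/tasks" is only reachable when the evaluator confirms the caller's site_id is 1.
        // Note: #siteId needs the parameter name at runtime (compile with debug info / -parameters).
        @PreAuthorize("hasPermission(#siteId, 'site')")
        @RequestMapping(value = "/{siteId}/tasks")
        @ResponseBody
        public String siteTasks(@PathVariable("siteId") String siteId, Principal principal) {
            return "Tasks for site " + siteId + ", user " + principal.getName();
        }

        // Same rule without an evaluator: read the field straight off the principal, as in the
        // authentication.principal.title example above. The path variable is a String, so it is
        // parsed before comparing with the int field.
        @PreAuthorize("T(Integer).parseInt(#siteId) == authentication.principal.siteId")
        @RequestMapping(value = "/{siteId}/reports")
        @ResponseBody
        public String siteReports(@PathVariable("siteId") String siteId, Principal principal) {
            return "Reports for site " + siteId + ", user " + principal.getName();
        }
    }
}
```

The intercept-url rules from the question still apply first (role checks at the URL level); the method-level @PreAuthorize then narrows access to the caller's own site. A failed check raises AccessDeniedException, which the access-denied-page configured on the http element handles. Keeping the comparison inside the evaluator means a malformed path segment like "/abc/tasks" is denied rather than throwing, which is the safer default for an authorization decision.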
