
Can you configure Spring-Security programmatically?

I am working to configure Spring-Security with an existing application, for just basic security (i.e. what pages a user can see based on their roles). The question came up wondering if we could set what roles are required for each page in Java instead of the ApplicationContext.xml.

The idea is to store them in a table in our database, so we can easily change them without a redeployment. Is this possible? How?

Yes, you can configure Spring-Security programmatically. But I don't think that is what you want / need to do.

The question came up wondering if we could set what roles are required for each page in Java instead of the ApplicationContext.xml.

You could implement your own AccessDecisionManager class that queries your database to fetch the rules (or whatever) for each resource / page. This is described in Section IV of the SpringSecurity manual.

Alternatively, you could embed your own custom access control logic inside your MVC controller. Use SpringSecurityContext to fetch the request's Authorization object, fish out the identity and/or authorities, and implement the decision making however you want to.
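An added example of the AccessDecisionManager approach described above (not code from the answer or from Spring Security itself): the roles required for a URL come from a lookup function that stands in for a query against a hypothetical page_roles table, so the mapping can be changed in the database without a redeployment. It assumes Java 8+ and the Spring Security 3.x-5.x AccessDecisionManager interface; the class and table names are invented.

```java
import java.util.Collection;
import java.util.Set;
import java.util.function.Function;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;

// Decides access per URL from roles stored in a table rather than in
// ApplicationContext.xml. The lookup function stands in for a query such as
// "SELECT role FROM page_roles WHERE url_pattern = ?" (hypothetical schema).
public class DatabaseAccessDecisionManager implements AccessDecisionManager {

    private final Function<String, Set<String>> requiredRolesForUrl;

    public DatabaseAccessDecisionManager(Function<String, Set<String>> lookup) {
        this.requiredRolesForUrl = lookup;
    }

    @Override
    public void decide(Authentication authentication, Object secured,
                       Collection<ConfigAttribute> configAttributes) {
        if (authentication == null || !authentication.isAuthenticated()) {
            throw new InsufficientAuthenticationException("not authenticated");
        }
        // For web requests the secured object is a FilterInvocation; getRequestUrl() includes any query string.
        String url = ((FilterInvocation) secured).getRequestUrl();
        Set<String> required = requiredRolesForUrl.apply(url);
        // Fail closed: a page with no row in the table is denied, not opened up.
        if (required == null || required.isEmpty()) {
            throw new AccessDeniedException("no access rule for " + url);
        }
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            if (required.contains(granted.getAuthority())) {
                return; // any one of the required roles is enough
            }
        }
        throw new AccessDeniedException("access denied to " + url);
    }

    @Override
    public boolean supports(ConfigAttribute attribute) { return true; }

    @Override
    public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

Register the bean with the access-decision-manager-ref attribute of the http element (or accessDecisionManager(...) in Java config); the FilterSecurityInterceptor only consults the manager for URLs that match some intercept-url entry, so a catch-all pattern is still needed or unlisted pages bypass the table entirely.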

We did this using Interceptors. Basically a MethodInterceptor proxies any call to any method you want (i.e. getting an object from your database). You can then programmatically intercept the object and check the current user and do pretty much anything you want in terms of access control. If that means querying the database for a list of users who have access (and hence a list you can change without modifying code) then so be it.
