在Spring安全性中拒绝具有相同角色的多个用户的访问权限
[英]denying access for multiple users of same role in spring security
问题描述
I've run into a such situation: my application has several roles(administrator, moderator, user). 
我遇到过这样的情况:我的应用程序有几个角色(管理员,主持人,用户)。 Moderator and User can edit some forms. 主持人和用户可以编辑一些表格。 All permisions are ok. 所有的权利都可以。 But when I'm loggen in as a user(role User) and change an id in the url, I can simply get and edit form of another user(role User). 但是当我以用户身份登录(角色用户)并更改网址中的ID时,我可以简单地获取并编辑另一个用户(角色用户)的表单。
How to deny access and prevent such actions? 如何拒绝访问并阻止此类操作?
ps. PS。 version of spring and spring security is 3.1.2 弹簧和弹簧的安全版本是3.1.2
update - added spring security context 更新 - 添加了弹簧安全上下文
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http use-expressions="true" auto-config="false"
entry-point-ref="authenticationEntryPoint" access-denied-page="/403.jsp">
<form-login login-page="/login.html"
authentication-failure-url="/login.html?error=true"
login-processing-url="/j_spring_security_check"
authentication-success-handler-ref="successHandler" />
<logout logout-url="/logout" logout-success-url="/login.html" />
<intercept-url pattern="/admin/**" access="hasRole('adminViewPermission')" />
<intercept-url pattern="/moderator/**" access="hasRole('moderatorViewPermission')" />
<intercept-url pattern="**/form-management"
access="hasRole('formManagementPermission')" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService" />
</authentication-manager>
<beans:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.html" />
<beans:property name="forceHttps" value="false" />
</beans:bean>
<beans:bean id="successHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/authenticate" />
<beans:property name="alwaysUseDefaultTargetUrl" value="true"/>
</beans:bean>
<beans:bean id="userDetailsService"
class="com.jack.MyYserDetailsService">
</beans:bean>
</beans:beans>
1 个解决方案
解决方案1
3 2013-01-11 10:45:29
It looks like you want take into account actual domain object for your security rule. 看起来您想要考虑安全规则的实际域对象。 Normal SpringSecurity setup with users and roles can add security rules like this: who (athenticated user with some role) may access to some URL / method invocation. 具有用户和角色的正常SpringSecurity设置可以添加如下安全规则:who(具有某个角色的athenticated用户)可以访问某些URL /方法调用。 If you want to be able use enhanced rules like this: who (athenticated user with some role) may access to some URL / method invocation and what domain objects he can use then you need to use ACL feature . 如果您希望能够使用这样的增强规则:who(具有某个角色的athenticated用户)可以访问某些URL /方法调用以及他可以使用哪些域对象,那么您需要使用ACL功能 。
EDIT. 编辑。 But if you need just one security rule like this then set up ACL may be an overkill. 但是如果你只需要一个像这样的安全规则,那么设置ACL可能是一种过度杀伤力。 You can try enhance your actual SpringSecurity setup by custom web security expression: 您可以尝试通过自定义Web安全表达式增强实际的SpringSecurity设置:
<intercept-url pattern="/moderator/**" access="hasRole('moderatorViewPermission') and userIsAuthor()" />
Where your userIsAuthor() method will: 您的userIsAuthor()方法将在哪里:
- extract id of the object from the URL (I suppose something like /moderator/item/56 ) 从URL中提取对象的id(我想像/ moderator / item / 56这样 )
- check if current user is an author of an item id = 56. 检查当前用户是否是项目id = 56的作者。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.