Setting user roles based on some kind of ownership in Spring Security

Category: Backend · Status: unresolved · 3 answers · 1096 views
心在旅途
心在旅途 2021-01-12 01:58

In my Spring-based application, I currently have basic roles such as ADMIN, and USER.

Is it possible to define a user role such as PHOTO_UPLOADER, which inherits fr

3 answers
  • 2021-01-12 02:08

    I don't know what type of data access technology you are using. I know you can write an interceptor or event listener to do the security checking for Hibernate. I think iBatis works the same way. In my project, I wrote CRUD-enabling interface methods in the parent model/entity class, and do the security check in some events, such as before entity loading. Spring Security ACL is a bit complex. Implementing your own security solution is better.

  • 2021-01-12 02:09

    You can handle it with ACLs like Tomasz Nurkiewicz suggested. But Spring Security ACLs are complex and poorly documented. (The best resource I know for it is this book: Spring Security 3, by the authors of Spring Security.)

    But if you really only need this simple if (currentUser.id == photo.uploader.id) test, then I would recommend another technique.

    It is possible to enhance the method security expressions you can use in @PreAuthorize annotations, like:

    @PreAuthorize("isPhotoOwner(#photo)")
    public void doSomething(final Photo photo) {
        // only reached when isPhotoOwner(photo) evaluates to true
    }

    To implement such an expression (isPhotoOwner), the core is really simple:

    import org.springframework.security.access.expression.method.MethodSecurityExpressionRoot;
    import org.springframework.security.core.Authentication;

    public class ExtendedMethodSecurityExpressionRoot extends MethodSecurityExpressionRoot {

        public ExtendedMethodSecurityExpressionRoot(final Authentication a) {
            super(a);
        }

        /**
         * Returns true when the login of the photo's creator equals the name
         * of the currently authenticated principal.
         */
        public boolean isPhotoOwner(final Photo photo) {
            if (photo == null) {
                return false;
            }
            // 'authentication' is the field inherited from SecurityExpressionRoot
            return photo.getCreator().getLogin().equals(authentication.getName());
        }
    }
    

    Unfortunately there is some additional work to register the ExtendedMethodSecurityExpressionRoot. I have no time at the moment; if you are willing to try this approach, then leave a comment and I will describe the rest.

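The registration step the answer above leaves out, shown here as an added example that is not from the original post or from the Spring Security project itself. It is written against the Spring Security 3.1+ API, where a custom root extends SecurityExpressionRoot, implements MethodSecurityExpressionOperations, and is handed to the framework by overriding DefaultMethodSecurityExpressionHandler.createSecurityExpressionRoot(). Photo, getCreator() and getLogin() are the domain types the answer assumes; the package name com.example.security is hypothetical. The ownership check denies when the photo, its creator, or the current principal is missing, rather than throwing or falling through to "allow".

```java
// Added example (not from the original post): a custom method-security expression
// root plus the handler that creates it, Spring Security 3.1+ API.
// Photo / getCreator() / getLogin() are assumed domain types; the package is hypothetical.
package com.example.security;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;

/** Expression root that makes isPhotoOwner(...) available to @PreAuthorize / @PostAuthorize. */
class OwnershipExpressionRoot extends SecurityExpressionRoot
        implements MethodSecurityExpressionOperations {

    private Object filterObject;
    private Object returnObject;
    private Object target;

    OwnershipExpressionRoot(Authentication authentication) {
        super(authentication);
    }

    /**
     * True only when the authenticated principal's name equals the login of the
     * photo's creator. Every missing piece of data results in a deny, so a null
     * photo, a photo without a creator, or an anonymous caller never passes.
     */
    public boolean isPhotoOwner(Photo photo) {
        if (photo == null || photo.getCreator() == null || photo.getCreator().getLogin() == null) {
            return false;
        }
        Authentication auth = getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth.getName() == null) {
            return false;
        }
        return auth.getName().equals(photo.getCreator().getLogin());
    }

    // Plumbing required by MethodSecurityExpressionOperations so that
    // @PreFilter / @PostFilter and returnObject keep working.
    @Override public void setFilterObject(Object o) { filterObject = o; }
    @Override public Object getFilterObject() { return filterObject; }
    @Override public void setReturnObject(Object o) { returnObject = o; }
    @Override public Object getReturnObject() { return returnObject; }
    @Override public Object getThis() { return target; }
    void setThis(Object t) { target = t; }
}

/** Handler that gives Spring Security our root instead of the default one. */
public class OwnershipMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        OwnershipExpressionRoot root = new OwnershipExpressionRoot(authentication);
        root.setThis(invocation.getThis());
        // Copy the collaborators the default root would have, so built-in
        // expressions (hasRole, hasPermission, isAnonymous, ...) still work.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(getTrustResolver());
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}

// Usage on a service method (parameter name resolution for #photo needs
// the class compiled with debug info or a @P / @Param annotation):
//
//   @PreAuthorize("isPhotoOwner(#photo)")
//   public void deletePhoto(Photo photo) { ... }
```

Wire the handler in with the XML namespace as the expression-handler child of global-method-security (with pre-post-annotations="enabled"), or with Java configuration by overriding createExpressionHandler() in a GlobalMethodSecurityConfiguration subclass and returning an OwnershipMethodSecurityExpressionHandler. Only one MethodSecurityExpressionHandler is active at a time, so a project with several custom expressions should add them all to this one root.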
  • 2021-01-12 02:18

    Welcome to the world of ACLs (access control lists). This tutorial is rather old but pretty comprehensive.
