I am using the springsecurity plugin with Grails 2.0.1. My role hierarchy and the other s2 properties look like this:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'myApp.security.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'myApp.security.UserRole'
grails.plugins.springsecurity.authority.className = 'myApp.security.Role'
grails.plugins.springsecurity.successHandler.defaultTargetUrl="/index"
grails.plugins.springsecurity.securityConfigType = "Annotation"
//grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.roleHierarchy = '''
ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
ROLE_OWNER > ROLE_USER_WRITE
'''
According to the documentation, if my @Secured annotation allows ROLE_USER_WRITE, then all the other roles should also be allowed access. Likewise, if I use the tag, then ROLE_OWNER, ROLE_OWNER_TRANSFER_PRIVILEGE and ROLE_ADMIN must evaluate to true. However, this does not work; instead I am forced to list every role. I checked the debug log, and it looks like this:
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl - setHierarchy() - The following role hierarchy was set:
ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
ROLE_OWNER > ROLE_USER_WRITE
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl - buildRolesReachableInOneStepMap() - From role ROLE_ADMIN one can reach role ROLE_OWNER_TRANSFER_PRIVILEGE in one step.
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl - buildRolesReachableInOneStepMap() - From role ROLE_OWNER_TRANSFER_PRIVILEGE one can reach role ROLE_OWNER in one step.
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl - buildRolesReachableInOneStepMap() - From role ROLE_OWNER one can reach role ROLE_USER_WRITE in one step.
2012-06-01 09:28:14,803 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl - buildRolesReachableInOneOrMoreStepsMap() - From role ROLE_ADMIN one can reach [ROLE_OWNER_TRANSFER_PRIVILEGE, ROLE_USER_WRITE, ROLE_OWNER] in one or more steps.
...
It looks like the role hierarchy is being created, but it is not enforced while the application is running. What am I doing wrong, and how do I get this working the way the documentation describes?
Answer 0 (score: 1)
roleHierarchies need to have a complete tree structure in order to work. In my question I represented half of the hierarchy, which resulted in an incomplete tree representation. Something like:
ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
ROLE_OWNER > ROLE_USER_WRITE
ROLE_USER > ROLE_READ
Here ROLE_USER and ROLE_USER_WRITE are disconnected sub-hierarchies, and Spring Security cannot resolve this when parsing the permissions.
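To make the expansion that the debug log reports concrete, here is an added Python model of the computation; it is not code from the Grails plugin or from Spring Security's RoleHierarchyImpl. It parses the same "HIGHER > LOWER" line format used in the question's roleHierarchy config and computes the set of roles reachable in one or more steps, which is what decides whether a holder of ROLE_ADMIN may enter an action secured with ROLE_USER_WRITE. The embedded hierarchy string is the one from the question; the function names and the rule that a held role always counts as granted are the example's own assumptions.

```python
"""Model of how a role hierarchy expands a user's held roles into the
full set of effective authorities (added example, not plugin code)."""
from collections import defaultdict

# Constructed input: the roleHierarchy value from the question.
ROLE_HIERARCHY = """
ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
ROLE_OWNER > ROLE_USER_WRITE
"""


def parse_hierarchy(text):
    """Parse 'HIGHER > LOWER' lines into a one-step reachability map.

    Malformed lines raise instead of being silently skipped, because a
    line that fails to parse means a role silently loses its implied
    permissions (the failure mode the question describes).
    """
    one_step = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ">" not in line:
            raise ValueError("expected 'ROLE_A > ROLE_B', got %r" % line)
        higher, lower = (part.strip() for part in line.split(">", 1))
        if not higher or not lower:
            raise ValueError("empty role name in %r" % line)
        one_step[higher].add(lower)
    return dict(one_step)


def reachable_roles(one_step, held_roles):
    """Return every role reachable from held_roles in zero or more steps
    (the 'one or more steps' map in the log, plus the held roles)."""
    effective = set()
    stack = list(held_roles)
    while stack:
        role = stack.pop()
        if role in effective:
            continue  # already expanded; also guards against cycles
        effective.add(role)
        stack.extend(one_step.get(role, ()))
    return effective


def is_granted(one_step, held_roles, required_roles):
    """True if any required role is among the user's effective roles,
    i.e. the decision an @Secured([...]) check makes under a hierarchy."""
    return bool(reachable_roles(one_step, held_roles) & set(required_roles))


if __name__ == "__main__":
    hierarchy = parse_hierarchy(ROLE_HIERARCHY)
    for role in hierarchy:
        implied = sorted(reachable_roles(hierarchy, [role]) - {role})
        print(role, "implies", implied)
    print("ROLE_ADMIN may call a ROLE_USER_WRITE action:",
          is_granted(hierarchy, ["ROLE_ADMIN"], ["ROLE_USER_WRITE"]))
    # The hierarchy only flows downward: a lower role never gains a higher one.
    print("ROLE_USER_WRITE may call a ROLE_ADMIN action:",
          is_granted(hierarchy, ["ROLE_USER_WRITE"], ["ROLE_ADMIN"]))
```

Running it shows ROLE_ADMIN reaching ROLE_OWNER_TRANSFER_PRIVILEGE, ROLE_OWNER and ROLE_USER_WRITE, matching the buildRolesReachableInOneOrMoreStepsMap() line in the log, while ROLE_USER_WRITE reaches nothing above itself. When the application still demands every role to be listed in @Secured, the expansion itself is not the problem; the thing to check is whether the component making the access decision is actually the hierarchy-aware one.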