Grails:SpringSecurity roleHierarchy无法按预期工作

时间:2012-06-01 04:12:43

标签: spring grails spring-security roles

我正在使用Grails 2.0.1中的springsecurity插件。我的角色层次结构和其他s2属性如下所示。 

grails.plugins.springsecurity.userLookup.userDomainClassName = 'myApp.security.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'myApp.security.UserRole'
grails.plugins.springsecurity.authority.className = 'myApp.security.Role'
grails.plugins.springsecurity.successHandler.defaultTargetUrl="/index"
grails.plugins.springsecurity.securityConfigType = "Annotation"

//grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.roleHierarchy = '''
    ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
    ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
    ROLE_OWNER > ROLE_USER_WRITE
'''

根据文档,如果我的@secured注释允许ROLE_USER_WRITE,那么所有其他角色也需要被允许访问。同样,如果我要使用标记,则ROLE_OWNER,ROLE_OWNER_TRANSFER_PRIVILEGE和ROLE_ADMIN必须等于true。但是,这不起作用,而是我被迫列出每个角色。我检查了调试日志,看起来像这样

2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - setHierarchy() - The following role hierarchy was set: 
        ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
        ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
        ROLE_OWNER > ROLE_USER_WRITE

2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneStepMap() - From role ROLE_ADMIN one can reach r
ole ROLE_OWNER_TRANSFER_PRIVILEGE in one step.
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneStepMap() - From role ROLE_OWNER_TRANSFER_PRIVIL
EGE one can reach role ROLE_OWNER in one step.
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneStepMap() - From role ROLE_OWNER one can reach r
ole ROLE_USER_WRITE in one step.
2012-06-01 09:28:14,803 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneOrMoreStepsMap() - From role ROLE_ADMIN one can 
reach [ROLE_OWNER_TRANSFER_PRIVILEGE, ROLE_USER_WRITE, ROLE_OWNER] in one or more steps.
...

似乎正在创建角色层次结构,但在应用程序运行时不会强制执行这些层次结构。我做错了什么,如何根据文档将其工作?

1 个答案:

答案 0 :(得分:1)

roleHierarchies需要有一个完整的树结构才能工作。在我的问题中,我代表了一半的层次结构,结果是一个不完整的树表示。类似的东西:

ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
ROLE_OWNER > ROLE_USER_WRITE
ROLE_USER > ROLE_READ

此处ROLE_USER和ROLE_USER_WRITE是断开连接的子层次结构,并且在解析权限时,Spring安全性无法解决此问题。

相关问题
最新问题