Spring安全角色分配

时间:2014-04-14 17:34:04

标签: java spring security spring-security

JEE容器通常提供使用专有部署描述符将外部映射到内部用户角色的机制。也就是说,应用程序在web.xml中声明并使用内部角色,并且有一个文件(例如weblogic的weblogic.xml)将分配给用户的实际角色映射到内部角色。

使用Spring Security时如何实现这种映射?我正在使用Spring Security 3.0.x。

1 个答案:

答案 0 :(得分:1)

Spring Security 3.0.x.没有提供开箱即用的这种映射。

但您可以通过扩展用于身份验证方法的身份验证提供程序来自行实现它。

如果您使用DaoAuthenticationProvider(使用internaly a UserDetailsService),则可以覆盖addCustomAuthorities(String username, List<GrantedAuthority> authorities)方法,以根据已授予的一次添加新/映射角色。

例如扩展UserDetailsService

...
@Override
protected void addCustomAuthorities(String username, List<GrantedAuthority> authorities) {
    super.addCustomAuthorities(username, authorities);

    List<GrantedAuthority> additional = new ArrayList<GrantedAuthority>();
    for (GrantedAuthority role : authorities) {
        additional .addAll(vourMappingService.getAdditionalForRole(role));
    }
    authorities.addAll(additional );
}

使用YourMappingService来映射角色(通过向现有角色添加新角色)

public class YourMappingService


 /**
     * Property bases mapping of roles to privileges.
     * Every role is one line, the privileges are comma separated.
     */
    private Properties roleToPrivileges;

    public YourMappingService(Properties roleToPrivileges) {
        if (roleToPrivileges == null) {
            throw new IllegalArgumentException("roleToPrivileges must not be null");
        }
        this.roleToPrivileges = roleToPrivileges;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAdditionalForRole(GrantedAuthority role) {

        String authority = role.getAuthority();
        if(authority != null) {
            String commaSeparatedPrivileges = roleToPrivileges.getProperty(role.getAuthority());
            if (commaSeparatedPrivileges != null) {
                List<GrantedAuthority> privileges = new ArrayList<GrantedAuthority>();
                for(String privilegeName : StringUtils.commaDelimitedListToSet(commaSeparatedPrivileges)) {
                    privileges.add(new GrantedAuthorityImpl(privilegeName.trim()));
                }                
                return privileges;
            } else {
                return Collections.emptyList();
            }
        } else {
            return Collections.emptyList();
        }
    }   
}

配置:

<bean id="myUserDetailsService" class="de.humanfork.springsecurityroles.impl.JdbcDaoPrivilegesImpl">
    <constructor-arg ref="yourMappingService"/>
    <property name="dataSource" ref="dataSource"/>
    <property name="usersByUsernameQuery" value="SELECT login,encryptedPassword,loginEnabled FROM user WHERE login = ?"/>
    <property name="enableAuthorities" value="true"/>
    <property name="authoritiesByUsernameQuery" value="SELECT u.login, r.securityRoles FROM user u, user2security_roles r WHERE u.login= ? AND u.id = r. User_fk;"/>
</bean>


  <bean id="yourMappingService" class="ZourMappingService">
    <constructor-arg>
        <props>
        <prop key="ROLE_ADMIN">
                ROLE_backend_access,
                ROLE_user_mngt,
                ROLE_passwordLostRequest_mngt,
                ROLE_log_mngt
            </prop>
            <prop key="ROLE_USER">
            </prop>
        </props>
    </constructor-arg>
</bean>
相关问题
最新问题