Spring Security:如何向经过身份验证的用户添加额外角色

时间:2011-12-05 10:52:57

标签: java security spring-security

我有一个可以使用REST服务和弹簧安全性的应用程序。我有基本身份验证,我需要硬登录和软登录。

场景是:当用户登录时,他被分配了ROLE_SOFT 并且可以访问需要ROLE_SOFT的URL,但是如果他想要访问需要ROLE_HARD的URL,他必须向指定的Web服务发送一些代码或其他东西。

所以我读了这个 Acegi Security: How do i add another GrantedAuthority to Authentication to anonymous user

之后我创建了我的:

public class AuthenticationWrapper implements Authentication
{
   private Authentication original;

   public AuthenticationWrapper(Authentication original)
   {
      this.original = original;
   }


   public String getName() { return original.getName(); }
   public Object getCredentials() { return original.getCredentials(); }
   public Object getDetails() { return original.getDetails(); }   
   public Object getPrincipal() { return original.getPrincipal(); }
   public boolean isAuthenticated() { return original.isAuthenticated(); }
   public void setAuthenticated( boolean isAuthenticated ) throws IllegalArgumentException
   {
      original.setAuthenticated( isAuthenticated );
   }

public Collection<? extends GrantedAuthority> getAuthorities() {
    System.out.println("EXISTING ROLES:");
    System.out.println("Size=:"+original.getAuthorities().size());
    for (GrantedAuthority iterable : original.getAuthorities()) {

        System.out.println(iterable.getAuthority());
    }

    GrantedAuthority newrole = new SimpleGrantedAuthority("ROLE_HARD");
    System.out.println("ADD new ROLE:"+newrole.getAuthority());
    Collection<? extends GrantedAuthority> originalRoles = original.getAuthorities();

     ArrayList<GrantedAuthority> temp = new ArrayList<GrantedAuthority>(originalRoles.size()+1);
     temp.addAll(originalRoles);
     temp.add(newrole); 
     System.out.println("RETURN NEW LIST SIZE"+temp.size());
     for (GrantedAuthority grantedAuthority : temp) {
        System.out.println("NEW ROLES:"+grantedAuthority.getAuthority());
    }

    return Collections.unmodifiableList(temp);
}

和控制器

@Controller
@RequestMapping("/login")
public class LoginControllerImpl implements LoginController {


    LoginService loginService;


    @RequestMapping(method = RequestMethod.GET, headers = "Accept=application/json")
    @ResponseBody
    public User getUserSettings(){
        loginService=new LoginServiceImpl();
        Authentication auth =   SecurityContextHolder.getContext().getAuthentication();
        AuthenticationWrapper wrapper = new AuthenticationWrapper(auth);
        SecurityContextHolder.getContext().setAuthentication( wrapper );

        return loginService.getUser();
    }


}

但在我更改身份验证后,我的会话失败了.. 也许有人知道更好的解决方案......

1 个答案:

答案 0 :(得分:0)

只是一个想法..如果用户第一次使用登录表单登录并且需要访问资源,则需要额外的权限,那么为什么不再将用户重定向回登录页面?

    <http auto-config="true" use-expressions="true">
                <intercept-url pattern="/resources/**" access="denyAll"/>
                <intercept-url pattern="/login.do" access="permitAll"/>
                <intercept-url pattern="/role_soft_url_domain/* " access="hasRole('ROLE_SOFT') and fullyAuthenticated"/>
                <intercept-url pattern="/role_hard_url_domain/*" access="hasRole('ROLE_HARD') and fullyAuthenticated"/>             
                <intercept-url pattern="/*" access="hasRole('ROLE_SOFT')"/>
                <form-login login-page="/login.do" />               
                <logout invalidate-session="true"
                    logout-success-url="/"
                    logout-url="/j_spring_security_logout"/>
                </http>
相关问题
最新问题