Question
I am using the Spring Security ACL plugin in grails 1.3.7, but my question is probably more generic than that: I would like to allow users who have BasePermission.READ access to an object to be able to grant that same permission to other users. If user1 has read access to a document, he should be able to share that with user2, and thereby give him read access to the same document.
When the document is first created, user1 is granted read access, so I see this in the log:
DEBUG grails.app.service.org.grails.plugins.springsecurity.service.acl.AclUtilService Added permission BasePermission[...............................R=1] for Sid PrincipalSid[User user1] for com.fxpal.ara.Document with id 1
Then, when I try to grant the READ permission to user2 while authenticated as user1, I get this exception:
org.springframework.security.acls.model.NotFoundException: Unable to locate a matching ACE for passed permissions and SIDs
So my questions are:
1. Is having BasePermission.ADMINISTRATION required to allow users to grant permissions to other users?
2. Is there some other way to grant permissions while having only partial permissions? Where is this policy implemented, and can it be replaced?
Update:
Well, I thought I could add a new implementation of AclAuthorizationStrategy, which defines the method public void securityCheck(Acl acl, int changeType), but this method doesn't take the requested permission as a parameter, foiling my strategy of checking for compatible permissions. The next thing to do would be to re-implement AclImpl to use different logic. Seems like a shame to repeat most of the same code...
Answer 1:
You can fix this issue by either creating the
<bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
    <constructor-arg>
        <bean class="org.springframework.security.core.authority.SimpleGrantedAuthority">
            <constructor-arg>
                <value>ROLE_ADMINISTRATOR</value>
            </constructor-arg>
        </bean>
    </constructor-arg>
</bean>
Here ROLE_ADMINISTRATOR should be the role which the logged-in User object has as part of its authorities. Basically, anyone with this role can manage permissions.
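As an added example (not code from the question, the answer, or Spring Security itself), this hypothetical class implements the AclAuthorizationStrategy hook the Update above refers to: a principal already granted READ on the ACL passes the check for general changes, and everything else is delegated to the stock admin-only strategy configured by the answer's bean. The class and constructor names are assumptions; as the Update notes, securityCheck never sees which permission is being added, so a reader who passes this check could add any ACE, not only READ.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.acls.domain.AclAuthorizationStrategy;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical strategy (assumed name): a principal holding READ on an ACL may make
// "general" changes (add/remove ACEs); ownership and auditing changes stay admin-only.
public class ReaderMayShareAclAuthorizationStrategy implements AclAuthorizationStrategy {

    private static final List<Permission> READ = Arrays.<Permission>asList(BasePermission.READ);
    private final AclAuthorizationStrategy adminOnly; // the stock AclAuthorizationStrategyImpl bean
    private final SidRetrievalStrategy sidRetrieval = new SidRetrievalStrategyImpl();

    public ReaderMayShareAclAuthorizationStrategy(AclAuthorizationStrategy adminOnly) {
        this.adminOnly = adminOnly;
    }

    @Override
    public void securityCheck(Acl acl, int changeType) {
        if (changeType != CHANGE_GENERAL) {
            adminOnly.securityCheck(acl, changeType); // owner/audit changes: admin role required
            return;
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            throw new AccessDeniedException("Authenticated principal required to change an ACL");
        }
        List<Sid> sids = sidRetrieval.getSids(auth);
        boolean isReader;
        try {
            // Caveat: the requested permission is not visible here, so a READ holder who
            // passes this check can add any ACE to the ACL, not just another READ entry.
            isReader = acl.isGranted(READ, sids, false);
        } catch (NotFoundException e) {
            isReader = false; // no matching ACE for the caller's SIDs
        }
        if (!isReader) {
            adminOnly.securityCheck(acl, changeType); // not a reader: fall back to the admin role
        }
    }
}
```

Wire it as the aclAuthorizationStrategy bean, passing the AclAuthorizationStrategyImpl bean above as its constructor argument.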
Source: https://stackoverflow.com/questions/6134380/granting-permissions-in-spring-security-acl