Spring MVC Role and Permission to Admin

Frontend | Unresolved | 4 answers | 1279 views
清歌不尽 2020-12-06 20:31

I am new to Spring MVC. In my existing project there is one admin who has the rights to update data, but now I need to create 2 new admins, admin1 and admin2, that can

4 answers
  • 2020-12-06 20:56

    You need of course two roles. Then you can either check for role Admin1 or Admin2 everywhere, but a better approach is the one you already mentioned: separate roles and privileges. Assign roles to users and privileges to roles, so a user gets its privileges via its roles. Now you just need to check the privileges to allow access to a function.

    Spring already has a built-in Hierarchical Roles concept (section 14.4 of the reference manual), but I feel that it is clumsy because it requires that every Voter understands it. So I implemented my own solution, which is very simple and is based only on Spring Security roles. So one only needs to change the Role Provider, but nothing more.

  • 2020-12-06 21:09

    You need to create two roles in Spring security with different access.

    <!-- With use-expressions="true" (the default since Spring Security 4) the
         access attribute is a SpEL expression, so a bare "ADMIN_2" is not
         evaluated as an authority name; hasAuthority() matches it literally.
         In the older RoleVoter form (use-expressions="false") a plain string
         is only honoured when it starts with ROLE_. -->
    <http auto-config="true" use-expressions="true">
         <intercept-url pattern="/addData" access="hasAuthority('ADMIN_2')" />
         <intercept-url pattern="/updateData" access="hasAuthority('ADMIN_2')" />
         <intercept-url pattern="/postMessage" access="hasAuthority('ADMIN_1')" />
    </http>
    
  • 2020-12-06 21:15

    I had a similar use-case, where the admins might want to create new roles, with arbitrarily assigned permissions to these roles.

    If I were to authorize users on the existence of a ROLE_* in their granted authorities, then the code would need to change every time someone adds a new role or the business requirements for that role change.

    Like @Ralph, I created a library to inject mapped authorities based on Role to Permissions, because I found the hierarchical role implementation lacking.

    When an Authentication object is injected into the current security session, it will have the original roles/granted authorities. You can map the permissions in your UserDetailsService or JWT Authentication Converter, for instance.

    The PermissionProvider is called to get the effective permissions for each role the user is a member of. The distinct list of permissions is added as GrantedAuthority items in the Authentication object.

    Then I can use permission level authorization in the configuration, and the role to permission mapping can change at runtime.

    Concept -

    ADMIN1 -> PERM_ADD, PERM_POST
    ADMIN2 -> PERM_POST, PERM_UPDATE
    

    Implementation example -

    // RolePermissions and RolePermissionsRepository are types from the linked
    // spring-role-permissions library; import them from that library's package.
    // The two methods below live in a Spring-managed bean (e.g. a @Service).
    import java.util.ArrayList;
    import java.util.List;
    import org.springframework.beans.factory.annotation.Autowired;

    @Autowired
    RolePermissionsRepository repository;

    // ROLE_ADMIN1 may add and post
    public void setup1() {
      String roleName = "ROLE_ADMIN1";
      List<String> permissions = new ArrayList<String>();
      permissions.add("PERM_ADD");
      permissions.add("PERM_POST");
      repository.save(new RolePermissions(roleName, permissions));
    }

    // ROLE_ADMIN2 may update and post
    public void setup2() {
      String roleName = "ROLE_ADMIN2";
      List<String> permissions = new ArrayList<String>();
      permissions.add("PERM_UPDATE");
      permissions.add("PERM_POST");
      repository.save(new RolePermissions(roleName, permissions));
    }
    

    Then use the permissions for access instead of roles.

    <!-- The access attribute is a SpEL expression when use-expressions="true"
         (the default since Spring Security 4); hasAuthority() matches the
         PERM_* string exactly, without the ROLE_ prefix that hasRole() adds. -->
    <http auto-config="true" use-expressions="true">
         <intercept-url pattern="/addData" access="hasAuthority('PERM_ADD')" />
         <intercept-url pattern="/updateData" access="hasAuthority('PERM_UPDATE')" />
         <intercept-url pattern="/postMessage" access="hasAuthority('PERM_POST')" />
    </http>
    

    Or using the authorization annotations -

    @PreAuthorize("hasAuthority('PERM_ADD')")
    @RequestMapping("/add")
    public String add() {
      ...
    }
    

    For the source code, see here - https://github.com/savantly-net/spring-role-permissions

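The role-to-permission expansion described by the first answer (Ralph's "assign privileges to roles") and by this answer, carried through in working Spring Security code. This is an added example written for this page; it is not code from the thread or from the linked spring-role-permissions library. It assumes Spring Security 6 Java configuration (authorizeHttpRequests, requestMatchers, @EnableMethodSecurity), uses a hypothetical in-memory Map named ROLE_TABLE in place of the answer's RolePermissionsRepository, and the user names, placeholder passwords and the PermissionSecurityConfig class are made up for the demonstration:

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Expands the ROLE_* authorities of a freshly authenticated user into the
 * permissions those roles carry. Access rules are then written against PERM_*
 * only, so changing what ADMIN1 may do means editing the table, not the code.
 */
public class RolePermissionMapper implements GrantedAuthoritiesMapper {

    // Hypothetical in-memory stand-in for the answer's RolePermissionsRepository;
    // a real deployment would look this up in the database on each login.
    static final Map<String, List<String>> ROLE_TABLE = Map.of(
            "ROLE_ADMIN1", List.of("PERM_ADD", "PERM_POST"),
            "ROLE_ADMIN2", List.of("PERM_POST", "PERM_UPDATE"));

    private final Map<String, List<String>> rolePermissions;

    public RolePermissionMapper(Map<String, List<String>> rolePermissions) {
        this.rolePermissions = rolePermissions;
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        // Keep the roles (hasRole() still works) and add each permission once;
        // a role with no table entry contributes nothing instead of failing.
        Set<GrantedAuthority> effective = new LinkedHashSet<>(authorities);
        for (GrantedAuthority granted : authorities) {
            for (String perm : rolePermissions.getOrDefault(granted.getAuthority(), List.of())) {
                effective.add(new SimpleGrantedAuthority(perm));
            }
        }
        return effective;
    }

    // Stand-alone check of the expansion; needs no Spring context.
    public static void main(String[] args) {
        RolePermissionMapper mapper = new RolePermissionMapper(ROLE_TABLE);
        System.out.println(mapper.mapAuthorities(
                List.of(new SimpleGrantedAuthority("ROLE_ADMIN2"))));
    }
}

@Configuration
@EnableMethodSecurity   // enables @PreAuthorize("hasAuthority('PERM_...')") on methods
class PermissionSecurityConfig {

    // Users are stored with roles only; the mapper attaches permissions at login.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
                User.withUsername("admin1").password("{noop}placeholder-1").roles("ADMIN1").build(),
                User.withUsername("admin2").password("{noop}placeholder-2").roles("ADMIN2").build());
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService users) throws Exception {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        // Runs on every successful login, so a changed table takes effect
        // without redeploying or touching the access rules below.
        provider.setAuthoritiesMapper(new RolePermissionMapper(RolePermissionMapper.ROLE_TABLE));

        http.authenticationProvider(provider)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/addData").hasAuthority("PERM_ADD")
                .requestMatchers("/updateData").hasAuthority("PERM_UPDATE")
                .requestMatchers("/postMessage").hasAuthority("PERM_POST")
                // deny-by-default for any URL not listed above
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Two points worth checking in your own setup: keep roles and permissions in disjoint namespaces (ROLE_ versus PERM_) so that hasRole(), which prepends ROLE_, and hasAuthority(), which matches the string literally, can never match each other's entries; and always finish the URL rules with an anyRequest() clause, since the XML snippets in this thread list only the three protected paths and leave every other URL without a rule.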
  • 2020-12-06 21:18

    You have to consider using Spring Security to achieve this. Check the following:

    <!-- Non-expression form (the Spring Security 3.x default): the RoleVoter
         only considers attributes that start with ROLE_. With
         use-expressions="true" write access="hasAuthority('ROLE_ADMIN')". -->
    <http auto-config="true" use-expressions="false">
         <intercept-url pattern="/admin*" access="ROLE_ADMIN" />
    </http>
    

    It means that only a user with the authority “ROLE_ADMIN” is allowed to access URIs matching /admin*. If a non-authorized user tries to access it, an “HTTP 403 access denied” page will be displayed.

    You have to configure the URLs and the allowed access to them.

    A simple example is at http://www.mkyong.com/spring-security/spring-security-access-control-example/
