Question
I am trying to implement a web application with Spring Security. I understand the role-based mechanism of Spring Security and can get it to work. My problem is, in my web app users can create their own groups and add friends (other users of the app) to it. The access to some pages of the user is based on this friends-group. It should work similar to Facebook users and groups. How can I implement these custom user groups and the access to users' pages with Spring Security? Is there a default mechanism for this use case? Or should I implement my own DB tables?
Answer 1:
I am using user groups with the ACL mechanism. Basically I make sure that when an ACL is created for an object the owner is set. Then when another user tries to access this object the owner's groups are checked to see if there is a match.
This of course means that when a user changes his groups then the object 'goes with him'.
If you don't want this behavior you can have the group object's ACL as a parent ACL for a secure object. Then when a user changes groups you should set the correct entries for the group object ACL. This way the secure object is tied to the user group, not the user himself.
Spring Security Domain Object Security (ACLs)
Source: https://stackoverflow.com/questions/34851517/spring-security-authorization-for-custom-usergroups
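
The parent-ACL arrangement described in the answer, written against Spring Security's ACL module as an added example that is not part of the original post. The class name, the `app.FriendGroup` and `app.Page` type strings and the numeric ids are assumptions; it also assumes a configured `MutableAclService` and that the group and page ACLs were created (with their owner) when those objects were created.

```java
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical service: friends get READ on the group ACL only; pages inherit from it.
public class FriendGroupAclService {
    private final MutableAclService aclService;

    public FriendGroupAclService(MutableAclService aclService) {
        this.aclService = aclService;
    }

    // Assumed type names used as ACL object identities.
    private static ObjectIdentity group(long id) { return new ObjectIdentityImpl("app.FriendGroup", id); }
    private static ObjectIdentity page(long id) { return new ObjectIdentityImpl("app.Page", id); }

    // Tie a page to a group: the page ACL carries no per-friend entries of its own.
    @Transactional
    public void sharePageWithGroup(long pageId, long groupId) {
        MutableAcl pageAcl = (MutableAcl) aclService.readAclById(page(pageId));
        pageAcl.setParent(aclService.readAclById(group(groupId)));
        pageAcl.setEntriesInheriting(true); // consult the parent when no local ACE matches
        aclService.updateAcl(pageAcl);
    }

    @Transactional
    public void addFriend(long groupId, String username) {
        MutableAcl acl = (MutableAcl) aclService.readAclById(group(groupId));
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, new PrincipalSid(username), true);
        aclService.updateAcl(acl);
    }

    @Transactional
    public void removeFriend(long groupId, String username) {
        MutableAcl acl = (MutableAcl) aclService.readAclById(group(groupId));
        PrincipalSid sid = new PrincipalSid(username);
        // Walk backwards so deleting an entry does not shift the indexes still to be visited.
        for (int i = acl.getEntries().size() - 1; i >= 0; i--) {
            if (acl.getEntries().get(i).getSid().equals(sid)) {
                acl.deleteAce(i);
            }
        }
        aclService.updateAcl(acl);
    }
}
```

Because friends hold READ only on the group ACL, `removeFriend` revokes access to every page inheriting from that group in one update, with no per-page entries left behind to clean up.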