我尝试使用Spring Security ACL强制执行一个新应用,经过阅读后,我对每个ACE的权限都有疑问.我期望,如果主体对域对象实例具有管理权限(16),则能够使用以下注释访问方法:
I try to enforce a new app with spring security ACL and after some reading I have a problem with permissions for every ACE. I was expecting that if a principal has the administration permission (16) over an domain object instance to be able to access a method with this annotation:
@Override @PostFilter("hasPermission(filterObject, 'READ')") public List<Project> findAllProjects() { TypedQuery<Project> tq = em.createNamedQuery("Project:findAll", Project.class); List<Project> projects = tq.getResultList(); return projects; }但是
@PostFilter("hasPermission(filterObject, 'ADMINISTRATION') OR hasPermissions(filterObject,'READ')")似乎有效. 所以,我的问题是:这些权限不是分层的吗? 我的意思是,为什么我必须在具有读取权限的方法上显式指定管理员权限?管理员不是比阅读的大"书吗? 我在想,如果我授予用户管理员权限,则该用户将能够访问比管理员"更低"的操作(C,R,U,D)保护的所有方法/对象.
it seems to work. So, my question is : Aren't these permissions hierarchical? I mean, why do I have to explicit specify admin permission on a method that has read permission? Isn't admin "bigger" than read ? I was thinking that if I grant to a user an admin permission that hte user will be able to access all the methods/objects protected with "lower" operations (C,R,U,D) than admin.
推荐答案简短的回答:不,权限不是现成的分层权限.
Short answer: No, permissions are not hierarchical out-of-the-box.
如果希望它们是分层的,则需要进行PermissionEvaluator或类似的自定义实现.
If you want them to be hierarchical, you need make a custom implementation of PermissionEvaluator or similar.
更多推荐
Spring Security ACL管理权限
发布评论