Criteria based authorization check with spring security?

How does Spring Security support dynamic roles & permissions? For example, the role can be generated at runtime by end users. Each role can include multiple permissions which can be created/updated at runtime. Each permission is based on criteria like delete topic if no activity for 3 months. The ACL of Spring Security can't support it since records of acl_entry are static instead of dynamic. How to customize Spring Security to support such a requirement?


Spring Security 3 supports expression-based authorization: it allows you to express security constraints as arbitrary expressions in Spring Expression Language. By default you can use methods of SecurityExpressionRoot in these expressions.

However, you can add your own methods by customizing MethodSecurityExpressionHandler.createEvaluationContext(), so that you can define arbitrary criteria and use them in these expressions. Also see What's the difference between @Secured and @PreAuthorize in spring secu 3 ?.
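One way to apply the approach from the answer above, as an added example that is not part of the original answer: a handler that wraps the stock MethodSecurityExpressionHandler by delegation and publishes a criteria bean as the SpEL variable #criteria. The names CriteriaExpressionHandler, TopicCriteria, Topic, TopicService and ROLE_MODERATOR are hypothetical.

```java
import java.util.Calendar;
import java.util.Date;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

// Hypothetical wrapper: delegates to the stock handler and adds #criteria to each context.
class CriteriaExpressionHandler implements MethodSecurityExpressionHandler {
    private final MethodSecurityExpressionHandler delegate;
    private final TopicCriteria criteria;
    CriteriaExpressionHandler(MethodSecurityExpressionHandler delegate, TopicCriteria criteria) {
        this.delegate = delegate;
        this.criteria = criteria;
    }
    public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi) {
        EvaluationContext ctx = delegate.createEvaluationContext(auth, mi);
        ctx.setVariable("criteria", criteria); // referenced in expressions as #criteria
        return ctx;
    }
    public ExpressionParser getExpressionParser() { return delegate.getExpressionParser(); }
    public Object filter(Object target, Expression expr, EvaluationContext ctx) {
        return delegate.filter(target, expr, ctx);
    }
    public void setReturnObject(Object returnObject, EvaluationContext ctx) {
        delegate.setReturnObject(returnObject, ctx);
    }
}

// Hypothetical criteria bean: the rule is evaluated at call time, not stored as an ACL row.
class TopicCriteria {
    public boolean inactiveFor(Topic topic, int months) { // public so SpEL can resolve it
        if (topic == null || topic.lastActivity == null) return false; // fail closed
        Calendar cutoff = Calendar.getInstance();
        cutoff.add(Calendar.MONTH, -months);
        return topic.lastActivity.before(cutoff.getTime());
    }
}

class Topic { Date lastActivity; } // hypothetical domain type

class TopicService {
    // ROLE_MODERATOR is a sample role name; #topic is the method argument.
    @PreAuthorize("hasRole('ROLE_MODERATOR') and #criteria.inactiveFor(#topic, 3)")
    public void delete(Topic topic) { /* removal logic */ }
}
```

Register the handler through the expression-handler child element of global-method-security (with pre-post-annotations enabled), passing a DefaultMethodSecurityExpressionHandler as the delegate. Resolving #topic by name requires the class to be compiled with debug information.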
