adding new role to already authenticated user (without logging him out)
I'm using Spring Security, and in some cases after logging in a user can perform some actions which should give him access to some resources, so ideally it should be done by giving this user a new role. But the authorities inside the org.springframework.security.core.userdetails.User class are an unmodifiable Set, so no changes are allowed in the given list of roles. How do developers usually handle this case (I'm sure it's quite common, normal behaviour)?
A valid approach would be to look at your roles and think about whether they make sense. Maybe you need to have more roles, so users are allowed to do everything right after login. I think you might need to "break your roles into smaller pieces".
You are not allowed to modify roles after logon. And you are not meant to do so. That would be a security threat to the platform.
I authenticate as a plain user. Execute some code and become admin.
That's what I think that you should reissue the login.
Udo.
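As an added example (not code from the question or the answer above), this is what "reissuing the login" looks like when done server-side with Spring Security's public API: the grant is written to the authoritative user store, the principal is reloaded from that store through `UserDetailsService`, and a new `Authentication` replaces the old one instead of the immutable authorities being mutated. `UserRoleRepository` and `RoleGrantService` are hypothetical names assumed for the example.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Service;

/**
 * Added example: grant a role by persisting it and then re-issuing the
 * Authentication from the user store, never by editing the unmodifiable
 * authorities of the existing User principal.
 * UserRoleRepository is a hypothetical persistence interface, not a Spring type.
 */
@Service
public class RoleGrantService {

    private final UserRoleRepository userRoles;          // hypothetical store
    private final UserDetailsService userDetailsService; // the app's own bean

    public RoleGrantService(UserRoleRepository userRoles, UserDetailsService userDetailsService) {
        this.userRoles = userRoles;
        this.userDetailsService = userDetailsService;
    }

    public void grantRoleToCurrentUser(String roleName) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            throw new IllegalStateException("no authenticated user in the security context");
        }
        // 1. Persist the grant. roleName is decided by server-side business rules,
        //    never taken from request input, so a user cannot choose ROLE_ADMIN himself.
        userRoles.addRole(current.getName(), roleName);

        // 2. Reload the principal; the new authorities come from the store,
        //    not from the immutable set held by the old principal.
        UserDetails refreshed = userDetailsService.loadUserByUsername(current.getName());

        // 3. Replace the Authentication rather than modifying it. Credentials are
        //    left null: they were already verified at login and need not be kept.
        UsernamePasswordAuthenticationToken renewed =
                new UsernamePasswordAuthenticationToken(refreshed, null, refreshed.getAuthorities());
        renewed.setDetails(current.getDetails()); // keep remote address / session id details
        SecurityContextHolder.getContext().setAuthentication(renewed);
        // Spring Security 6 no longer saves the context automatically at the end of the
        // request; call SecurityContextRepository.saveContext(...) there if the new
        // authorities must survive beyond the current request.
    }
}
```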