1.1. Hierarchical Role System
Spring Security's hierarchical role architecture simplifies the configuration of complex roles. The configuration process is as follows:
(1) First, specify the access decision manager on the http node.
<!-- The correspondence between roles and URL patterns.
     access-decision-manager-ref: specifies the access decision manager to use. -->
<sec:http auto-config="true" use-expressions="true" access-decision-manager-ref="acceessDecisionManager">
    <sec:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
    <sec:intercept-url pattern="/home/**" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')" />
</sec:http>
(2) Specify the correspondence between users and roles.
The user super is given the ROLE_SUPER role. The requirement is that, by holding ROLE_SUPER, this user also has the ROLE_ADMIN and ROLE_USER roles.
<!-- The correspondence between users and roles -->
<sec:authentication-manager>
    <sec:authentication-provider>
        <sec:user-service>
            <sec:user name="zhangsan" password="123456" authorities="ROLE_ADMIN" />
            <sec:user name="wangwu" password="123456" authorities="ROLE_USER" />
            <sec:user name="super" password="123456" authorities="ROLE_SUPER" />
        </sec:user-service>
    </sec:authentication-provider>
</sec:authentication-manager>
(3) Configure the access decision manager.
In the access decision manager, you need to specify which decision voters to use. This article specifies three voters: the web expression voter, the hierarchical role voter, and the authenticated voter.
<!-- acceessDecisionManager: the access decision manager.
     The access decision voters it uses are specified in the constructor argument:
     WebExpressionVoter: web expression voter; it evaluates expressions such as hasRole() to cast its vote.
     RoleHierarchyVoter: hierarchical role voter.
     AuthenticatedVoter: authenticated voter. -->
<beans:bean id="acceessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <beans:property name="expressionHandler" ref="webSecurityExpressionHandler" />
            </beans:bean>
            <beans:bean class="org.springframework.security.access.vote.RoleHierarchyVoter">
                <beans:constructor-arg ref="roleHierarchy" />
            </beans:bean>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<!-- The web expression handler, which creates the expression evaluation context. -->
<beans:bean id="webSecurityExpressionHandler" name="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>
(4) Configure the implementation class for the hierarchical role.
The main job of the default implementation class for hierarchical roles is to build the hierarchical relationship between roles from the hierarchy configuration.
<!-- The default implementation of the hierarchical role.
     ROLE_SUPER has both the ROLE_ADMIN and ROLE_USER roles, that is, it has all of their permissions. -->
<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            ROLE_SUPER > ROLE_ADMIN
            ROLE_SUPER > ROLE_USER
        </beans:value>
    </beans:property>
</beans:bean>
After the above configuration, once the super user logs in, that user can access these four types of URL: /home, /user, /admin, and /. The super user has the ROLE_SUPER role, and once the hierarchical role relationship has been established, ROLE_SUPER includes the ROLE_ADMIN and ROLE_USER roles. The user therefore also holds both ROLE_ADMIN and ROLE_USER and can access any of the URLs.
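The following is an added example, not code from the original article: a small Java check that loads the same hierarchy rules into Spring Security's RoleHierarchyImpl and prints which of the three intercept-url rules each configured user satisfies. The class name RoleHierarchyCheck and the rule map are assumptions for illustration; it assumes a spring-security-core version that provides setHierarchy(String), and it models the hasRole() expressions as set lookups instead of running the web filter chain.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Illustrative class name (assumption); not part of the article's project.
public class RoleHierarchyCheck {

    // Expand a directly assigned authority into everything the hierarchy makes reachable.
    static Set<String> reachable(RoleHierarchyImpl hierarchy, String assigned) {
        List<GrantedAuthority> direct = AuthorityUtils.createAuthorityList(assigned);
        Collection<? extends GrantedAuthority> all = hierarchy.getReachableGrantedAuthorities(direct);
        return AuthorityUtils.authorityListToSet(all);
    }

    public static void main(String[] args) {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        // Same rules as the roleHierarchy bean, one rule per line.
        hierarchy.setHierarchy("ROLE_SUPER > ROLE_ADMIN\nROLE_SUPER > ROLE_USER");
        // Users and authorities from the user-service configuration.
        Map<String, String> users = new LinkedHashMap<>();
        users.put("zhangsan", "ROLE_ADMIN");
        users.put("wangwu", "ROLE_USER");
        users.put("super", "ROLE_SUPER");
        // The three intercept-url rules, modelled as "any of these roles" (simplification).
        Map<String, List<String>> rules = new LinkedHashMap<>();
        rules.put("/admin/**", Arrays.asList("ROLE_ADMIN"));
        rules.put("/user/**", Arrays.asList("ROLE_USER"));
        rules.put("/home/**", Arrays.asList("ROLE_USER", "ROLE_ADMIN"));
        for (Map.Entry<String, String> user : users.entrySet()) {
            Set<String> effective = reachable(hierarchy, user.getValue());
            System.out.println(user.getKey() + " -> " + effective);
            for (Map.Entry<String, List<String>> rule : rules.entrySet()) {
                boolean allowed = rule.getValue().stream().anyMatch(effective::contains);
                System.out.println("  " + rule.getKey() + " : " + (allowed ? "allowed" : "denied"));
            }
        }
        // The hierarchy only flows downward: ROLE_ADMIN must not reach ROLE_SUPER or ROLE_USER.
        Set<String> admin = reachable(hierarchy, "ROLE_ADMIN");
        if (admin.contains("ROLE_SUPER") || admin.contains("ROLE_USER")) {
            throw new IllegalStateException("hierarchy grants more than intended: " + admin);
        }
    }
}
```

With these rules zhangsan (ROLE_ADMIN) is denied /user/**, because ROLE_ADMIN and ROLE_USER are siblings under ROLE_SUPER, not parent and child.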
Spring Security Application Development (15) Hierarchical role system