This article covers how to implement Spring Security ACL so that objects can be shared with a user group without creating many entries in the ACL_Entry table.

Problem description

Similar to the problem mentioned below: How to implement ACL at a group level? E.g. only teachers in school A can update school A's calendar

I am trying to solve the scenario below using Spring Security ACL.

We have a scenario where a student's result is shared with a group of teachers. In this scenario, when a teacher logs in he can see the result only if the teacher has read permission on the Result object. If we need to share the result with a group of teachers having 10 members, with read permission, we need to add 10 entries to the ACL_Entry table. This would be complicated, as the entries will increase with an increase in group members and an increase in permissions. Is there any other way, such that if I share the result with the group there will be only one ACL entry, with the group having read permission on the result object, through which the teachers automatically get permission to read the object? Can you also explain with an example how the schema would look?

Please help.

Recommended answer

To sort out the above problem I used the approach below. I have users and user_role tables in my schema. I'm using the db as the authentication manager in the security context.

SchoolA is already a user of my application. Whenever a teacher is added to the schoolA group, I add schoolA as a role to the teacher along with the user role. While sharing the result object with the schoolA group with read permission, I consider schoolA as a GrantedAuthoritySid instead of a PrincipalSid. So the principal column will be false for the SchoolA sid in the ACL_SID table. Whenever a teacher logs in, while getting the results we check whether the teacher has read permission on the result object, but as the teacher has the schoolA role and the schoolA role has read permission, I am able to get the result object when the teacher logs in. In this way I solved my above problem.
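
The group grant described in the answer, written against the Spring Security ACL API as an added example that is not part of the original answer. `ResultSharingService`, `Result`, `ResultRepository` and the authority string passed in are hypothetical, and an `AclPermissionEvaluator` is assumed to be registered for method security.

```java
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class ResultSharingService {
    // Hypothetical domain type and repository, standing in for the application's own.
    public static class Result { Long id; public Long getId() { return id; } }
    public interface ResultRepository { Result findById(Long id); }

    private final MutableAclService aclService;
    private final ResultRepository results;

    public ResultSharingService(MutableAclService aclService, ResultRepository results) {
        this.aclService = aclService;
        this.results = results;
    }

    // One ACL_ENTRY row per (result, group): the SID is the authority name,
    // stored in ACL_SID with principal = false. The string must equal
    // GrantedAuthority.getAuthority() exactly, including any "ROLE_" prefix.
    @Transactional
    public void shareWithGroup(Long resultId, String groupAuthority) {
        ObjectIdentityImpl oid = new ObjectIdentityImpl(Result.class, resultId);
        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid);
        } catch (NotFoundException e) {
            acl = aclService.createAcl(oid); // no ACL yet for this Result
        }
        acl.insertAce(acl.getEntries().size(), BasePermission.READ,
                new GrantedAuthoritySid(groupAuthority), true);
        aclService.updateAcl(acl);
    }

    // Evaluated against the caller's SIDs: the PrincipalSid plus one
    // GrantedAuthoritySid per authority, so any group member passes.
    @PostAuthorize("hasPermission(returnObject, 'read')")
    public Result load(Long resultId) {
        return results.findById(resultId);
    }
}
```

Because the check reads the authorities held on the current `Authentication`, a teacher removed from the group typically keeps read access until they authenticate again with the updated authorities.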
