java - Spring Security hasRole() 对于未经身份验证的用户，考虑角色层次结构

Question

我的 Spring Boot 2 + Spring Security 应用程序中有一个角色层次结构:

@Bean
public RoleHierarchy roleHierarchy() {
    var rh = new RoleHierarchyImpl();
    rh.setHierarchy("ROLE_ADMIN > ROLE_USER and ...");

    return rh;
}

现在我(作为管理员)想要代表另一个用户创建一个实体，但我应该根据上述层次结构检查该用户是否具有一定的权限。

我知道有可能 call spring security hasRole()对于当前经过身份验证的用户，但就我而言，我想要授权的用户未经过身份验证。

现在，我可以检查用户是否具有该特定权限:

public boolean hasAuthority(User user, String authority) {
    return user.getAuthorities()
            .stream()
            .anyMatch(grantedAuthority -> grantedAuthority.getName().equals(authority));
}

但是这样相当长的层次结构将被忽略。

如果有任何帮助，我将不胜感激。

Answer 1

您可以使用角色层次结构，请参阅 RoleHierarchy#getReachableGrantedAuthorities :

Collection<? extends GrantedAuthority> getReachableGrantedAuthorities(Collection<? extends GrantedAuthority> authorities) 

Returns an array of all reachable authorities.

Reachable authorities are the directly assigned authorities plus all authorities that are (transitively) reachable from them in the role hierarchy.

Example: Role hierarchy: ROLE_A > ROLE_B and ROLE_B > ROLE_C.
Directly assigned authority: ROLE_A.
Reachable authorities: ROLE_A, ROLE_B, ROLE_C.

Parameters:

authorities - List of the directly assigned authorities.

Returns:

List of all reachable authorities given the assigned authorities.

您修改后的代码:

public boolean hasAuthority(User user, String authority) {
    return roleHierarchy()
        .getReachableGrantedAuthorities(user.getAuthorities())
        .stream()
        .anyMatch(grantedAuthority -> grantedAuthority.getName().equals(authority));
}