6

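I am designing a security subsystem for a new product. The system requires the following:

  • A complex user/group/permission model, at both the service level and the domain level (ACL)
  • An administration UI for the above
  • Rules enforced in response to user actions (disabling an account on failed logins, password complexity requirements, and so on).

Before going ahead and implementing most of the features that Spring Security (2.x) lacks, I would like to know whether anyone is familiar with, and can recommend, a package that may already implement/support these requirements. Ideally, it would be possible to drop a JAR + WAR into the project and have everything supported out of the box.

Thanks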

4

2 Answers

1

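Not exactly what you are looking for, but you may be interested in taking a look at jSecurity. It is a well-thought-out security framework that handles authentication, authorization, and fine-grained permissions. But as far as I can tell, just like Spring Security, they try not to make assumptions about how this data is stored and organized. (For example, I did not find a reference implementation for users, roles, permissions, etc. in a database.)

Note that the JSecurity project has permanently moved to the Apache Software Foundation and is now called the Apache Shiro project.

Answered 2009-11-01T17:45:08.377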
0

Interesting you asked, I also have a very similar requirement and have been searching for this for a while. I gave up and started doing it myself and have made some decent progress in the last 2 weeks. Currently I have support for domain ids that are not necessarily Long; it could be anything, such as a wild-card string to denote a group of things that could be granted to an authority (ROLE, GROUP, USER), or a String id, or even a long. Multiple permission types, each with their own sets of permissions, can be defined, and these permission types could be assigned as supported to a secured entity and the instances be protected by them, so you don't have the limitation of a maximum of 32 possible permissions across the system. Also you could use any actual or virtual entities in the ACL configuration. All this is based on the new version (3.0.0.R1) of Spring Security with method expression support, and it works fairly well. The whole thing uses Hibernate, so you can take advantage of the transparent persistence and distributed caching. There are lots of rough edges, but being a proof of concept, it's expected. Anyways, let me know if you are interested and we could collaborate to make this useful to us and probably others too.

Answered 2009-10-28T12:13:42.280
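The model the second answer describes (grants to a ROLE, GROUP or USER authority, keyed by a domain id that may be a wildcard string, with named permission sets per entity type instead of a 32-bit mask) can be sketched as follows. This is an added example, not the answerer's code or any Spring Security API: every class, method and sample value is hypothetical, persistence is left out, only a trailing `*` is treated as a wildcard, and it assumes Java 16 or later for records.

```java
import java.util.*;

public class WildcardAcl {
    enum AuthorityKind { ROLE, GROUP, USER }
    record Authority(AuthorityKind kind, String name) {}
    // One grant: authority + secured entity type + domain-id pattern + named permissions.
    record Grant(Authority who, String entityType, String idPattern, Set<String> permissions) {}

    // Named permissions each secured entity type supports; sets are unbounded in size.
    private final Map<String, Set<String>> supported = new HashMap<>();
    private final List<Grant> grants = new ArrayList<>();

    void defineType(String entityType, String... permissions) {
        supported.put(entityType, Set.of(permissions));
    }

    // Rejects permissions the entity type does not declare, so typos cannot create grants.
    void grant(Authority who, String entityType, String idPattern, String... permissions) {
        Set<String> allowed = supported.getOrDefault(entityType, Set.of());
        for (String p : permissions)
            if (!allowed.contains(p))
                throw new IllegalArgumentException(p + " is not defined for " + entityType);
        grants.add(new Grant(who, entityType, idPattern, Set.of(permissions)));
    }

    // Only a trailing '*' acts as a wildcard; any other pattern must match exactly.
    static boolean matches(String pattern, String id) {
        if (!pattern.endsWith("*")) return pattern.equals(id);
        return id.startsWith(pattern.substring(0, pattern.length() - 1));
    }

    // Default deny: access requires an explicit grant to one of the caller's authorities.
    boolean isGranted(Collection<Authority> caller, String entityType, Object id, String permission) {
        String key = String.valueOf(id); // domain ids may be Long, String, ...
        for (Grant g : grants)
            if (caller.contains(g.who()) && g.entityType().equals(entityType)
                    && g.permissions().contains(permission) && matches(g.idPattern(), key))
                return true;
        return false;
    }

    public static void main(String[] args) { // constructed sample data
        WildcardAcl acl = new WildcardAcl();
        acl.defineType("Invoice", "READ", "APPROVE", "VOID");
        Authority finance = new Authority(AuthorityKind.GROUP, "finance");
        Authority alice = new Authority(AuthorityKind.USER, "alice");
        acl.grant(finance, "Invoice", "EU-*", "READ", "APPROVE");
        acl.grant(alice, "Invoice", "42", "VOID");
        List<Authority> caller = List.of(alice, finance);
        System.out.println(acl.isGranted(caller, "Invoice", "EU-1001", "APPROVE"));
        System.out.println(acl.isGranted(caller, "Invoice", 42L, "VOID"));
        System.out.println(acl.isGranted(caller, "Invoice", "US-7", "READ"));
    }
}
```

The first two checks are allowed by the wildcard group grant and the exact-id user grant; the third is denied because no grant covers `US-7`.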