1

我正在使用 Spring Security 3.1.4。

我有一个 UsersManager 类如下:

public class UsersManager {

@Secured("ROLE_ADMIN")
public void update(User user){
    ....
            ....
}
}

public class User{
    Integer id;
    String name;
    Integer departmentId;

}

要求如下:一个用户只能更新他所在部门的用户。考虑到用户依赖于安全会话,有没有办法用 Spring Security 做到这一点?

4

1 回答 1

1

You need to extend org.springframework.security.core.userdetails.User and add to it departmentId property. Then ensure that this object is used by Spring Security as principal (provide your UserDetailsService, set departmentId at the moment of login). Then you can do:

@PreAuthorize("hasRole('ROLE_ADMIN') and #principal.departmentId==#user.departmentId")
public void update(User user){
于 2013-07-04T14:35:28.910 回答