有點老,但可能出現在手爲別人想組:
在用戶等級:
Set<RoleGroup> getAuthorities() {
(UserRoleGroup.findAllByUser(this) as List<UserRoleGroup>)*.roleGroup as Set<RoleGroup>
}
Set<Role> getRoles() {
(UserRoleGroup?.findAllByUser(this)?.roleGroup?.authorities.collect{it}?.flatten() ?: oldRoles) as Set<Role>
}
List<String> getRoleNames() {
(UserRoleGroup?.findAllByUser(this)?.roleGroup?.collect{it.authorities.authority}?.flatten()?: oldRoles.authority) as List<String>
}
//Above will look up from userRoleGroup roleGroup.authorities = UserRole below
Set<Role> getOldRoles() {
(UserRole.findAllByUser(this) as List<Role>)*.role as Set<Role>
}
使用角色我一直即使組啓用和驗證對舊oldRoles方法:
import grails.plugin.springsecurity.userdetails.GormUserDetailsService
import grails.transaction.Transactional
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException
class MySpringSecurityAuthenticator extends GormUserDetailsService{
UserDetails loadUserByUsername(String username, boolean loadRoles)
throws UsernameNotFoundException {
return loadUserByUsername(username)
}
@Transactional
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//enable login with either username or password
User user = User.find {
username == username || attributes.emailAddress == username || userCode == username
}
//if (!user) throw new UsernameNotFoundException('User not found', username)
if (!user) throw new UsernameNotFoundException('User not found')
return loadUserByUsername(user)
}
@Transactional
UserDetails loadUserByUsername(User user) throws UsernameNotFoundException {
if (!user) throw new UsernameNotFoundException('User not found')
//UserDetails.withNewSession {
//getAuthorities(user.oldRoles)
UserDetails userDetails = new org.springframework.security.core.userdetails.User(user.username, user.password,
user.enabled, !user.accountExpired, !user.passwordExpired, !user.accountLocked,getAuthoritiesFromGroup(user.authorities))
Authentication authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities())
SecurityContextHolder.getContext().setAuthentication(authentication)
return userDetails
//}
}
public static List<GrantedAuthority> getAuthoritiesFromGroup(Set<RoleGroup> roles) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>()
roles?.each { role ->
println "-- role = ${role} vs ${role.getClass()}"
authorities.add(new SimpleGrantedAuthority(role.name))
}
return authorities
}
public static List<GrantedAuthority> getAuthorities(Set<Role> roles) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>()
roles?.each { role ->
println "-- role = ${role} vs ${role.getClass()}"
authorities.add(new SimpleGrantedAuthority(role.authority))
}
return authorities
}
}
,並在我的春天/ resources.groovy:
userDetailsService(MySpringSecurityAuthenticator){
grailsApplication = ref('grailsApplication')
}
什麼上面一直做迄今爲止要回用戶角色和將其添加到通過認證處理.. getAuthorities(user.oldRoles)
我現在已經改變了上面的方法通過在組名稱閱讀getAuthoritiesFromGroup(user.authorities)作爲其版本的一側(效果)我使用
這只是解析組名稱還必須包括文字ROLE_GROUPNAME
所以,現在如果創建
@Transactional
def grantPermission(User user, String role='ROLE_ADMIN', String group='ROLE_SUPERGROUP') {
def adminRole = Role.findByAuthority(role)
if (!adminRole) {
adminRole = new Role(authority: role).save(flush: true)
}
UserRole.create user, adminRole, true
def adminRoleGroup = RoleGroup.findByName(group)
if (!adminRoleGroup) {
adminRoleGroup = new RoleGroup(name: group).save(flush: true)
}
def adminRoleGroupRole = RoleGroupRole.findByRole(adminRole)
if (!adminRoleGroupRole) {
adminRoleGroupRole = new RoleGroupRole(role: adminRole, roleGroup: adminRoleGroup).save(flush: true)
}
def alreadyDone = UserRoleGroup.findByUserAndRoleGroup(user,adminRoleGroup)
if (!alreadyDone) {
new UserRoleGroup(user: user, roleGroup: adminRoleGroup).save(flush: true)
}
}
我期待着對組名稱,而不是用戶角色的驗證,總之我有我的控制器更改爲
@Secured("hasAnyRole('ROLE_SUPERGROUP')")
希望這是有道理的應該是直截了當地遵循只是需要時間去你的頭圍繞着這一切..
在這一點上,我仍然玩耍,我不會用作具體的答案,因爲我有點黑客它說我的團體加入我的權威,如果我想我可以增加另一個鉤子去進一步通過每個組和每個實際角色進入它 - 不確定會產生什麼 - 目前
我想將其更改爲requestMaps並將其移至db以便更改並決定是否應該恢復或使用組我知道這種方式我可以在控制器上配置較少的名稱並依賴組名..
無論哪種方式,它的所有的引擎蓋下,幾年上給你一個明確的想法,但可能會派上用場他人
更新 所以我決定去: ,getAuthorities(user.roles)
,其中的代碼
原因以上位內Set<Role> getRoles() {
方法很簡單:
results?.each {
it.user=User.get(it.id)
println "-- \n${it.id}:${it.user.roles} \n${it.id}:${it.user.oldRoles}"
7:[Role(authority:ROLE_ADMIN), Role(authority:ROLE_ADMINAHHA)]
7:[Role(authority:ROLE_ADMIN)]
正如你可以看到我添加使用getOldRoles一個新的用戶,我只看到了getRoles我得到2 1起的作用角色..我添加了2個角色的用戶..
因此,現在將解析所有用戶角色並將它們添加到List<GrantedAuthority>
身份驗證仍將通過以前生成的實際ROLE名稱進行。
當我從用戶這應該停止加載該用戶的許可禁止一組它只是意味着..
那是什麼模型應該做