【Question title】: Spring Security: How To add extra role to authenticated user
【Posted】: 2012-01-13 03:02:52
【Question】:

I have an application that works with a REST service and Spring Security. I have basic authentication, and I need a hard login and a soft login.

The scenario is: when the user logs in, he is assigned ROLE_SOFT and can access URLs that require ROLE_SOFT, but if he wants to access a URL that requires ROLE_HARD, he has to send some code or something to a specified web service.

So I read this: Acegi Security: How do i add another GrantedAuthority to Authentication to anonymous user

After that I created my:

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class AuthenticationWrapper implements Authentication
{
   private Authentication original;

   public AuthenticationWrapper(Authentication original)
   {
      this.original = original;
   }

   // Everything except getAuthorities() is delegated to the wrapped Authentication
   public String getName() { return original.getName(); }
   public Object getCredentials() { return original.getCredentials(); }
   public Object getDetails() { return original.getDetails(); }
   public Object getPrincipal() { return original.getPrincipal(); }
   public boolean isAuthenticated() { return original.isAuthenticated(); }
   public void setAuthenticated( boolean isAuthenticated ) throws IllegalArgumentException
   {
      original.setAuthenticated( isAuthenticated );
   }

   // Returns the original authorities plus ROLE_HARD
   public Collection<? extends GrantedAuthority> getAuthorities() {
      System.out.println("EXISTING ROLES:");
      System.out.println("Size=:" + original.getAuthorities().size());
      for (GrantedAuthority iterable : original.getAuthorities()) {
         System.out.println(iterable.getAuthority());
      }

      GrantedAuthority newrole = new SimpleGrantedAuthority("ROLE_HARD");
      System.out.println("ADD new ROLE:" + newrole.getAuthority());
      Collection<? extends GrantedAuthority> originalRoles = original.getAuthorities();

      ArrayList<GrantedAuthority> temp = new ArrayList<GrantedAuthority>(originalRoles.size() + 1);
      temp.addAll(originalRoles);
      temp.add(newrole);
      System.out.println("RETURN NEW LIST SIZE " + temp.size());
      for (GrantedAuthority grantedAuthority : temp) {
         System.out.println("NEW ROLES:" + grantedAuthority.getAuthority());
      }

      return Collections.unmodifiableList(temp);
   }
}

and the controller:

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

// LoginController, LoginService, LoginServiceImpl and User are application classes not shown here
@Controller
@RequestMapping("/login")
public class LoginControllerImpl implements LoginController {

    LoginService loginService;

    @RequestMapping(method = RequestMethod.GET, headers = "Accept=application/json")
    @ResponseBody
    public User getUserSettings() {
        loginService = new LoginServiceImpl();
        // Wrap the current Authentication so that getAuthorities() also returns ROLE_HARD,
        // then put the wrapper back into the security context
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        AuthenticationWrapper wrapper = new AuthenticationWrapper(auth);
        SecurityContextHolder.getContext().setAuthentication(wrapper);

        return loginService.getUser();
    }
}

But after I change the authentication, my session stops... Maybe someone knows a better solution...

【Comments】:

    Tags: java security spring-security
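The step the question describes (a user who already holds ROLE_SOFT proves something extra and then gains ROLE_HARD) can be done without a wrapper class: build a fresh authenticated token that carries the original principal, credentials and details plus the additional authority, and store that in the SecurityContext. The example below is an added illustration, not code from the question or the answer. `StepUpController`, the `/stepup` endpoint, the `code` request parameter and the `StepUpCodeVerifier` interface are assumptions invented for the example; the only Spring Security APIs used are `Authentication`, `UsernamePasswordAuthenticationToken`, `SimpleGrantedAuthority` and `SecurityContextHolder`, which exist as shown. The elevated role is granted only after the submitted code has been checked, so a plain GET cannot hand out ROLE_HARD to every caller.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

// Hypothetical controller (not from the question): the "soft" user POSTs the
// one-time code mentioned in the question; on success the session is upgraded.
@Controller
@RequestMapping("/stepup")
public class StepUpController {

    /** Hypothetical collaborator that checks the code the user submits. */
    public interface StepUpCodeVerifier {
        boolean verify(String username, String code);
    }

    private final StepUpCodeVerifier codeVerifier;

    @Autowired
    public StepUpController(StepUpCodeVerifier codeVerifier) {
        this.codeVerifier = codeVerifier;
    }

    @RequestMapping(method = RequestMethod.POST)
    @ResponseBody
    public String elevate(@RequestParam("code") String code) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();

        // Only an already authenticated (ROLE_SOFT) user may attempt the step-up.
        if (current == null || !current.isAuthenticated()) {
            return "not-authenticated";
        }

        // The extra role is granted only after the code has been verified.
        if (!codeVerifier.verify(current.getName(), code)) {
            return "invalid-code";
        }

        // Replace the Authentication in the context; the context persistence
        // filter stores the updated context in the HTTP session at request end.
        SecurityContextHolder.getContext()
                .setAuthentication(withExtraRole(current, "ROLE_HARD"));
        return "elevated";
    }

    /**
     * Returns an authenticated token equal to {@code original} but with
     * {@code role} added. If the role is already present the original is
     * returned unchanged, so repeated step-ups do not duplicate authorities.
     */
    static Authentication withExtraRole(Authentication original, String role) {
        List<GrantedAuthority> authorities =
                new ArrayList<GrantedAuthority>(original.getAuthorities());
        for (GrantedAuthority existing : authorities) {
            if (role.equals(existing.getAuthority())) {
                return original;
            }
        }
        authorities.add(new SimpleGrantedAuthority(role));

        // The three-argument constructor marks the token as authenticated.
        UsernamePasswordAuthenticationToken elevated =
                new UsernamePasswordAuthenticationToken(
                        original.getPrincipal(),
                        original.getCredentials(),
                        authorities);
        elevated.setDetails(original.getDetails());
        return elevated;
    }
}
```

Because the replacement is a standard `UsernamePasswordAuthenticationToken` rather than a custom wrapper, the rest of the framework (the `<intercept-url>` checks, `fullyAuthenticated`, session serialization) sees an object of a type it already handles. The `StepUpCodeVerifier` is deliberately left as an interface: what counts as a valid code belongs to the application, and the controller should never add the role on any path that bypasses that check.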


【Solution 1】:

    Just a thought.. If the user logged in the first time using the login form and needs to access a resource that requires additional privileges, then why not redirect the user back to the login page a second time?

        <http auto-config="true" use-expressions="true">
            <intercept-url pattern="/resources/**" access="denyAll"/>
            <intercept-url pattern="/login.do" access="permitAll"/>
            <intercept-url pattern="/role_soft_url_domain/*" access="hasRole('ROLE_SOFT') and fullyAuthenticated"/>
            <intercept-url pattern="/role_hard_url_domain/*" access="hasRole('ROLE_HARD') and fullyAuthenticated"/>
            <intercept-url pattern="/*" access="hasRole('ROLE_SOFT')"/>
            <form-login login-page="/login.do" />
            <logout invalidate-session="true"
                    logout-success-url="/"
                    logout-url="/j_spring_security_logout"/>
        </http>
    

【Discussion】:
