sfgroups

Reputation: 19099

Grails Spring Security UI, user and Role management access

I have installed spring-security-core & spring-security-ui. Also added testuser in roleadmin.

When I run the application I get all the controllers list. The Login controller worked with username & password, but when I click another controller it says

'Sorry, you're not authorized to view this page.'

Do I need to add any other role to get the user and role management UI access?

Plugin version:

compile ':spring-security-core:2.0-RC2'
compile ":spring-security-ui:1.0-RC1"

Accessing this URL: //127.0.0.1:8080/sec-test/role/search

Here is my screen, after login.


Upvotes: 7

Views: 8911

Answers (7)

burns

Reputation: 1121

As mentioned above, the plugin changed to pessimistic locking, so anything without a security level defined will throw that 'Sorry, you're not authorized to view this page.' message.

Other answers have already said you can just use the s2ui-override script to generate all the controllers and add the @Secured annotation:

grails s2ui-override user com.myApp
grails s2ui-override role com.myApp

then edit to add

import grails.plugin.springsecurity.annotation.Secured
@Secured(['ROLE_ADMIN'])
class UserController ...

But instead of creating a bunch of empty controllers, you can just modify the static rules file in Config.groovy.

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':                              ['permitAll'],
    '/**/css/**':                     ['permitAll'],
    '/**/images/**':                  ['permitAll'],
    // <snip>
    '/register/**':                   ['permitAll'],
    '/user/**':                       ['ROLE_ADMIN'],
    '/role/**':                       ['ROLE_ADMIN'],
]

Adding these three lines will make the register controller available to anyone, and the user and role controllers only accessible by ROLE_ADMIN users.

Upvotes: 2

Ishan Sharma

Reputation: 1356

By default Grails uses a pessimistic approach for URL locking, which means that it shows the same message "Sorry you are not authorized to view this URL" if that URL is not explicitly whitelisted. Apart from adding @Secured to your controller, you could also add the following to your config/conf.groovy file and whitelist the URL:

'/action':                    ['ROLE_ADMIN']

'/action' = URL to your action. It could also be clubbed with wildcards, e.g.:

'/**/css/**':                 ['permitAll']

['ROLE_ADMIN'] = the role which can access the URL

Upvotes: 2

felleuch

Reputation: 51

A better method is to make anonymous registration by these instructions:

grails s2ui-override auth
grails s2ui-override layout
grails s2ui-override user com.myApp
grails s2ui-override role com.myApp
grails s2ui-override register com.myApp

and add this to the Register controller:

import grails.plugin.springsecurity.annotation.Secured

@Secured(['ROLE_ANONYMOUS'])
class RegisterController extends grails.plugin.springsecurity.ui.RegisterController {
}

Upvotes: 5

The Anish

Reputation: 19

In Config.groovy:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':                              ['permitAll'],
    '/**':                            ['permitAll'],
    '/index':                         ['permitAll'],
    '/user/search':                   ['permitAll'],
    '/plugins/jquery-ui-1.10.3/**':   ['permitAll'],
    '/index.gsp':                     ['permitAll'],
    '/assets/**':                     ['permitAll'],
    '/**/js/**':                      ['permitAll'],
    '/**/css/**':                     ['permitAll'],
    '/**/images/**':                  ['permitAll'],
    '/**/favicon.ico':                ['permitAll']
]

This allows you to grant access to all these. You can also manually configure it.

Upvotes: 0
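
The answers above differ in what their staticRules leave open: with no rule a URL is rejected (the message in the question), with a role rule it is limited to that role, and a broad permitAll pattern such as '/**' opens it to everyone. The following added example (not code from any answer or from the plugin) audits a rule map for admin URLs that a permitAll rule would expose. It assumes a simplified Ant-style matcher and does not model the plugin's precedence between overlapping rules, so it flags conservatively; the rule sets are constructed to mirror the ones quoted on this page.

```python
import re

def ant_to_regex(pattern):
    """Compile an Ant-style path pattern ('*', '**', '?') to a regex (simplified)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('/**/', i):            # zero or more directories
            out.append('/(?:.*/)?'); i += 4
        elif pattern.startswith('/**', i) and i + 3 == len(pattern):
            out.append('(?:/.*)?'); i += 3           # the path and everything below it
        elif pattern.startswith('**', i):
            out.append('.*'); i += 2
        elif pattern[i] == '*':
            out.append('[^/]*'); i += 1              # stays within one path segment
        elif pattern[i] == '?':
            out.append('[^/]'); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile(''.join(out) + r'\Z')

def classify(rules, url):
    """'locked' (no rule: rejected under the pessimistic default),
    'public' (some matching rule is permitAll) or 'restricted:<roles>'."""
    hits = [attrs for pat, attrs in rules.items() if ant_to_regex(pat).match(url)]
    if not hits:
        return 'locked'
    if any('permitAll' in attrs for attrs in hits):
        return 'public'
    return 'restricted:' + ','.join(sorted({a for attrs in hits for a in attrs}))

def public_admin_urls(rules, admin_urls):
    """Admin URLs that at least one permitAll rule would open to everyone."""
    return [u for u in admin_urls if classify(rules, u) == 'public']

# Constructed inputs mirroring the rule sets quoted in the answers on this page.
ADMIN_URLS = ['/user/search', '/role/search']
NO_UI_RULES = {'/': ['permitAll'], '/**/css/**': ['permitAll']}
ROLE_RULES = {**NO_UI_RULES, '/register/**': ['permitAll'],
              '/user/**': ['ROLE_ADMIN'], '/role/**': ['ROLE_ADMIN']}
CATCH_ALL_RULES = {**ROLE_RULES, '/**': ['permitAll']}

if __name__ == '__main__':
    for name, rules in [('no UI rules', NO_UI_RULES), ('role rules', ROLE_RULES),
                        ('catch-all', CATCH_ALL_RULES)]:
        print(name, {u: classify(rules, u) for u in ADMIN_URLS},
              'public admin URLs:', public_admin_urls(rules, ADMIN_URLS))
```

A non-empty result from public_admin_urls means the user or role management screens are reachable without logging in and the rule set should be narrowed.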

Wac

Reputation: 688

First create your roles and test user in BootStrap.groovy:

import springsecurity.User
import springsecurity.Role
import springsecurity.UserRole

class BootStrap {

    def init = { servletContext ->

        def adminRole = new Role(authority: 'ROLE_ADMIN').save(flush: true)
        def userRole = new Role(authority: 'ROLE_USER').save(flush: true)

        def testUser = new User(username: 'testusername', password: '1234')
        testUser.save(flush: true)

        UserRole.create testUser, adminRole, true

        assert User.count() == 1
        assert Role.count() == 2
        assert UserRole.count() == 1

    }
    def destroy = {
    }
}

Then override as suggested:

grails s2ui-override auth
grails s2ui-override layout
grails s2ui-override user package.name
grails s2ui-override role package.name

Finally, add the secured annotations to your controllers, i.e.:

package springsecurity
import grails.plugin.springsecurity.annotation.Secured

@Secured(['ROLE_ADMIN'])
class RoleController extends grails.plugin.springsecurity.ui.RoleController {
}

Upvotes: 6

sfgroups

Reputation: 19099

After installing the plugins, I need to run this s2ui-override to create the controllers in the application:

grails s2ui-override auth
grails s2ui-override layout
grails s2ui-override user com.myApp
grails s2ui-override role com.myApp

This page was helpful.

http://ajibrans.wordpress.com/2012/02/04/spring-security-plugin-with-grails-1-3-7/

Upvotes: 1

Naresha

Reputation: 199

User-role mapping is done in UserController.

URL - http://127.0.0.1:8080/sec-test/user

Upvotes: 0
