tom simo

Reputation: 73

Using Spring Security in Grails to restrict content access

Let me start off again by saying that I am still new to Grails and Spring Security. I have been doing my best to sift through the documentation and examples and samples. It all has made me a bit confused or overwhelmed.

I am trying to use Spring to manage user access to information. I have a site framed. I want the admin to be able to add people, locations connected to the people and images of the locations. The picture is connected to the person. I want the people that log in to be able to see their pictures, only.

Is it better or best practice to do this with sec tags or @Secure annotations or a combination? Which is the most secure? I have restricted access using sec:tags. Is there a sec:tag I can use to select the pictures to be displayed?

Upvotes: 0

Views: 280

Answers (1)

Gregg

Reputation: 35864

I think you can look at this in a simpler way. There are basically 3 ways to manage security with the basic plugin install.

  • @Secured - This allows you to lock down access to an entire Controller and / or individual actions. Think of this as locking down a URL to a specific set of roles. Changes to this level of security will require a redeploy.
  • Request Map - You get the same benefit as @Secured with the added bonus of being able to modify Controller / action security in a running environment vs having to do a redeploy.
  • sec tags - These allow you to lock down the rendering of views. For example, to allow an edit button to show up for one role while hiding it for another role. The sec tags are used in combination with the above methods.

That's really basically it. None of the above are more or less secure than the other. What some people seem to confuse is the concept of "my data" and how Spring Security handles that. If, in a Controller, you want a user to be able to access only their "pictures", you should just query for "pictures" based on the authenticated user.

def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
def pictures = Picture.findAllByUser(authenticatedUser)

The view then only cares about what pictures you sent to it. Each logged-in user will then only see their pictures. If the admin is logged in, and needs to see ALL the pictures, you might do something like this:

def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
def pictures
if (SpringSecurityUtils.ifAllGranted("ROLE_ADMIN")) {
   pictures = Picture.list()                        // admin: every picture
} else {
   pictures = Picture.findAllByUser(authenticatedUser)   // everyone else: only their own
}

However, I'd probably just have a separate Controller for administrative purposes versus trying to do too much logic in one Controller. Or, move the logic to a Service.

Hope this helps.

Upvotes: 3
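The pattern from the answer above, written out as a full controller. This is an added example, not code from the answer or from the plugin; it assumes `User` and `Picture` domain classes where `Picture` has a `user` property, and the `grails.plugin.springsecurity` package names of spring-security-core 2.x and later.

```groovy
// Added example (not from the original answer). Assumes domain classes User and
// Picture (Picture has a `user` property) and the spring-security-core 2.x+ plugin.
import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

// @Secured locks the URL down to these roles; it says nothing about *whose* data is shown.
@Secured(['ROLE_USER', 'ROLE_ADMIN'])
class PictureController {

    def springSecurityService   // injected by the plugin

    // List: admins see every picture, everyone else only rows that belong to them.
    def index() {
        User me = springSecurityService.currentUser
        def pictures = SpringSecurityUtils.ifAllGranted('ROLE_ADMIN')
                ? Picture.list()
                : Picture.findAllByUser(me)
        [pictures: pictures]
    }

    // Show: re-check ownership on the single record as well. Filtering only the
    // list still leaves /picture/show/<id> reachable for any id typed into the URL.
    def show(Long id) {
        Picture picture = Picture.get(id)
        User me = springSecurityService.currentUser
        boolean isAdmin = SpringSecurityUtils.ifAllGranted('ROLE_ADMIN')
        if (!picture || (picture.user.id != me.id && !isAdmin)) {
            render status: 404   // same answer as "not found", so nothing leaks about other users' ids
            return
        }
        [picture: picture]
    }
}
```

The same ownership check belongs in `update` and `delete` actions too, or in a service both controllers call, as the answer suggests.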
