MKB

Reputation: 7619

spring security core secure custom url

I am using grails 2.3.9 and spring-security-core:2.0-RC3 and using staticRules for security.

I have following security configurations in Config file:

grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.mkb.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.mkb.UserRole'
grails.plugin.springsecurity.authority.className = 'com.mkb.Role'
grails.plugin.springsecurity.useSwitchUserFilter = true
grails.plugin.springsecurity.logout.postOnly = false
grails.plugin.springsecurity.adh.errorPage = null
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/': ['permitAll'],
    '/index': ['permitAll'],
    '/index.gsp': ['permitAll'],
    '/**/js/**': ['permitAll'],
    '/**/css/**': ['permitAll'],
    '/**/images/**': ['permitAll'],
    '/**/favicon.ico': ['permitAll'],

    '/controllerC/**': ['ROLE_USER'],

    '/**': ['permitAll']
]

These security configurations work fine.

Now I have following URL mappings

"/test/controllerA/$action?/$id?(.${format})?"(controller: 'controllerA')
"/test/controllerB/$action?/$id?(.${format})?"(controller: 'controllerB')

and I need to set the security for the URLs that contain /test/, i.e., the URLs myDomain.com/test/controllerA/** and myDomain.com/test/controllerB/** should be accessible only to users that have the ROLE_ABC role.

I have tried with

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/': ['permitAll'],
    '/index': ['permitAll'],
    '/index.gsp': ['permitAll'],
    '/**/js/**': ['permitAll'],
    '/**/css/**': ['permitAll'],
    '/**/images/**': ['permitAll'],
    '/**/favicon.ico': ['permitAll'],

    '/test/**': ['ROLE_ABC'],

    '/**': ['permitAll']        
]

but this did not work, any user can access the controllers.

How do I define the security?

NOTE: I cannot use @Secured annotations. I need the security rules in Config only.

Upvotes: 4

Views: 2288

Answers (3)

dmahapatro

Reputation: 50265

You would have to explicitly specify the controllers in static rules as below:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    ...

    '/controllerA/**': ['ROLE_ABC'],
    '/controllerB/**': ['ROLE_ABC'],

    ....
]

I think this is exactly what you already have for controllerC:

'/controllerC/**': ['ROLE_USER'],

Refer to this answer for details. As the docs suggest, this is also applicable to controllers from plugins, where @Secured cannot be used if the source code is unreachable.

Upvotes: 3
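Added example (not part of any answer above, and not the plugin's own code) modelling why the controller-keyed rules work while '/test/**' does not: the assumption here is that, in annotation mode, the plugin first resolves the request through the URL mappings to a /controller/action URL and only then matches staticRules against it, so the '/test/' prefix is never seen by the matcher. The Ant-pattern translation and the first-match-in-config-order lookup are simplifications for illustration.

```python
import re

# Constructed model of the question's URL mappings: request prefix -> controller name.
URL_MAPPINGS = {
    "/test/controllerA": "controllerA",
    "/test/controllerB": "controllerB",
}

def reverse_map(request_url):
    """Resolve a request URL to the /controller/action URL the rules are matched
    against (simplified model; an assumption about the plugin's annotation-mode
    lookup). URLs with no explicit mapping pass through unchanged."""
    for prefix, controller in URL_MAPPINGS.items():
        if request_url == prefix or request_url.startswith(prefix + "/"):
            rest = request_url[len(prefix):].strip("/").split("/")
            # $action? is optional and may carry a .format suffix; $id? is dropped
            action = rest[0].split(".")[0] if rest[0] else "index"
            return "/%s/%s" % (controller, action)
    return request_url

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (**, *, ?) into an anchored regex."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(/.*)?"; i += 3          # '/**' also matches the bare parent path
        elif pattern.startswith("**", i):
            out += ".*"; i += 2
        elif pattern[i] == "*":
            out += "[^/]*"; i += 1
        elif pattern[i] == "?":
            out += "[^/]"; i += 1
        else:
            out += re.escape(pattern[i]); i += 1
    return out + "$"

def required_roles(rules, request_url):
    """Attributes of the first rule (in config order) matching the resolved URL."""
    url = reverse_map(request_url)
    for pattern, attrs in rules:
        if re.match(ant_to_regex(pattern), url):
            return attrs
    return None

# The asker's attempt: '/test/**' never matches, so every request falls through to '/**'.
BROKEN_RULES = [("/test/**", ["ROLE_ABC"]), ("/controllerC/**", ["ROLE_USER"]), ("/**", ["permitAll"])]
# The accepted answer: rules keyed on the controller URLs.
FIXED_RULES = [("/controllerA/**", ["ROLE_ABC"]), ("/controllerB/**", ["ROLE_ABC"]),
               ("/controllerC/**", ["ROLE_USER"]), ("/**", ["permitAll"])]

if __name__ == "__main__":
    for url in ("/test/controllerA/list/5", "/test/controllerB", "/controllerC/show/1"):
        print(url, "->", reverse_map(url), required_roles(BROKEN_RULES, url), required_roles(FIXED_RULES, url))
```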

Phat H. VU

Reputation: 2360

I suggest you use Filters in Grails: http://grails.org/doc/latest/guide/theWebLayer.html#filters An example:

class SecurityFilters {
   def filters = {
       loginCheck(controller: '*', action: '*') {
           before = {
              if (!session.user && !actionName.equals('login')) {
                  redirect(action: 'login')
                  return false
               }
           }
       }
   }
}

Upvotes: 2

JiniKJohny

Reputation: 1182

You can use the below code if any user can access the controllers.

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    ...
    '/test/**': ['permitAll'],
    ...
]

And for a particular user you can use Spring Security annotations.

Add the below line before the class name.

@Secured(['ROLE_ABC'])

You need to import:

import org.springframework.security.access.annotation.Secured

Upvotes: 2
