Reputation: 31
I am using Grails 2.4.5. I have created a new application, TestSecurity, and a simple controller, SecuredController, that is accessible from the interface.
    package testsecurity

    class SecuredController {
        def index() {
            render 'HELLO FROM CONTROLLER'
        }
    }
Then I added the spring_security_core plugin: I added compile ":spring-security-core:2.0-RC4". Then I ran s2-quickstart com.testapp User Role.
Then I start the application and spring_security doesn't allow me to enter http://localhost:8080/TestSecurity/secured/index and asks for the login and password. I haven't added @Secured(['ROLE_ADMIN']) or any other annotations. How can I fix this bug?
In the tutorial http://grails-plugins.github.io/grails-spring-security-core/guide/single.html#tutorials it is said that without an annotation the controller must not be secured and can be accessed.
The Config.groovy file looks as follows:
    // Added by the Spring Security Core plugin:
    grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.testapp.User'
    grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.testapp.UserRole'
    grails.plugin.springsecurity.authority.className = 'com.testapp.Role'
    grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        '/':               ['permitAll'],
        '/index':          ['permitAll'],
        '/index.gsp':      ['permitAll'],
        '/assets/**':      ['permitAll'],
        '/**/js/**':       ['permitAll'],
        '/**/css/**':      ['permitAll'],
        '/**/images/**':   ['permitAll'],
        '/**/favicon.ico': ['permitAll']
    ]
Upvotes: 1
Views: 759
Reputation: 1603
You should use annotations to secure your controllers. Or change grails.plugin.springsecurity.securityConfigType if you don't like annotations.
Read this:
By default all urls are secured. To change this try:
    grails.plugin.springsecurity.rejectIfNoRule = false
    grails.plugin.springsecurity.fii.rejectPublicInvocations = false
Read the documentation for these options:
http://grails-plugins.github.io/grails-spring-security-core/guide/requestMappings.html
ATTENTION:
As Burt Beckwith commented below, it is not a good idea to disable rejectIfNoRule and rejectPublicInvocations. So it is not a recommendation to use this, but it can be helpful if you just want to test something!
Upvotes: 1
Reputation: 31
I have used the @Secured(['ROLE_ANONYMOUS']) annotation on my controller, and security has started to work.
Upvotes: 2
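An added example, not part of the original posts: one way to make the controller from the question reachable while leaving the plugin's default-deny settings on, either with a URL rule or with an annotation. The `admin` action is hypothetical and only shows an action-level rule overriding the class-level one; the two parts belong in separate files, as the comments mark.

```groovy
// ---- file: grails-app/conf/Config.groovy (fragment) ----
// Keep default-deny: any URL without a matching rule is rejected.
// These are the values the answer above sets to false for testing.
grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.fii.rejectPublicInvocations = true

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':               ['permitAll'],
    '/index':          ['permitAll'],
    '/index.gsp':      ['permitAll'],
    '/assets/**':      ['permitAll'],
    '/**/js/**':       ['permitAll'],
    '/**/css/**':      ['permitAll'],
    '/**/images/**':   ['permitAll'],
    '/**/favicon.ico': ['permitAll'],
    // Option A: open exactly one controller by URL pattern.
    // Everything not listed here or annotated stays blocked.
    '/secured/**':     ['permitAll']
]

// ---- file: grails-app/controllers/testsecurity/SecuredController.groovy ----
// Option B: state the access rule on the controller itself.
package testsecurity

import grails.plugin.springsecurity.annotation.Secured

@Secured(['permitAll'])              // class-level rule: every action is public
class SecuredController {

    def index() {
        render 'HELLO FROM CONTROLLER'
    }

    // Hypothetical action: an action-level annotation replaces the
    // class-level rule, so this one requires ROLE_ADMIN.
    @Secured(['ROLE_ADMIN'])
    def admin() {
        render 'ADMIN ONLY'
    }
}
```

Use one option per URL rather than both, so there is a single place to audit who can reach the controller.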