Reputation: 10848
I know that I can use annotation or Request mapping to restrict access to an ACTION by some specific ROLES. But now I have a different circumstance.
My scenario is: every user of my site can create posts, and they can make their own post public, private, or only share it with some other users. I implement post sharing with a database table PERMISSION, which specifies whether a user has the right to view a post or not.
The problem that arises here is: when a customer accesses a post through a direct link, how can I determine whether he/she has the privilege to view it? There are 3 circumstances:
- The post is public, so it can be viewed by anyone (including users who are not logged in)
- The post is private, so only the logged-in owner can view it
- The post is shared, which means only the logged-in user it is shared with and the owner can view it.
I want to process like this:
- If the requested post is public: ok.
- If the requested post is private/shared: I want to redirect the customer to the login page; after logging in, the user will be redirected to the page he wants to see.
The problem here is that I can redirect the user to the login controller/auth action, but after that I don't know how to redirect them back. The link to every post differs by post_id, so I can't use SpringSecurityUtils.securityConfig.successHandler.defaultTargetUrl.
Does anyone know a way to do this?
Upvotes: 0
Views: 3038
Reputation: 10848
I have found a quick workaround for this problem:
If the user is not logged in: in the view action, set the post_id by:
session.post_id = 8
Redirect the user to the Login Controller/ Auth action.
grails.plugins.springsecurity.successHandler.defaultTargetUrl
in Config.groovy), if session.post_id exists, use it to build the link for re-directing to the view action. Before redirecting, clear the session.post_id.
Upvotes: 0
Reputation: 5321
Have you looked at the Grails Spring Security ACL plugin? I don't know it very well, but it's designed to restrict access to particular instances:
http://grails.org/plugin/spring-security-acl
Upvotes: 1
Reputation: 2089
I think you could add your own filter that will be executed before the action is called and do the verification of the post permissions there. You can find more information about Grails Filters here.
Upvotes: 1
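The check such a filter could run, combined with the session.post_id workaround from the earlier answer, as an added example in plain Groovy (not code from any poster in this thread). The class and method names and the /post/view/ path are hypothetical; only the post id is kept in the session, so the post-login link is always built on the server.

```groovy
enum Visibility { PUBLIC, PRIVATE, SHARED }
enum Outcome { ALLOW, LOGIN, DENY }

class Post {
    Long id
    Long ownerId
    Visibility visibility
}

class PostAccess {
    // sharedWith: user ids that have a PERMISSION row for this post.
    // userId is null for a visitor who is not logged in.
    static Outcome decide(Post post, Long userId, Set<Long> sharedWith) {
        if (post.visibility == Visibility.PUBLIC) return Outcome.ALLOW
        if (userId == null) return Outcome.LOGIN      // anonymous: send to login
        if (userId == post.ownerId) return Outcome.ALLOW
        if (post.visibility == Visibility.SHARED && userId in sharedWith) return Outcome.ALLOW
        return Outcome.DENY                           // logged in, but no permission
    }

    // Before redirecting to login: remember the post id only, never a full URL.
    static void rememberTarget(Map session, Post post) { session.post_id = post.id }

    // After login: build the link from the stored id and clear it from the session.
    // The view action then runs decide() again, so logging in alone grants nothing.
    static String targetAfterLogin(Map session, String defaultUrl) {
        def id = session.remove('post_id')
        return (id instanceof Long) ? "/post/view/${id}".toString() : defaultUrl
    }
}

// Constructed sample: post 8 is owned by user 7 and shared with user 42.
def post = new Post(id: 8L, ownerId: 7L, visibility: Visibility.SHARED)
def shared = [42L] as Set
def session = [:]   // stands in for the HTTP session

assert PostAccess.decide(post, null, shared) == Outcome.LOGIN
PostAccess.rememberTarget(session, post)
assert PostAccess.targetAfterLogin(session, '/') == '/post/view/8'
assert !session.containsKey('post_id')
assert PostAccess.decide(post, 42L, shared) == Outcome.ALLOW
assert PostAccess.decide(post, 7L, shared) == Outcome.ALLOW
assert PostAccess.decide(post, 99L, shared) == Outcome.DENY
```

A logged-in user without a PERMISSION row gets DENY rather than another trip to the login page, which avoids a redirect loop.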
Reputation: 52665
Dunno about Grails, but Spring Security has a spring-security-redirect parameter which can be used to redirect the user to the specified URL on successful authentication.
Upvotes: 1