Restricting page views using Spring Security in a Grails application

Date: 2014-02-06 19:07:44

Tags: spring grails filter spring-security

So I have a standard Grails 2.2.1 app using spring-security-core 1.2.7.3. I have a custom filter that validates a password for a restricted part of the application.

If I hit another restricted URL, I can see the filter chain throw the following exception:

Secure object: FilterInvocation: URL: /list; Attributes: [ROLE_USER]

which is correct if the user is not logged in, since they have not been given a role yet. Other filters, i.e. for the /landing URL, restrict access. However, this is not thrown when the user hits the URL

/press/meta

The application is configured like so;

Config.groovy

grails.plugins.springsecurity.interceptUrlMap = [
    '/landing/**':      ['ROLE_USER','ROLE_ADMIN'],
    '/press/**':        ['ROLE_USER','ROLE_ADMIN'],
    '/list/**':         ['ROLE_USER'],
    '/**':              ['IS_AUTHENTICATED_ANONYMOUSLY']
]

UrlMappings.groovy

class UrlMappings {
    static mappings = {
        "/$controller/$action?/$id?" {
            constraints {
                // apply constraints here
            }
        }
        // static mapping: /press/meta renders the view at grails-app/views/meta/index.gsp
        "/press/meta"(view: "/meta/index")
    }
}

All my controllers and app functionality work as expected, but when I hit the URL

http://localhost:8080/WebSite/press/meta?pass=password1

access is not restricted even though the user is not logged in. The custom filter does validate the password, and lets the user continue if it is correct; the filter returns true/false depending on whether the password is correct.

The log looks like this;

06,02 18:41:51:097 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/press/meta'; to: '/press/meta'
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Candidate is: '/press/meta'; pattern is /**; matched=true
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?pass=password at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
06,02 18:41:51:101 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 5 of 8 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06,02 18:41:51:115 [http-bio-8080-exec-1] DEBUG intercept.FilterSecurityInterceptor - Public object - authentication not attempted
06,02 18:41:51:116 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 reached end of additional filter chain; proceeding with original chain
06,02 18:41:51:151 [http-bio-8080-exec-1] DEBUG portal.AdminFilters - Admin secret matched, proceeding
06,02 18:41:51:553 [http-bio-8080-exec-1] DEBUG access.ExceptionTranslationFilter - Chain processed normally

I'm trying to figure out what the best practice is: doing some Spring Security logic in the custom filter and throwing an exception if the user doesn't have the correct role, but I'd rather let Config.groovy manage this!

Thanks for any help or suggestions.

J

1 Answer:

Answer 0 (score: 0)

In spring-security-core v1.2.7.3 the default securityConfigType is Annotation. To activate the URL mappings you have defined, you must specify this configuration parameter:

grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"

Link to docs
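The posted log confirms the answer's diagnosis, and the corrected Config.groovy is shown below as an added example (it is not the question's or the answer's own code). The `pattern is /**; matched=true` line is FilterChainProxy choosing which filter chain to run, not an authorization rule; the decisive line is `FilterSecurityInterceptor - Public object - authentication not attempted`, which means the interceptor found no access attributes for `/press/meta` at all, exactly what happens when interceptUrlMap is never loaded because the plugin is in Annotation mode. Note also that the debug log records the full query string (`/press/meta?secret=secret1`), so a secret passed as a URL parameter ends up in the log. Option 2 below (`controllerAnnotations.staticRules`) is the plugin's Annotation-mode equivalent and is not mentioned on the page; treat it as an assumption about the 1.2.x configuration if you stay in that mode.

```groovy
// Config.groovy (Grails 2.2.1, spring-security-core 1.2.7.3)
// Added example, not the question's original file.

// BEFORE: the map in the question is silently ignored, because the plugin
// defaults to securityConfigType = "Annotation" and only reads interceptUrlMap
// when the type is "InterceptUrlMap". FilterSecurityInterceptor then finds no
// attributes for /press/meta and logs "Public object - authentication not attempted".
//
// grails.plugins.springsecurity.interceptUrlMap = [ ... ]   // never consulted

// AFTER, option 1: switch to InterceptUrlMap mode (the accepted answer).
// Rules are evaluated top to bottom and the first match wins, so keep the
// specific patterns first and the catch-all '/**' last. The static
// "/press/meta"(view: ...) entry in UrlMappings makes no difference here:
// the rule is matched against the request URL in the servlet filter chain,
// before Grails dispatches to a controller or view.
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
    '/landing/**': ['ROLE_USER', 'ROLE_ADMIN'],
    '/press/**':   ['ROLE_USER', 'ROLE_ADMIN'],   // also covers /press/meta
    '/list/**':    ['ROLE_USER'],
    '/**':         ['IS_AUTHENTICATED_ANONYMOUSLY']
]

// AFTER, option 2 (assumption: you want to keep Annotation mode so @Secured on
// controllers keeps working): leave securityConfigType at its default and put
// the same URL rules in controllerAnnotations.staticRules, which Annotation
// mode does read. Use one option or the other, not both.
//
// grails.plugins.springsecurity.controllerAnnotations.staticRules = [
//     '/landing/**': ['ROLE_USER', 'ROLE_ADMIN'],
//     '/press/**':   ['ROLE_USER', 'ROLE_ADMIN'],
//     '/list/**':    ['ROLE_USER']
// ]
```

To check the fix, request /press/meta again while logged out with debug logging still on: the `Public object - authentication not attempted` line should be replaced by a `Secure object: FilterInvocation: URL: /press/meta; Attributes: [ROLE_USER, ROLE_ADMIN]` entry, followed by the same access-denied handling the question already observes for /list, and the custom AdminFilters password check is never reached for an anonymous user.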