Grails spring security拒绝访问其他插件

时间:2014-10-28 11:32:30

标签: grails spring-security grails-plugin

关于grails 2.4.3项目我正在使用Spring Security Core插件(2.0RC4)和另一个插件调用Feature Flipping。

我的所有控制器都已正确保护,身份验证正常运行。

“功能翻转”插件会显示/admin/feature URI,允许用户切换网络。

我尝试配置静态规则以仅允许ROLE_ADMIN个用户访问此资源,但我仍然收到“拒绝访问”错误。

有什么想法吗?

我的staticRules:

'/admin/**':                  ['ROLE_ADMIN']

SpringSecurity调试日志:

2014-10-28 17:15:47,805 [http-bio-8080-exec-4] DEBUG matcher.AntPathRequestMatcher  - Request '/admin/features' matched by universal pattern '/**'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository  - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@2116e65: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@2116e65: Principal: [REDACTED].security.UserDetails@f9520f8b: Username: pygillier; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 7FF242941B7F95FD17E97D8611B3A5CF; Granted Authorities: ROLE_ADMIN, ROLE_USER'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 5 of 8 in additional filter chain; firing Filter: 'GrailsRememberMeAuthenticationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 6 of 8 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-10-28 17:15:47,807 [http-bio-8080-exec-4] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /admin/features; Attributes: [_DENY_]

2 个答案:

答案 0 :(得分:1)

我会根据我已经从你那里获得的信息给出一个镜头。如果您没有指定securityConfigType,Grails Spring Security插件将默认在控制器类上使用Annotations。如果是这种情况(或者您因为想要明确使用Annotations),那么您有几个选择:

  1. grails.plugin.springsecurity.rejectIfNoRule设为false。建议不要这样做,因为它可能会使所有未明确保护的其他URL保持打开状态。但是,它可能适合开发。
  2. 如果我的假设是正确的,您可能正在使用不正确的静态规则配置。如果使用注释,则必须将静态规则映射定义为配置项grails.plugin.springsecurity.controllerAnnotations.staticRules
  3. 因此,您的配置应该如下所示:

    grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        '/admin/**':                      ['ROLE_ADMIN']
    ]
    

    作为参考,这是line of code给了我一个关于这里发生了什么的提示。这告诉我,Spring Security插件无法找到您定义的'ROLE_ADMIN'属性,并且rejectIfNoRule设置为true(这是默认值)。

答案 1 :(得分:0)

好的,

我对插件的控制器名称&网址不同。

插件的控制器名称为FeatureSwitchAdmin并映射为/admin/features,在我需要设置的staticRules中

'/featureswitchadmin/**':              ['ROLE_ADMIN']

获取有效的凭证。

(找到了@rmlan线索和official doc的解决方案)