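FilterSecurityInterceptor returns _DENY_ when a Grails controller defines a namespace

Time: 2014-02-19 22:17:00

Tags: grails spring-security

My environment

  • grails: 2.3.5
  • spring-security-core: 2.0-RC2
  • spring-security-ldap: 2.0 RC2
  • spring-security-rest: 1.2.3

My simple API works fine without a namespace, but it started returning 403 when I added a namespace to the controller. Even when I pass a valid value for X-Auth-Token, I get a 403.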

AuthorController.groovy

package bookstore

import grails.plugin.springsecurity.annotation.Secured
import grails.rest.RestfulController

@Secured(['IS_AUTHENTICATED_FULLY']) 
class AuthorController extends RestfulController {

  static namespace = "testing"
  static responseFormats = ['json', 'xml']

  AuthorController() {
     super(Author)
  } 
}

UrlMappings.groovy

"/authors"(resources:"author", namespace:"testing")

Logging

I turned on logging for the security code and recorded the following with the namespace in place:

DEBUG context.SecurityContextPersistenceFilter  - SecurityContextHolder now cleared, as request processing completed
DEBUG util.AntPathRequestMatcher  - Request '/authors' matched by universal pattern '/**'
DEBUG web.FilterChainProxy  - /authors at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG web.FilterChainProxy  - /authors at position 2 of 10 in additional filter chain; firing Filter: 'RestLogoutFilter'
DEBUG rest.RestLogoutFilter  - Actual URI is /authors; endpoint URL is /logout
DEBUG web.FilterChainProxy  - /authors at position 3 of 10 in additional filter chain; firing Filter: 'MutableLogoutFilter'
DEBUG web.FilterChainProxy  - /authors at position 4 of 10 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
DEBUG rest.RestAuthenticationFilter  - Actual URI is /authors; endpoint URL is /login
DEBUG web.FilterChainProxy  - /authors at position 5 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG web.FilterChainProxy  - /authors at position 6 of 10 in additional filter chain; firing Filter: 'GrailsRememberMeAuthenticationFilter'
DEBUG web.FilterChainProxy  - /authors at position 7 of 10 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter'
DEBUG web.FilterChainProxy  - /authors at position 8 of 10 in additional filter chain; firing Filter: 'RestTokenValidationFilter'
DEBUG rest.RestTokenValidationFilter  - Looking for a token value in the header 'X-Auth-Token'
DEBUG rest.RestTokenValidationFilter  - Token found: xxxxxxxxxxxxxxxxx
DEBUG rest.RestTokenValidationFilter  - Trying to authenticate the token
DEBUG rest.RestAuthenticationProvider  - Trying to validate token xxxxxxxxxxxxxxxxx
DEBUG storage.MemcachedTokenStorageService  - Searching in Memcached for UserDetails of token xxxxxxxxxxxxxxxxx
DEBUG storage.MemcachedTokenStorageService  - UserDetails found: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: 
DEBUG rest.RestAuthenticationProvider  - Authentication result: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: N/A; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities
DEBUG rest.RestTokenValidationFilter  - Token authenticated. Storing the authentication result in the security context
DEBUG rest.RestTokenValidationFilter  - Authentication result: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: 
DEBUG rendering.DefaultRestAuthenticationTokenJsonRenderer  - Generated JSON:
 {
   "username": "username",
   "token": "xxxxxxxxxxxxxxxxx",
   "roles": []
}
DEBUG rest.RestTokenValidationFilter  - Actual URI is /authors; validate endpoint URL is /validate
DEBUG rest.RestTokenValidationFilter  - Continuing the filter chain
DEBUG web.FilterChainProxy  - /authors at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG web.FilterChainProxy  - /authors at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /authors; Attributes: [_DENY_]
DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: 
in zero or more steps.
DEBUG access.ExceptionTranslationFilter  - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
Message: Access is denied
    Line | Method
->>   47 | decide             in grails.plugin.springsecurity.access.vote.AuthenticatedVetoableDecisionManager
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
|     88 | processFilterChain in com.odobo.grails.plugin.springsecurity.rest.RestTokenValidationFilter
|     58 | doFilter . . . . . in     ''
|     53 | doFilter           in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
|    108 | doFilter . . . . . in com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationFilter
|     82 | doFilter           in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
|     66 | doFilter . . . . . in com.odobo.grails.plugin.springsecurity.rest.RestLogoutFilter
|     82 | doFilter           in com.brandseye.cors.CorsFilter
|   1145 | runWorker . . . .  in java.util.concurrent.ThreadPoolExecutor
|    615 | run                in java.util.concurrent.ThreadPoolExecutor$Worker
^    744 | run . . . . . . .  in java.lang.Thread
DEBUG context.SecurityContextPersistenceFilter  - SecurityContextHolder now cleared, as request processing completed

Then I looked at the logging with the namespace removed. Everything is the same until I get to the FilterSecurityInterceptor:

DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /authors; Attributes: [IS_AUTHENTICATED_FULLY]
DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: 
in zero or more steps.
DEBUG intercept.FilterSecurityInterceptor  - Authorization successful
DEBUG intercept.FilterSecurityInterceptor  - RunAsManager did not change Authentication object
DEBUG web.FilterChainProxy  - /authors reached end of additional filter chain; proceeding with original chain
DEBUG access.ExceptionTranslationFilter  - Chain processed normally
DEBUG context.SecurityContextPersistenceFilter  - SecurityContextHolder now cleared, as request processing completed

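Can someone explain why I get a DENY when my controller has a namespace? I want to try versioning my web services, and I need namespaces for that. I have been looking at this all day but can't seem to make any progress.

Thanks in advance.

1 answer:

Answer 0: (score: 2)

Namespaced controllers are not supported in the plugin, see http://jira.grails.org/browse/GPSPRINGSECURITYCORE-246. It will probably be implemented in the 2.0 final release.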
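The two log excerpts in the question differ only in the attributes that FilterSecurityInterceptor resolved for /authors. The Python script below is an added example, not part of the original post or of the plugin's code: it pairs each "Secure object" line with the outcome that follows and separates a denial where only `_DENY_` was resolved from a denial by an actual access rule. The sample lines are constructed from the excerpts above, and reading `_DENY_` as "no rule was resolved for this URL" is an assumption based on the answer.

```python
import re

# Constructed sample: trimmed lines modelled on the two excerpts in the question.
SAMPLE_LOG = """\
DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /authors; Attributes: [_DENY_]
DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: RestAuthenticationToken@: Authenticated: true; Details: null
DEBUG access.ExceptionTranslationFilter  - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /authors; Attributes: [IS_AUTHENTICATED_FULLY]
DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: RestAuthenticationToken@: Authenticated: true; Details: null
DEBUG intercept.FilterSecurityInterceptor  - Authorization successful
"""

SECURE_OBJECT = re.compile(
    r"Secure object: FilterInvocation: URL: (?P<url>[^;\s]+); "
    r"Attributes: \[(?P<attrs>[^\]]*)\]"
)

def classify(finding):
    """Name the reason for the outcome of one authorization decision."""
    if finding["outcome"] == "denied":
        # Only the deny marker was resolved: no annotation or rule matched the URL.
        if finding["attributes"] == ["_DENY_"]:
            return "no-rule-resolved"
        return "rule-denied"
    return "rule-granted" if finding["outcome"] == "granted" else "unknown"

def triage(log_text):
    """Return one record per FilterSecurityInterceptor decision in the log."""
    findings, current = [], None
    for line in log_text.splitlines():
        match = SECURE_OBJECT.search(line)
        if match:
            attrs = [a.strip() for a in match["attrs"].split(",") if a.strip()]
            current = {"url": match["url"], "attributes": attrs,
                       "authenticated": None, "outcome": "unknown"}
            findings.append(current)
        elif current is None:
            continue  # ignore filter-chain lines before the first decision
        elif "Previously Authenticated:" in line:
            current["authenticated"] = "Authenticated: true" in line
        elif "Authorization successful" in line:
            current["outcome"] = "granted"
        elif "Access is denied" in line:
            current["outcome"] = "denied"
    for finding in findings:
        finding["cause"] = classify(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["url"], f["attributes"], f["authenticated"], f["cause"])
```

A `no-rule-resolved` result for an already authenticated request points at rule lookup for the controller rather than at the token or the user's roles.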