Static security mapping on Grails 2.4.3 with spring-security-core

Date: 2014-12-23 12:01:57

Tags: grails spring-security

Using spring-security-core (2.0-RC4) I am running into a problem with the static security mapping.

'/app/client/**':                  ['IS_AUTHENTICATED_FULLY'],
'/app/items/**':                   ['permitAll'],

and this configuration (even when switching the true/false values)

grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.fii.rejectPublicInvocations = false

When I try to access

/app/items/Books

I get a 403/500 (depending on the configuration parameters). The only way I can get access is when both configuration properties are false, so I end up with an optimistic approach that I intend to avoid.

Is there something wrong with the patterns? Can anyone tell me what might be going on under the hood?

Thanks,

Update:

grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.token.storage.useGorm = true
grails.plugin.springsecurity.rest.token.storage.gorm.tokenDomainClassName = 'com.moviesxd.api.domain.AuthenticationToken'
grails.plugin.springsecurity.rest.token.storage.gorm.tokenValuePropertyName = 'tokenValue'
grails.plugin.springsecurity.rest.token.storage.gorm.usernamePropertyName = 'username'

grails.plugin.springsecurity.securityConfigType = "Annotation"

grails.plugin.springsecurity.rest.token.validation.enableAnonymousAccess = true

//Workaround for weird responses when using a bearer token
grails.plugin.springsecurity.rest.token.validation.useBearerToken = false

grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.login.endpointUrl = '/security/login'
grails.plugin.springsecurity.rest.logout.endpointUrl = '/security/logout'
grails.plugin.springsecurity.rest.login.failureStatusCode = 401
grails.plugin.springsecurity.rest.login.useJsonCredentials = true
grails.plugin.springsecurity.rest.login.usernamePropertyName = 'username'
grails.plugin.springsecurity.rest.login.passwordPropertyName = 'password'
grails.plugin.springsecurity.rest.token.validation.headerName = 'X-Auth-Token'

Update:

'/':                                ['permitAll'],
'/index':                           ['permitAll'],
'/index.gsp':                       ['permitAll'],
'/assets/**':                       ['permitAll'],
'/**/js/**':                        ['permitAll'],
'/**/css/**':                       ['permitAll'],
'/**/images/**':                    ['permitAll'],
'/**/favicon.ico':                  ['permitAll'],

1 Answer:

Answer 0 (score: 0)

Since you are using the rejectIfNoRule property set to true, you have unintentionally blocked access to the root URL, i.e. /. So allow it by modifying the rules like this:

'/':                               ['permitAll'],
'/index':                          ['permitAll'],
'/index.gsp':                      ['permitAll'],
'/app/client/**':                  ['IS_AUTHENTICATED_FULLY'],
'/app/items/**':                   ['permitAll']

Read here for more information. Hope this helps!

Thanks,
SA
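For reference, an added example (not the poster's or the answerer's configuration) of a complete Config.groovy block that keeps the deny-by-default posture (rejectIfNoRule = true) instead of falling back to the "optimistic" both-false setting. With securityConfigType = "Annotation" in spring-security-core 2.0, static rules live under controllerAnnotations.staticRules; the login/logout endpoint paths are the ones from the question, and listing them explicitly is an assumption that the REST filters may or may not answer those paths before the security interceptor does.

```groovy
// grails-app/conf/Config.groovy (added example, assumed layout)
// Deny by default: any URL that matches no rule is rejected, so every
// path that must be reachable has to appear in this map explicitly.
grails.plugin.springsecurity.securityConfigType = "Annotation"
grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.fii.rejectPublicInvocations = false

// REST login/logout endpoints (values taken from the question)
grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.login.endpointUrl = '/security/login'
grails.plugin.springsecurity.rest.logout.endpointUrl = '/security/logout'

// In "Annotation" mode the static rules supplement @Secured annotations.
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    // Root and landing pages: without these, '/' is denied when
    // rejectIfNoRule = true, which is the cause of the 403 in the answer.
    '/':                  ['permitAll'],
    '/index':             ['permitAll'],
    '/index.gsp':         ['permitAll'],

    // Static resources served by the asset pipeline.
    '/assets/**':         ['permitAll'],
    '/**/js/**':          ['permitAll'],
    '/**/css/**':         ['permitAll'],
    '/**/images/**':      ['permitAll'],
    '/**/favicon.ico':    ['permitAll'],

    // Token endpoints: login must be reachable anonymously or no client can
    // ever obtain a token; logout only makes sense for an authenticated caller.
    '/security/login':    ['permitAll'],
    '/security/logout':   ['isAuthenticated()'],

    // Application endpoints from the question.
    '/app/items/**':      ['permitAll'],
    '/app/client/**':     ['IS_AUTHENTICATED_FULLY'],

    // Everything else (e.g. '/dbconsole') stays denied by default.
]
```

If a legitimate path is still rejected, the fix is to add one more entry here rather than to set rejectIfNoRule back to false, which silently opens every unmapped URL.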