grails-spring-security-rest插件和悲观锁定

时间:2015-02-10 00:24:17

标签: rest grails spring-security grails-plugin

我有一个Grails项目,主要是一个REST API。我定义的端点在没有spring安全性的情况下工作正常,所有url都可以访问并且响应正常。 因此,转向身份验证,我安装了grails-spring-security-rest插件。 这是配置:

Config.groovy中

grails.plugin.springsecurity.filterChain.chainMap = [
        '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter',  // Stateless chain
        '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'                                                                          // Traditional chain
]

grails.plugin.springsecurity.userLookup.userDomainClassName = 'transportados.backend.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'transportados.backend.UserRole'
grails.plugin.springsecurity.authority.className = 'transportados.backend.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':                              ['permitAll'],
    '/index':                         ['permitAll'],
    '/index.gsp':                     ['permitAll'],
    '/**/js/**':                      ['permitAll'],
    '/**/css/**':                     ['permitAll'],
    '/**/images/**':                  ['permitAll'],
    '/**/favicon.ico':                ['permitAll']

UrlMappings.groovy

class UrlMappings {

    static mappings = {
        "/$controller/$action?/$id?(.$format)?"{
            constraints {
                // apply constraints here
            }
        }


        /*******************************************************************************************************************
         ***********************************************  API v1  **********************************************************
         *******************************************************************************************************************/

        // Shipments
        "/api/v1/shipments"(controller: "Shipment", action: [POST: 'save', GET: 'index'], namespace:'v1')
        "/api/v1/shipments/${id}"(controller: "Shipment", action: [PUT: 'update', GET: 'show', DELETE:'delete'], namespace:'v1')

        // Carrier
        "/api/v1/carriers"(controller: "Carrier", action: [POST: 'save', GET: 'index'], namespace:'v1')
        "/api/v1/carriers/${id}"(controller: "Carrier", action: [PUT: 'update', GET: 'show', DELETE:'delete'], namespace:'v1')

        // Item
        "/api/v1/items"(controller: "Item", action: [POST: 'save', GET: 'index'], namespace:'v1')
        "/api/v1/items/${id}"(controller: "Item", action: [PUT: 'update', GET: 'show', DELETE:'delete'], namespace:'v1')

        // Quote
        "/api/v1/quotes"(controller: "Quote", action: [POST: 'save', GET: 'index'], namespace:'v1')
        "/api/v1/quotes/${id}"(controller: "Quote", action: [PUT: 'update', GET: 'show', DELETE:'delete'], namespace:'v1')

        // Review
        "/api/v1/reviews"(controller: "Review", action: [POST: 'save', GET: 'index'], namespace:'v1')
        "/api/v1/reviews/${id}"(controller: "Review", action: [PUT: 'update', GET: 'show', DELETE:'delete'], namespace:'v1')

        // User
        "/api/v1/users"(controller: "User", action: [POST: 'save', GET: 'index'], namespace:'v1')
        "/api/v1/users/${id}"(controller: "User", action: [PUT: 'update', GET: 'show', DELETE:'delete'], namespace:'v1')

        // Vehicle
        "/api/v1/vehicles"(controller: "Vehicle", action: [POST: 'save', GET: 'index'], namespace:'v1')
        "/api/v1/vehicles/${id}"(controller: "Vehicle", action: [PUT: 'update', GET: 'show', DELETE:'delete'], namespace:'v1')

        "/"(view:"/index")
        "500"(view:'/error')
    }
}

资源http://localhost:8080/api/login工作正常,如果凭据正常,则会给我一个有效的令牌。

当尝试使用它来访问以下Controller时,我被FilterSecurityInterceptor拒绝访问

package transportados.backend

import static org.springframework.http.HttpStatus.*
import grails.transaction.Transactional
import grails.plugin.springsecurity.annotation.Secured

@Secured(['ROLE_ADMIN'])
@Transactional(readOnly = true)
class ShipmentController {

    static namespace = 'v1'
    static responseFormats = ['json', 'xml']
    //static allowedMethods = [index: "GET", save: "POST", update: "PUT", delete: "DELETE"]

    def index(Integer max) {
        params.max = Math.min(max ?: 10, 100)
        respond Shipment.list(params), [status: OK]
    }

    def show(Shipment shipment) {
        respond shipment
    }

    @Transactional
    def save(Shipment shipmentInstance) {
        if (shipmentInstance == null) {
            render status: NOT_FOUND
            return
        }

        shipmentInstance.validate()
        if (shipmentInstance.hasErrors()) {
            render status: NOT_ACCEPTABLE
            return
        }

        shipmentInstance.save flush:true
        respond shipmentInstance, [status: CREATED]
    }

    @Transactional
    def update(Shipment shipmentInstance) {
        if (shipmentInstance == null) {
            render status: NOT_FOUND
            return
        }

        shipmentInstance.validate()
        if (shipmentInstance.hasErrors()) {
            render status: NOT_ACCEPTABLE
            return
        }

        shipmentInstance.save flush:true
        respond shipmentInstance, [status: OK]
    }

    @Transactional
    def delete(Shipment shipmentInstance) {

        if (shipmentInstance == null) {
            render status: NOT_FOUND
            return
        }

        shipmentInstance.delete flush:true
        render status: NO_CONTENT
    }
}

这些是日志:

|Server running. Browse to http://localhost:8080/
2015-02-09 21:04:43,549 [http-bio-8080-exec-6] DEBUG matcher.AntPathRequestMatcher  - Checking match of request : '/api/v1/shipments'; against '/api/v1/**'
2015-02-09 21:04:43,550 [http-bio-8080-exec-6] DEBUG web.FilterChainProxy  - /api/v1/shipments at position 1 of 7 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2015-02-09 21:04:43,550 [http-bio-8080-exec-6] DEBUG web.FilterChainProxy  - /api/v1/shipments at position 2 of 7 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
2015-02-09 21:04:43,561 [http-bio-8080-exec-6] DEBUG rest.RestAuthenticationFilter  - Actual URI is /api/v1/shipments; endpoint URL is /api/login
2015-02-09 21:04:43,561 [http-bio-8080-exec-6] DEBUG web.FilterChainProxy  - /api/v1/shipments at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-02-09 21:04:43,561 [http-bio-8080-exec-6] DEBUG web.FilterChainProxy  - /api/v1/shipments at position 4 of 7 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter'
2015-02-09 21:04:43,561 [http-bio-8080-exec-6] DEBUG web.FilterChainProxy  - /api/v1/shipments at position 5 of 7 in additional filter chain; firing Filter: 'RestTokenValidationFilter'
2015-02-09 21:04:43,564 [http-bio-8080-exec-6] DEBUG bearer.BearerTokenReader  - Looking for bearer token in Authorization header, query string or Form-Encoded body parameter
2015-02-09 21:04:43,566 [http-bio-8080-exec-6] DEBUG bearer.BearerTokenReader  - Found bearer token in Authorization header
2015-02-09 21:04:43,567 [http-bio-8080-exec-6] DEBUG rest.RestTokenValidationFilter  - Token found: eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0MjM1MjkwMzAsInN1YiI6Im1lIiwicm9sZXMiOlsiUk9MRV9BRE1JTiJdLCJpYXQiOjE0MjM1MjU0MzB9.CLUxW5reqfnn-UDUtNul7CTRg4O5GIuz4zeY1UghQn
2015-02-09 21:04:43,567 [http-bio-8080-exec-6] DEBUG rest.RestTokenValidationFilter  - Trying to authenticate the token
2015-02-09 21:04:43,581 [http-bio-8080-exec-6] DEBUG rest.RestAuthenticationProvider  - Trying to validate token eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0MjM1MjkwMzAsInN1YiI6Im1lIiwicm9sZXMiOlsiUk9MRV9BRE1JTiJdLCJpYXQiOjE0MjM1MjU0MzB9.CLUxW5reqfnn-UDUtNul7CTRg4O5GIuz4zeY1UghQn
2015-02-09 21:04:43,602 [http-bio-8080-exec-6] DEBUG jwt.JwtTokenStorageService  - Parsed an HMAC signed JWT
2015-02-09 21:04:43,688 [http-bio-8080-exec-6] DEBUG jwt.JwtTokenStorageService  - Successfully verified JWT
2015-02-09 21:04:43,692 [http-bio-8080-exec-6] DEBUG rest.RestAuthenticationProvider  - Authentication result: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@40a2eeba: Principal: org.springframework.security.core.userdetails.User@d98: Username: me; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN
2015-02-09 21:04:43,692 [http-bio-8080-exec-6] DEBUG rest.RestTokenValidationFilter  - Token authenticated. Storing the authentication result in the security context
2015-02-09 21:04:43,692 [http-bio-8080-exec-6] DEBUG rest.RestTokenValidationFilter  - Authentication result: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@40a2eeba: Principal: org.springframework.security.core.userdetails.User@d98: Username: me; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN
2015-02-09 21:04:43,694 [http-bio-8080-exec-6] DEBUG rest.RestTokenValidationFilter  - Continuing the filter chain
2015-02-09 21:04:43,695 [http-bio-8080-exec-6] DEBUG web.FilterChainProxy  - /api/v1/shipments at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-02-09 21:04:43,695 [http-bio-8080-exec-6] DEBUG web.FilterChainProxy  - /api/v1/shipments at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-02-09 21:04:43,696 [http-bio-8080-exec-6] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /api/v1/shipments; Attributes: [_DENY_]
2015-02-09 21:04:43,696 [http-bio-8080-exec-6] DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@40a2eeba: Principal: org.springframework.security.core.userdetails.User@d98: Username: me; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN
2015-02-09 21:04:43,696 [http-bio-8080-exec-6] DEBUG hierarchicalroles.RoleHierarchyImpl  - getReachableGrantedAuthorities() - From the roles [ROLE_ADMIN] one can reach [ROLE_ADMIN] in zero or more steps.
2015-02-09 21:04:43,703 [http-bio-8080-exec-6] DEBUG access.ExceptionTranslationFilter  - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
Message: Access is denied
    Line | Method
->>   47 | decide             in grails.plugin.springsecurity.access.vote.AuthenticatedVetoableDecisionManager
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
|    102 | processFilterChain in com.odobo.grails.plugin.springsecurity.rest.RestTokenValidationFilter
|     68 | doFilter . . . . . in     ''
|     53 | doFilter           in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
|    122 | doFilter . . . . . in com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationFilter
|     82 | doFilter           in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
|   1145 | runWorker . . . .  in java.util.concurrent.ThreadPoolExecutor
|    615 | run                in java.util.concurrent.ThreadPoolExecutor$Worker
^    744 | run . . . . . . .  in java.lang.Thread

关于发生了什么的任何想法?它让我有点疯狂:S

谢谢!

2 个答案:

答案 0 :(得分:0)

UrlMappings中的

名称空间是问题所在。 在urlmappings和控制器中的静态变量“namespace”中删除命名空间定义之后,生活再好了。

答案 1 :(得分:0)

Spring Security Core插件不支持命名空间控制器:https://stackoverflow.com/a/21896846/2923710

或者,您可以使用http://grails-plugins.github.io/grails-spring-security-core/guide/requestMappings.html#configGroovyMap

中指定的Config.groovy中的interceptUrlMap进行尝试