【问题标题】:Restricting a page view using spring security in a grails application在grails应用程序中使用spring security限制页面视图
【发布时间】:2014-03-03 22:07:56
【问题描述】:

所以我有一个使用 spring-security-core:1.2.7.3 的标准 grails 2.2.1 应用程序。我有一个自定义过滤器,用于验证应用程序受限部分的密码。

如果我点击另一个受限 URL,我可以看到 spring 过滤器链抛出以下异常

Secure object: FilterInvocation: URL: /list; Attributes: [ROLE_USER]

如果用户尚未登录,这是正确的,因为他们还没有分配角色。其他过滤器,即 /landing URL 正在限制访问。但是,当用户点击 URL 时,这不会被抛出

/press/meta

应用程序是这样配置的;

Config.groovy

grails.plugins.springsecurity.interceptUrlMap = [
    '/landing/**':      ['ROLE_USER','ROLE_ADMIN'],
    '/press/**':        ['ROLE_USER','ROLE_ADMIN'],
    '/list/**':        ['ROLE_USER'],
    '/**':              ['IS_AUTHENTICATED_ANONYMOUSLY']
]

UrlMappings.groovy

"/$controller/$action?/$id?"{
        constraints {
            // apply constraints here
        }
    }
"/press/meta" ( view:"/meta/index" )

我的所有控制器和应用程序功能都按预期工作,但是当我点击 URL 时

http://localhost:8080/WebSite/press/meta?pass=password1

即使用户未登录,它也不会限制访问。但自定义过滤器会验证密码,如果正确,将允许用户继续。如果创建密码,过滤器返回真/假。

日志如下所示;

06,02 18:41:51:097 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/press/meta'; to: '/press/meta'
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Candidate is: '/press/meta'; pattern is /**; matched=true
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?pass=password at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
06,02 18:41:51:101 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 5 of 8 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06,02 18:41:51:115 [http-bio-8080-exec-1] DEBUG intercept.FilterSecurityInterceptor - Public object - authentication not attempted
06,02 18:41:51:116 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 reached end of additional filter chain; proceeding with original chain
06,02 18:41:51:151 [http-bio-8080-exec-1] DEBUG portal.AdminFilters - Admin secret matched, proceeding
06,02 18:41:51:553 [http-bio-8080-exec-1] DEBUG access.ExceptionTranslationFilter - Chain processed normally

我正在尝试找出这里的最佳实践,或者在自定义过滤器中执行一些弹簧安全逻辑,如果用户没有正确的角色抛出异常,但我宁愿让 config.groovy 管理这个!

感谢任何帮助或建议。

J

【问题讨论】:

  • 您是否尝试在 Config.groovy 中为 "/press/meta" 添加自定义规则?

标签: spring grails filter spring-security


【解决方案1】:

在spring-security-core v1.2.7.3中,默认securityConfigType是Annotation。要激活您定义的 URL 映射,您必须指定此配置参数:

grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"

Link to docs

【讨论】:

  • 是的,这可行,但希望保留在整个应用程序中使用的注释!快速修复是在视图前面放置一个控制器,但更改 securitytypeconfig 也可以。谢谢。
  • 查看controllerAnnotations.staticRules 设置以了解另一种定义 URL 访问规则的方法。
猜你喜欢
  • 1970-01-01
  • 2016-01-30
  • 1970-01-01
  • 2013-09-24
  • 2021-08-30
  • 2013-08-26
  • 2016-09-04
  • 2015-03-27
  • 1970-01-01
相关资源
最近更新 更多