Grails2.4.3上使用spring安全内核的静态安全映射
使用SpringSecurityCore2.0-RC4,我在静态安全映射方面遇到了问题Grails2.4.3上使用spring安全内核的静态安全映射,grails,spring-security,Grails,Spring Security,使用SpringSecurityCore2.0-RC4,我在静态安全映射方面遇到了问题 '/app/client/**': ['IS_AUTHENTICATED_FULLY'], '/app/items/**': ['permitAll'], 这种配置甚至可以切换真/假值 grails.plugin.springsecurity.rejectIfNoRule = true grails.plugin.springsecu
'/app/client/**': ['IS_AUTHENTICATED_FULLY'],
'/app/items/**': ['permitAll'],
这种配置甚至可以切换真/假值
grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.fii.rejectPublicInvocations = false
当我尝试访问
/app/items/Books
根据配置参数,我得到403/500。我可以访问的唯一方法是当两个配置属性都为false时,因此我以乐观的方法结束,我打算避免这种方法
这个图案有什么不好的地方吗?
comeone能告诉我们引擎罩里会发生什么吗
谢谢
更新:
grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.token.storage.useGorm = true
grails.plugin.springsecurity.rest.token.storage.gorm.tokenDomainClassName = 'com.moviesxd.api.domain.AuthenticationToken'
grails.plugin.springsecurity.rest.token.storage.gorm.tokenValuePropertyName = 'tokenValue'
grails.plugin.springsecurity.rest.token.storage.gorm.usernamePropertyName = 'username'
grails.plugin.springsecurity.securityConfigType = "Annotation"
grails.plugin.springsecurity.rest.token.validation.enableAnonymousAccess = true
//Workaround for weird responses when using a bearer token
grails.plugin.springsecurity.rest.token.validation.useBearerToken = false
grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.login.endpointUrl = '/security/login'
grails.plugin.springsecurity.rest.logout.endpointUrl = '/security/logout'
grails.plugin.springsecurity.rest.login.failureStatusCode = 401
grails.plugin.springsecurity.rest.login.useJsonCredentials = true
grails.plugin.springsecurity.rest.login.usernamePropertyName = 'username'
grails.plugin.springsecurity.rest.login.passwordPropertyName = 'password'
grails.plugin.springsecurity.rest.token.validation.headerName = 'X-Auth-Token'
'/': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/assets/**': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll'],
'/**/favicon.ico': ['permitAll'],
更新:
grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.token.storage.useGorm = true
grails.plugin.springsecurity.rest.token.storage.gorm.tokenDomainClassName = 'com.moviesxd.api.domain.AuthenticationToken'
grails.plugin.springsecurity.rest.token.storage.gorm.tokenValuePropertyName = 'tokenValue'
grails.plugin.springsecurity.rest.token.storage.gorm.usernamePropertyName = 'username'
grails.plugin.springsecurity.securityConfigType = "Annotation"
grails.plugin.springsecurity.rest.token.validation.enableAnonymousAccess = true
//Workaround for weird responses when using a bearer token
grails.plugin.springsecurity.rest.token.validation.useBearerToken = false
grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.login.endpointUrl = '/security/login'
grails.plugin.springsecurity.rest.logout.endpointUrl = '/security/logout'
grails.plugin.springsecurity.rest.login.failureStatusCode = 401
grails.plugin.springsecurity.rest.login.useJsonCredentials = true
grails.plugin.springsecurity.rest.login.usernamePropertyName = 'username'
grails.plugin.springsecurity.rest.login.passwordPropertyName = 'password'
grails.plugin.springsecurity.rest.token.validation.headerName = 'X-Auth-Token'
'/': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/assets/**': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll'],
'/**/favicon.ico': ['permitAll'],
由于您使用的是设置为true的rejectIfNoRule属性,因此您无意中阻止了对根url(即at/)的访问。因此,通过如下方式修改规则来允许该规则:
'/': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/app/client/**': ['IS_AUTHENTICATED_FULLY'],
'/app/items/**': ['permitAll']
阅读更多信息。
希望这有帮助
谢谢,
SA该模式似乎没有数学化,因为它的行为类似于触发ifNoRule约束。。。但是不明白为什么。模式不应该包括应用程序的名称。例如/clients/**和/items/**应用程序不是我的应用程序的名称。。。只是我想组织我的API调用,只是一个常见的错误。另外,最好在问题中包含所有的安全配置。是否有一个好的方法来调试它,以了解为什么它不符合我的预期?谢谢。。。但是,我已经声明这些资源为permitAll。我在问题文本中放置了一个更新。好的,您的/映射到index.gsp还是其他?或者您可以访问您的根URL吗?