Restricting page views with Spring Security in a Grails application

Tags: spring, grails, filter, spring-security

So I have a standard Grails 2.2.1 application using Spring Security Core 1.2.7.3. I have a custom filter that validates a password for a restricted section of the application.

If I hit another restricted URL I can see the Spring filter chain throw the following exception:

Secure object: FilterInvocation: URL: /list; Attributes: [ROLE_USER]

This is correct if the user has not logged in yet, since they have not been assigned a role. The other filter, i.e. the /login URL, restricts access. However, this message is not thrown when the user hits the URL

/press/meta

The application is configured like this:

Config.groovy

grails.plugins.springsecurity.interceptUrlMap = [
    '/landing/**': ['ROLE_USER', 'ROLE_ADMIN'],
    '/press/**':   ['ROLE_USER', 'ROLE_ADMIN'],
    '/list/**':    ['ROLE_USER'],
    '/**':         ['IS_AUTHENTICATED_ANONYMOUSLY']
]
UrlMappings.groovy

class UrlMappings {
    static mappings = {
        "/$controller/$action?/$id?" {
            constraints {
                // apply constraints here
            }
        }
        // view-only mapping: no controller behind it, so nothing to put @Secured on
        "/press/meta"(view: "/meta/index")
    }
}
All my controllers and application functionality work as expected, but when I hit the URL

http://localhost:8080/WebSite/press/meta?pass=password1

it does not restrict access even if the user is not logged in. The custom filter does validate the password though, and if it is correct it lets the user through. The filter returns true/false depending on whether the password is correct.

The log looks like this:

06,02 18:41:51:097 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/press/meta'; to: '/press/meta'
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Candidate is: '/press/meta'; pattern is /**; matched=true
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?pass=password at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
06,02 18:41:51:101 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 5 of 8 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06,02 18:41:51:115 [http-bio-8080-exec-1] DEBUG intercept.FilterSecurityInterceptor - Public object - authentication not attempted
06,02 18:41:51:116 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 reached end of additional filter chain; proceeding with original chain
06,02 18:41:51:151 [http-bio-8080-exec-1] DEBUG portal.AdminFilters - Admin secret matched, proceeding
06,02 18:41:51:553 [http-bio-8080-exec-1] DEBUG access.ExceptionTranslationFilter - Chain processed normally
I am trying to work out what the best practice is here, or whether to do some Spring Security logic in the custom filter and throw an exception if the user does not have the right role, but I would rather let Config.groovy manage it.

Any help or advice would be much appreciated.


J

In Spring Security Core v1.2.7.3 the default
securityConfigType
is Annotation. To activate the URL mappings you defined, you must specify this config parameter:

grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"

Have you tried adding a custom rule for "/press/meta" in Config.groovy?

Yes, that works, but I would like to keep the annotations used throughout the app! The quick fix is to put a controller in front of the view, but changing securityConfigType also works. Thanks.

Have a look at the
controllerAnnotations.staticRules
setting for another way of defining URL access rules.
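As an added example (not code from the original question, the answer, or the comments), here is a Config.groovy that spells out both fixes discussed above: the answer's switch to InterceptUrlMap, and the comment's controllerAnnotations.staticRules alternative for staying in annotation mode while still covering the view-only /press/meta mapping. The role names and URL patterns are the ones from the question; the rejectIfNoRule line is a plugin setting that is not mentioned anywhere on this page and is included only as a hardening step.

```groovy
// Config.groovy -- added example, not from the original post.
//
// Spring Security Core 1.2.x defaults securityConfigType to "Annotation".
// In that mode interceptUrlMap is never consulted, and a URL that maps
// straight to a view ("/press/meta"(view: "/meta/index") in UrlMappings)
// has no controller to carry @Secured, so FilterSecurityInterceptor logs
// "Public object - authentication not attempted" and lets the request
// through to the custom filter. The map below only takes effect once the
// config type actually selects it.

// Fix 1 (the accepted answer): enforce the interceptUrlMap.
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
    '/landing/**': ['ROLE_USER', 'ROLE_ADMIN'],
    '/press/**':   ['ROLE_USER', 'ROLE_ADMIN'],
    '/list/**':    ['ROLE_USER'],
    '/**':         ['IS_AUTHENTICATED_ANONYMOUSLY']
]

// Fix 2 (the staticRules comment): keep @Secured on the controllers and add
// static rules for URLs that have no controller. Use this INSTEAD of Fix 1;
// only one securityConfigType can be active at a time.
//
// grails.plugins.springsecurity.securityConfigType = "Annotation"
// grails.plugins.springsecurity.controllerAnnotations.staticRules = [
//     '/press/**': ['ROLE_USER', 'ROLE_ADMIN']
// ]

// Hardening (not on the original page): deny any URL that matches neither
// an annotation nor a rule, instead of treating it as public.
grails.plugins.springsecurity.rejectIfNoRule = true
```

Whichever fix you apply, verify it by requesting /press/meta without a session: the FilterSecurityInterceptor line in the debug log should change from "Public object - authentication not attempted" to "Secure object: FilterInvocation: URL: /press/meta; Attributes: [ROLE_USER, ROLE_ADMIN]", and the anonymous request should be bounced to the login page before it ever reaches the AdminFilters check. Note also, from the posted log, that FilterChainProxy prints the full query string at DEBUG level, so a password passed as ?pass=... ends up in the application log; sending it in a POST body keeps it out of request logs.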