FilterSecurityInterceptor returns _DENY_ when Grails controller has namespace defined
My environment
- grails:2.3.5
- spring-security-core:2.0-RC2
- spring-security-ldap:2.0-RC2
- spring-security-rest:1.2.3
My simple API works fine with no namespace but starts returning a 403 when I add a namespace to my controller. I get back a 403 even when I pass a valid value for X-Auth-Token.
AuthorController.groovy
package bookstore

import grails.plugin.springsecurity.annotation.Secured
import grails.rest.RestfulController

// The only access rule for this controller is the annotation below; the plugin
// has to resolve the incoming URL to this controller for that rule to apply.
@Secured(['IS_AUTHENTICATED_FULLY'])
class AuthorController extends RestfulController {
    static namespace = "testing"
    static responseFormats = ['json', 'xml']

    AuthorController() {
        super(Author)
    }
}
UrlMappings.groovy
"/authors"(resources:"author", namespace:"testing")
Logging
I turned up the logging on the security code and recorded the following with the namespace in place:
DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG util.AntPathRequestMatcher - Request '/authors' matched by universal pattern '/**'
DEBUG web.FilterChainProxy - /authors at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG web.FilterChainProxy - /authors at position 2 of 10 in additional filter chain; firing Filter: 'RestLogoutFilter'
DEBUG rest.RestLogoutFilter - Actual URI is /authors; endpoint URL is /logout
DEBUG web.FilterChainProxy - /authors at position 3 of 10 in additional filter chain; firing Filter: 'MutableLogoutFilter'
DEBUG web.FilterChainProxy - /authors at position 4 of 10 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
DEBUG rest.RestAuthenticationFilter - Actual URI is /authors; endpoint URL is /login
DEBUG web.FilterChainProxy - /authors at position 5 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG web.FilterChainProxy - /authors at position 6 of 10 in additional filter chain; firing Filter: 'GrailsRememberMeAuthenticationFilter'
DEBUG web.FilterChainProxy - /authors at position 7 of 10 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter'
DEBUG web.FilterChainProxy - /authors at position 8 of 10 in additional filter chain; firing Filter: 'RestTokenValidationFilter'
DEBUG rest.RestTokenValidationFilter - Looking for a token value in the header 'X-Auth-Token'
DEBUG rest.RestTokenValidationFilter - Token found: xxxxxxxxxxxxxxxxx
DEBUG rest.RestTokenValidationFilter - Trying to authenticate the token
DEBUG rest.RestAuthenticationProvider - Trying to validate token xxxxxxxxxxxxxxxxx
DEBUG storage.MemcachedTokenStorageService - Searching in Memcached for UserDetails of token xxxxxxxxxxxxxxxxx
DEBUG storage.MemcachedTokenStorageService - UserDetails found: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities:
DEBUG rest.RestAuthenticationProvider - Authentication result: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: N/A; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities
DEBUG rest.RestTokenValidationFilter - Token authenticated. Storing the authentication result in the security context
DEBUG rest.RestTokenValidationFilter - Authentication result: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities:
DEBUG rendering.DefaultRestAuthenticationTokenJsonRenderer - Generated JSON:
{
"username": "username",
"token": "xxxxxxxxxxxxxxxxx",
"roles": []
}
DEBUG rest.RestTokenValidationFilter - Actual URI is /authors; validate endpoint URL is /validate
DEBUG rest.RestTokenValidationFilter - Continuing the filter chain
DEBUG web.FilterChainProxy - /authors at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG web.FilterChainProxy - /authors at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /authors; Attributes: [_DENY_]
DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities:
in zero or more steps.
DEBUG access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
Message: Access is denied
Line | Method
->> 47 | decide in grails.plugin.springsecurity.access.vote.AuthenticatedVetoableDecisionManager
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 88 | processFilterChain in com.odobo.grails.plugin.springsecurity.rest.RestTokenValidationFilter
| 58 | doFilter . . . . . in ''
| 53 | doFilter in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
| 108 | doFilter . . . . . in com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationFilter
| 82 | doFilter in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 66 | doFilter . . . . . in com.odobo.grails.plugin.springsecurity.rest.RestLogoutFilter
| 82 | doFilter in com.brandseye.cors.CorsFilter
| 1145 | runWorker . . . . in java.util.concurrent.ThreadPoolExecutor
| 615 | run in java.util.concurrent.ThreadPoolExecutor$Worker
^ 744 | run . . . . . . . in java.lang.Thread
DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Then I looked at the logging with the namespace removed. Everything was identical until I got down to the FilterSecurityInterceptor:
DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /authors; Attributes: [IS_AUTHENTICATED_FULLY]
DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities:
in zero or more steps.
DEBUG intercept.FilterSecurityInterceptor - Authorization successful
DEBUG intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
DEBUG web.FilterChainProxy - /authors reached end of additional filter chain; proceeding with original chain
DEBUG access.ExceptionTranslationFilter - Chain processed normally
DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Can someone please explain why I'm getting the DENY when my controller has a namespace. I would like to experiment with versioning my web services and that requires a namespace. I've been looking at this all day and can't seem to make any headway.
Thanks in advance.
There's no support for namespaced controllers in the plugin yet, see http://jira.grails.org/browse/GPSPRINGSECURITYCORE-246. It will probably be implemented for the 2.0 final release.
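Reading the two traces side by side: in both runs the X-Auth-Token is validated and the security context holds an authenticated principal, so the difference is entirely in the authorization step. With the namespace in place the FilterSecurityInterceptor resolves /authors to the attribute _DENY_, which spring-security-core substitutes when no rule matches a URL and rejectIfNoRule is true (the 2.0 default); the annotation-based request map found no rule because, as the answer says, it did not resolve namespaced controllers. That fail-closed default is why the result was a 403 rather than an unprotected endpoint, so switching rejectIfNoRule off would be the wrong fix: the URL has to resolve to a rule. The Python script below is an added example, not code from the question, the plugin or Spring Security. It triages debug logs of this shape by pairing each "Secure object" line with its outcome and classifying a deny as no-rule, unauthenticated, or missing authority. SAMPLE_LOG is constructed: abbreviated lines from the question plus two invented requests (/authors/1 behind a ROLE_ADMIN rule, and an anonymous caller) so every branch is exercised.

```python
"""Triage Spring Security debug logs from Grails spring-security-core 2.x:
pair each FilterSecurityInterceptor decision with its config attributes and
outcome, and flag the plugin's fail-closed `_DENY_` marker.
Added example; not code from the question, the plugin or Spring Security.
SAMPLE_LOG is constructed: abbreviated lines from the question plus two
invented requests (a ROLE_ADMIN rule, an anonymous caller)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Attribute the plugin substitutes for a URL that matches no rule when
# rejectIfNoRule is true (the 2.0 default): fail closed before any voter runs.
NO_RULE_MARKER = "_DENY_"

SECURE_OBJECT = re.compile(
    r"FilterSecurityInterceptor - Secure object: FilterInvocation: "
    r"URL: (?P<url>\S+); Attributes: \[(?P<attrs>[^\]]*)\]"
)
ALLOWED = re.compile(r"FilterSecurityInterceptor - Authorization successful")
DENIED = re.compile(
    r"ExceptionTranslationFilter - Access is denied "
    r"\((?P<who>user is anonymous|user is not anonymous)\)"
)
REQUEST_END = re.compile(r"SecurityContextHolder now cleared")


@dataclass
class Decision:
    url: str
    attributes: List[str]
    outcome: Optional[str] = None     # "allowed" or "denied"
    anonymous: Optional[bool] = None  # only meaningful when denied

    def diagnosis(self) -> str:
        """Classify the decision so the right thing gets fixed."""
        if self.outcome == "allowed":
            return "allowed"
        if NO_RULE_MARKER in self.attributes:
            # No rule matched the URL, so the principal was never consulted.
            # Make the URL resolve to a rule; do not switch rejectIfNoRule off.
            return "denied: no rule matched URL (rejectIfNoRule fail-closed)"
        if self.anonymous:
            return "denied: authentication required"
        return "denied: authenticated but lacks a required authority"


def parse_decisions(log: str) -> List[Decision]:
    """One pass over the log; a decision spans several lines, so the open
    Decision is kept until the context-cleared line ends the request."""
    decisions: List[Decision] = []
    current: Optional[Decision] = None
    for line in log.splitlines():
        m = SECURE_OBJECT.search(line)
        if m:
            attrs = [a.strip() for a in m.group("attrs").split(",") if a.strip()]
            current = Decision(url=m.group("url"), attributes=attrs)
            continue
        if current is None:
            continue
        if ALLOWED.search(line):
            current.outcome = "allowed"
            continue
        d = DENIED.search(line)
        if d:
            current.outcome = "denied"
            current.anonymous = d.group("who") == "user is anonymous"
            continue
        if REQUEST_END.search(line):
            decisions.append(current)
            current = None
    if current is not None:  # log cut off mid-request; keep what we have
        decisions.append(current)
    return decisions


def no_rule_urls(decisions: List[Decision]) -> List[str]:
    """URLs that hit the fail-closed path: check these against UrlMappings."""
    return sorted({d.url for d in decisions if NO_RULE_MARKER in d.attributes})


SAMPLE_LOG = """\
DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /authors; Attributes: [_DENY_]
DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Username: username; Authenticated: true; Granted Authorities:
DEBUG access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /authors; Attributes: [IS_AUTHENTICATED_FULLY]
DEBUG intercept.FilterSecurityInterceptor - Authorization successful
DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /authors/1; Attributes: [ROLE_ADMIN]
DEBUG access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /authors; Attributes: [IS_AUTHENTICATED_FULLY]
DEBUG access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
"""

if __name__ == "__main__":
    decisions = parse_decisions(SAMPLE_LOG)
    for d in decisions:
        print(f"{d.url:<12} {', '.join(d.attributes):<24} {d.diagnosis()}")
    print("no rule matched, check URL mapping/namespace:", no_rule_urls(decisions))
```

Run it against a full debug log (log4j category org.springframework.security at DEBUG, as in the question) and the no_rule_urls list is the set of endpoints whose controller the plugin could not resolve; those need a URL-based rule or a plugin version that understands the namespace, not a weaker rejectIfNoRule.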