grails 中的访问控制、角色和权限 [英] access control, role and permission in grails

问题描述

我第一次使用 grails 应用程序，现在我想保护一些页面仅供管理员查看，并授予其他用户一些权限.

I am working on a grails application for the first time and I now want to protect some pages to be viewed only by admins, and give some permissions to other users.

我正在为 grails 使用 Apache Shiro 插件.

I am using Apache Shiro plugin for grails.

我在引导程序中的示例代码如下

My sample code in the bootstrap looks like this

class BootStrap {

def init = { servletContext ->
    def adminRole

    if(ShiroRole.findByName("Admin".isEmpty())){
        adminRole = new ShiroRole(name: "Administrator")
        adminRole.addToPermissions("*:*")
        adminRole.addToPermissions("admin")

        adminRole.save()

//'user' 现在拥有所有管理员权限}

// 'user' now has all administrator rights }

    if (ShiroUser.findAllByUsername("user").isEmpty()) {
        def user = new ShiroUser(username: "user", passwordHash: new Sha256Hash("pass").toHex())
        user.addToPermissions("*:*")
        user.addToRoles(adminRole)

        user.save()

    }

    if (ShiroUser.findAllByUsername("Guest").isEmpty()) {
        def user = new ShiroUser(username: "Guest", passwordHash: new Sha256Hash("pass").toHex())
        user.addToPermissions("inventory:*")
        user.save()
    }


}
def destroy = {
}

}

我的 ShiroSecurityFilters 看起来像

My ShiroSecurityFilters looks like

class ShiroSecurityFilters {
def filters = {
    all(uri: "/**") {
        before = {
            // Ignore direct views (e.g. the default main index page).
            if (!controllerName) return true

            // Access control by convention.
            accessControl()

        }
    }
}

}

我只想让访客"访问库存 脚手架.但是在我的应用程序中，一旦用户Guest"登录，它就可以访问其他控制器，但我不希望这种情况发生.感谢您的帮助.

I wanted to give to "Guest" access to inventory scaffold only. However in my application once the user "Guest" logged in its able to access other controllers butI don't want that to happen. I appreciate your help.

如果有更好的使用 Shiro 角色、访问控制和/或权限，请告诉我.

If there is an better of using Shiro role, access control and/or permissions, please let me know about it.

谢谢

推荐答案

好的.让我们看看...

OK. let's see...

开头有一个错字:

"Admin".isEmpty()

永远是假的......我猜你没有定义假"的角色......

will always be false... and I guess you have no role "false" defined...

您正在寻找管理员"但创建管理员"...

And you are looking for "Admin" but create "Administrator"...

做一个

adminRole.save(flush:true, failOnError:true)

而不是 adminRole.save().这将确保对象确实被保存.

instead of adminRole.save(). This will make sure that the object is really saved.

角色 Administrator 已经拥有所有权限 ("*:*") 并且 "admin" 不是典型的 shiro 权限，所以你可以删除这一行... (adminRole.addToPermissions("admin"))

The role Administrator already has all permissions ("*:*") and "admin" is not a typical shiro permission, so you can drop this line... (adminRole.addToPermissions("admin"))

如果你做了一个

user.addToRoles(adminRole)

您不需要添加 "*:*" 权限.角色已经够了.

you don't need to add the "*:*"permission. The role is already enough.

我现在已经创建了一个测试项目，安装了 shiro，做了一个 create-auth-controller、一个 create-wildcard-realm 和一个 create-过滤器 ShiroSecurity.

I've now created a test project, installed shiro, did a create-auth-controller, a create-wildcard-realm and a create-filters ShiroSecurity.

通过在 Config.groovy 中的 log4j 配置中添加以下两行来激活 BootStrap 和 Shiro-Realm 的日志记录:

Activate logging for BootStrap and Shiro-Realm by adding following two lines to the log4j config in Config.groovy:

debug   'grails.app.conf.BootStrap'
debug   'grails.app.realm'

这是我的 BootStrap.groovy:(有趣的部分)

Here is my BootStrap.groovy: (the interesting part)

def init = { servletContext ->
    def adminRole

    if(ShiroRole.findByName("Administrator")==null){
        adminRole = new ShiroRole(name: "Administrator")
        adminRole.addToPermissions("*:*")
        adminRole.save(flush:true, failOnError:true)
        log.debug adminRole.dump()
    }
    println ShiroUser.findAllByUsername("user").dump()
    log.debug "="*80
    if (ShiroUser.findAllByUsername("user").isEmpty()) {
        def user = new ShiroUser(username: "user", passwordHash: new Sha256Hash("pass").toHex())
        user.addToRoles(adminRole)
        user.save(flush:true, failOnError:true)
        log.debug user.dump()
    }

    if (ShiroUser.findAllByUsername("Guest").isEmpty()) {
        def user = new ShiroUser(username: "Guest", passwordHash: new Sha256Hash("pass").toHex())
        user.addToPermissions("inventory:*")
        user.save(flush:true, failOnError:true)
        log.debug user.dump()
    }

}

和我的 ShiroSecurityFilters.groovy:

and my ShiroSecurityFilters.groovy:

def filters = {
    all(controller:'*', action:'*') {
        before = {
        // Ignore direct views (e.g. the default main index page).
        if (!controllerName) return true

        // Access control by convention.
        accessControl()

        }
    }
}

它有效......

如您所见，我的安全过滤器基于控制器和操作...只是我的偏好...

As you can see, my SecurityFilters are based on controller and action... just my preference...

但我猜你的问题只是基于错误的引导程序.使用 shiro 时，日志记录非常有用...

But I guess your problem was only based on the wrong bootstrap. Logging is very useful when you work with shiro...

这篇关于grails 中的访问控制、角色和权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！