Grails spring-security static rules for REST resource seem not to be working properly


Problem description

I have a Grails (2.0.4) application using the Spring Security plugin (version 1.2.7.3) and the secured annotation approach (the default one, more here).

Now, I have these URLs in UrlMapping.groovy with the resource key or the controller/action pair, like this:

    "/$controller/$action?/$id?" {
        constraints {
            // apply constraints here
        }
    }

    // other rules, all working properly

    "/api/item/$id?"(resource: 'itemRest')
    '/api/item/batch-delete'(controller: 'itemRest', action: 'batchDelete')

The RESTful mapping works perfectly with ItemRestController: every method (show, update, save, delete) is correctly mapped with the proper HTTP method. And the extra method (batchDelete) works as well.

I secured the API URL by doing this:

    grails.plugins.springsecurity.controllerAnnotations.staticRules = [
         // ...
         '/something/**': ['IS_AUTHENTICATED_FULLY'],   // comma was missing between map entries
         '/api/**': ['IS_AUTHENTICATED_FULLY']
    ]

Now, if I call:

http://host/context/something/bla_bla

But not if I call (with the proper payload, when required):

http://host/context/api/item/batchDelete
http://host/context/api/item/1
http://host/context/api/item

My suspicion is that the static rules are not working properly when mapping the REST controller with the resource key.

Please also note that the "something" URL is not present in the UrlMapping.groovy file.

Any ideas?

Recommended answer

I think you have to use

    grails.plugins.springsecurity.controllerAnnotations.staticRules = [
         '/itemrest/**': ['IS_AUTHENTICATED_FULLY'],
         // this will be redundant after the above rule I guess
         '/api/**': ['IS_AUTHENTICATED_FULLY']
    ]

URLs which are not mapped in UrlMapping have to refer to the controller directly in the rules. Have a look at the warning under controllerAnnotations.staticRules in the docs:

When mapping URLs for controllers that are mapped in UrlMappings.groovy, you need to secure the un-url-mapped URLs. For example, if you have a FooBarController that you map to /foo/bar/$action, you must register that in controllerAnnotations.staticRules as /foobar/**. This is different than the mapping you would use for the other two approaches and is necessary because controllerAnnotations.staticRules entries are treated as if they were annotations on the corresponding controller.
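As an added example (not code from the question or the answer), here are the two ways of expressing the same protection in Config.groovy: the controller-keyed staticRules entry the answer recommends, and the URL-keyed interceptUrlMap alternative that the quoted documentation calls one of the "other approaches". It assumes the ItemRestController and the /api/item mappings from the question; the SomethingController and login URL are assumed for illustration.

```groovy
// Config.groovy (added example, assumes the ItemRestController and the
// /api/item URL mappings shown in the question)

// Approach A: controllerAnnotations.staticRules (the default securityConfigType).
// Every key is treated as if it were a @Secured annotation on the controller that
// the key's *default* URL resolves to, so the key must be the controller's own
// name, not the URL you mapped in UrlMappings.groovy. '/itemrest/**' therefore
// protects ItemRestController however it is reached: /api/item, /api/item/1,
// /api/item/batch-delete and the default /itemRest/... all end up in that controller.
grails.plugins.springsecurity.controllerAnnotations.staticRules = [
    '/itemrest/**':  ['IS_AUTHENTICATED_FULLY'],
    // /something/bla_bla is served by the default "/$controller/$action" mapping,
    // i.e. an (assumed) SomethingController, which is why this URL-shaped key worked.
    '/something/**': ['IS_AUTHENTICATED_FULLY'],
    // '/api/**' would add nothing here: no controller's default URL starts with /api.
]

// Approach B: InterceptUrlMap, where keys are matched against the request URL
// itself, so '/api/**' does cover the resource mapping. Rules are evaluated in
// order and the first match wins, so list specific paths before the catch-all.
// Uncomment to switch (only one securityConfigType is active at a time):
//
// grails.plugins.springsecurity.securityConfigType = 'InterceptUrlMap'
// grails.plugins.springsecurity.interceptUrlMap = [
//     '/api/**':       ['IS_AUTHENTICATED_FULLY'],
//     '/something/**': ['IS_AUTHENTICATED_FULLY'],
//     '/login/**':     ['IS_AUTHENTICATED_ANONYMOUSLY'],   // assumed login URL
//     '/**':           ['IS_AUTHENTICATED_ANONYMOUSLY'],   // explicit catch-all, last
// ]
```

With approach A, a quick check is to request /api/item/1 unauthenticated and confirm it is redirected to the login page; with approach B, the same request must be covered by an entry that precedes '/**', since a later, more permissive rule never overrides an earlier match.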
