Grails spring-security static rules for rest resource seems not working properly


Problem description

I have a Grails (2.0.4) application using the Spring Security plugin (version 1.2.7.3) and the secured annotation approach (the default one, more here).

Now, I have these URLs in UrlMapping.groovy with the resource key or the controller/action pair, like this:

class UrlMappings {

    static mappings = {
        "/$controller/$action?/$id?" {
            constraints {
                // apply constraints here
            }
        }

        // other rules, all working properly

        "/api/item/$id?"(resource: 'itemRest')
        '/api/item/batch-delete'(controller: 'itemRest', action: 'batchDelete')
    }
}

The RESTful mapping works perfectly with ItemRestController: every method (show, update, save, delete) is correctly mapped to the proper HTTP method. And the extra method (batchDelete) works as well.

I secured the API URL by doing this:

grails.plugins.springsecurity.controllerAnnotations.staticRules = [
     // ...
     '/something/**': ['IS_AUTHENTICATED_FULLY'],
     '/api/**': ['IS_AUTHENTICATED_FULLY']
]

Now, I get redirected to the login page if I call:

http://host/context/something/bla_bla

But not if I call (with the proper payload, when required):

http://host/context/api/item/batchDelete
http://host/context/api/item/1
http://host/context/api/item

My suspicion is that the static rules are not working properly when mapping the REST controller with the resource key.

Please also note that the "something" URL is not present in the UrlMapping.groovy file.

Any ideas?

Answer

I think you have to use

grails.plugins.springsecurity.controllerAnnotations.staticRules = [
     '/itemrest/**': ['IS_AUTHENTICATED_FULLY'],
      //this will be redundant after the above rule I guess
     '/api/**': ['IS_AUTHENTICATED_FULLY']
]

URLs which are not mapped in UrlMapping have to refer to the controller directly in the rules. Have a look at the warning under controllerAnnotations.staticRules in the docs:

When mapping URLs for controllers that are mapped in UrlMappings.groovy, you need to secure the un-url-mapped URLs. For example, if you have a FooBarController that you map to /foo/bar/$action, you must register that in controllerAnnotations.staticRules as /foobar/**. This is different from the mapping you would use for the other two approaches and is necessary because controllerAnnotations.staticRules entries are treated as if they were annotations on the corresponding controller.
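The security-relevant point in the quoted warning is that a staticRules key which names no controller is not rejected; it simply attaches to nothing, and the endpoint it was meant to protect stays open. The Config.groovy excerpt below is an added example, not code from the question, the answer or the plugin: it places the ineffective '/api/**' entry beside the controller-keyed entry that does work, shows the class-level @Secured annotation that a staticRules entry is treated as equivalent to, and, as a commented alternative, the InterceptUrlMap configuration in which '/api/**' would be the right key because rules there are matched against the request URL. The '/login/**' entry, the IS_AUTHENTICATED_ANONYMOUSLY fallbacks and the empty controller body are assumptions for illustration.

```groovy
// --- grails-app/conf/Config.groovy (excerpt; added example, not from the page) ---
// Annotation approach (the default): each staticRules key is matched against the
// controller's own un-url-mapped path, /<controllerName>/<action>, never against
// the request URL produced by UrlMappings.groovy.

grails.plugins.springsecurity.securityConfigType = "Annotation"

grails.plugins.springsecurity.controllerAnnotations.staticRules = [
    // Ineffective: there is no controller named "api", so this entry is attached
    // to nothing. /api/item, /api/item/1 and /api/item/batch-delete remain
    // reachable without authentication, with no error or warning at startup.
    // '/api/**': ['IS_AUTHENTICATED_FULLY'],

    // Effective: ItemRestController -> /itemrest/**. This covers every action the
    // controller exposes, whichever URL UrlMappings.groovy routes to it.
    '/itemrest/**': ['IS_AUTHENTICATED_FULLY'],

    // Works as written only because /something/** is not remapped in
    // UrlMappings.groovy, so request URL and controller URL coincide.
    '/something/**': ['IS_AUTHENTICATED_FULLY']
]

// Alternative (assumed configuration, not used by the question): key rules by
// request URL instead. Here '/api/**' is the correct key. Entries are checked in
// order and the first match wins, so specific rules go before the '/**' catch-all.
//
// grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
// grails.plugins.springsecurity.interceptUrlMap = [
//     '/api/**':       ['IS_AUTHENTICATED_FULLY'],
//     '/something/**': ['IS_AUTHENTICATED_FULLY'],
//     '/login/**':     ['IS_AUTHENTICATED_ANONYMOUSLY'],
//     '/**':           ['IS_AUTHENTICATED_ANONYMOUSLY']
// ]

// --- grails-app/controllers/ItemRestController.groovy (added example) ---
// What the '/itemrest/**' staticRules entry is equivalent to: the plugin treats
// the entry as if this class-level annotation were present on the controller.
// Putting the annotation here instead keeps the rule next to the code it protects
// and does not depend on spelling the controller path correctly in Config.groovy.
import grails.plugins.springsecurity.Secured

@Secured(['IS_AUTHENTICATED_FULLY'])
class ItemRestController {
    // show, save, update, delete and batchDelete as in the question (bodies omitted)
}
```

The check that the rule actually attached to the controller is the one the question already performs for /something: after the change, an unauthenticated request to each of the three API URLs listed in the question should be redirected to the login page exactly as /something/bla_bla is, including a POST to /api/item/batch-delete, since the class-level rule covers the extra action as well as the resource actions.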
