在Grails中使用Pre / Post Spring-Security批注 [英] Using Pre/Post Spring-Security Annotations with Grails
问题描述
我正在使用Grails Spring-Security Plugin和Spring-Security-Core-1.0.1开发一个Grails(1.3.3版)Web应用程序,而Spring-Security-Core-1.0.1又使用spring-security-3.0.2。
我想为控制器中的操作提供基于Spring-Security注解的访问控制。
<我已经能够使用以下注释成功进行基本身份验证:
@Secured(hasAnyRole('ROLE_USER') )
def list = {
...
}
这是有效的 - 只为具有ROLE_USER角色的用户提供对 list action / view的访问。然而,允许哪些角色执行某些控制器操作的集合可能随时间而改变,并且是系统总体状态的函数。也就是说,允许执行给定操作的角色集合可能会由服务或域对象方法返回。
一种方法可能能够执行某些操作这将是使用Spring-Security的基于表达式的访问控制(@Pre和@Post注释),类似于
pre> @PreAuthorize(hasPermission(#contact,'admin'))
public void deletePermission(Contact contact,Sid recipient,Permission permission);
在访问控制决策的例子中,可以访问发送给方法的对象(例如联系人)使用#contact语法。然而,我无法获得@PreAuthorize(或@RolesAllowed)注解来处理Grails控制器操作。如果我使用@PreAuthorize(而不是@Secured,如上所述)注释 list 动作,我会得到以下错误:
注释
@ org.springframework.security.access.prepost.PreAuthorize
不允许使用元素FIELD
这并不奇怪 - 该操作是Groovy闭包(带有可执行代码的字段),而不是方法。但是,我也尝试在方法中使用注解,从闭包调用,如:
def list = {
testMethod()
....
}
@PreAuthorize(hasRole('ROLE_USER'))
public boolean testMethod(){
printlntestMethod succeess
return true;
}
虽然这不会引发任何错误,但它也不会显示提供任何访问控制。 (无论用户是否具有ROLE_USER,都会打印testMethod成功)。
所以,我尝试了一些不同的东西(并阅读文档),但避难所我们无法找到一种使用Grails控制器操作使用@PreAuthorize批注的好方法。这可能吗?在Grails应用程序中使用Spring-Security-Annotations提供访问控制是一种系统状态的函数吗?
您需要使用 ACL插件来使用这些注释,但出于您指出的原因,他们不会在控制器操作上工作。 @Secured的工作原理是我创建了一个Spring Security注解的副本,它允许将它放在字段以及方法和类上,我会查找它们并明确地将它们连接起来。您需要使用您通过控制器拨打的注释服务。
I'm developing a Grails (Version 1.3.3) Web-Application using the Grails Spring-Security Plugin, Spring-Security-Core-1.0.1 (which, in turn, uses spring-security-3.0.2.RELEASE).
I would like to provide Spring-Security annotation-based access control on actions within a controller.
I have been able to successfully do basic authentication using the following annotations:
@Secured("hasAnyRole('ROLE_USER')")
def list = {
...
}
This works - providing access to the list action/view only to those with the ROLE_USER role.
However, the set of which roles are allowed to perform certain controller-actions may change over time and is a function of the system's overall state. That is, the set of roles allowed to perform a given action might be returned by a service or domain-object method.
One way I might be able to do something like this would be to use Spring-Security's "Expression Based Access Control" (@Pre and @Post annotations), something like the example at the Spring Security Documentation:
@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(Contact contact, Sid recipient, Permission permission);
In this example for access control decisions, one can gain access to the objects sent to the method (eg contact) using the #contact syntax.
However, I can't get @PreAuthorize (or @RolesAllowed) annotations to work on a Grails controller-action. If I annotate the list action with @PreAuthorize (rather than @Secured, as above), I get the following error:
Annotation @org.springframework.security.access.prepost.PreAuthorize is not allowed on element FIELD
This isn't surprising -- the action is a Groovy closure (a field with executable code), rather than a method. However, I've also tried using the annotation on methods, called from the closure, like:
def list = {
testMethod()
....
}
@PreAuthorize("hasRole('ROLE_USER')")
public boolean testMethod(){
println "testMethod succeess"
return true;
}
While this doesn't throw any errors, it also doesn't appear to provide any access control. ("testMethod success" is printed whether or not the user has ROLE_USER).
So, I've tried a few different things (and read the documentation), but haven't been able to work out a nice way of using @PreAuthorize annotations with a Grails controller-action. Is this possible? Is there a better way in a Grails app to use Spring-Security-Annotations to provide access-control that is a function of the state of the system?
You need to use the ACL plugin to use those annotations, but they won't work on controller actions for the reasons you point out. @Secured works because I created a copy of the Spring Security annotation that allows it to be placed on fields as well as methods and classes, and I look for them and wire them up explicitly. You'll need to use annotated services that you call from your controllers.
这篇关于在Grails中使用Pre / Post Spring-Security批注的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
