Securing actions in Grails 2 rc3


Question

In Config.groovy I decided to secure all actions that have to do with editing content like so:

grails.plugins.springsecurity.interceptUrlMap = [
        '/admin/**'                          : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],

        '/*/create/**'                       : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],
        '/*/save/**'                         : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],
        '/*/update/**'                       : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],
        '/*/edit/**'                         : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],

        '/contactUs/create/new_message.html' : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/**'                                : ['IS_AUTHENTICATED_ANONYMOUSLY']
]

... I just wonder whether this is sufficient, or am I asking for trouble? Or what would be a better/proper way of securing all 'create, save, update, edit' actions in all controllers? Thanks in advance.

Solution

just two thoughts...

  • what about deleting objects? I guess with this config, everybody can delete anonymously
  • and that brings me to my second point: you implement security with a black list (what are the controllers and actions which should not be accessible unauthenticated), but you should implement security through a white list (what are the controllers and actions which are accessible unauthenticated). The second approach would have avoided the 'delete' problem.

PS: I use shiro, so I have no experience with spring security and don't know how to whitelist controllers and actions.
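As an added example of the whitelist the answer recommends (not the asker's or answerer's code; the answerer says he uses Shiro), here is the asker's interceptUrlMap rewritten as default deny for the Grails Spring Security Core plugin. It assumes the plugin matches interceptUrlMap entries top to bottom with the first match winning, and the public paths listed (login, static assets, index/list/show) are a hypothetical set to be replaced by the application's real public pages.

```groovy
// Added example (not from the question or answer): the same rules as a whitelist,
// i.e. default deny, for the Grails Spring Security Core plugin.
// Assumption: entries are matched in order and the first matching pattern wins,
// so the catch-all must stay the last entry.
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"

grails.plugins.springsecurity.interceptUrlMap = [
        // 1. Explicitly public: only what anonymous visitors are meant to reach.
        //    (Hypothetical set; replace with this application's real public pages.)
        '/'                                  : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/index'                             : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/login/**'                          : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/logout/**'                         : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/css/**'                            : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/js/**'                             : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/images/**'                         : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/contactUs/create/new_message.html' : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        // Read-only domain views open to everyone.
        '/*/index'                           : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/*/list/**'                         : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/*/show/**'                         : ['IS_AUTHENTICATED_ANONYMOUSLY'],

        // 2. Admin area, unchanged from the original map.
        '/admin/**'                          : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],

        // 3. Everything not listed above: create/save/update/edit, the delete action
        //    the answer points out, and any action added later all need ROLE_ADMIN.
        //    No per-action rule is required, so nothing can be forgotten.
        '/**'                                : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY']
]
```

After deploying, an anonymous request to a delete URL should redirect to the login page rather than succeed; if it does not, check the entry order, since an earlier wildcard that matches wins over the catch-all.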
