Grails, Spring Security Core - remove /login/auth from application


Problem description



    I installed Spring Security Core in my Grails application and set it up using s2-quickstart. I want '/' to handle login and logout actions. For me that means a user who is not logged in is able to access only the root page and nothing else. Practically, everything except '/' should be blocked for users without the role 'ROLE_ADMIN'.

    I added a login form on the root page and set the following configuration in Config.groovy:

    grails.plugin.springsecurity.auth.loginFormUrl = '/'
    grails.plugin.springsecurity.auth.ajaxLoginFormUrl = '/'
    grails.plugin.springsecurity.failureHandler.defaultFailureUrl = '/'
    grails.plugin.springsecurity.failureHandler.ajaxAuthFailUrl = '/'
    grails.plugin.springsecurity.logout.postOnly = false
    grails.plugin.springsecurity.userLookup.userDomainClassName = 'adminpanel.security.SecUser'
    grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'adminpanel.security.SecUserSecRole'
    grails.plugin.springsecurity.authority.className = 'adminpanel.security.SecRole'
    grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        '/':                              ['permitAll'],
        '/index':                         ['permitAll'],
        '/index.gsp':                     ['permitAll'],
        '/**/js/**':                      ['permitAll'],
        '/**/css/**':                     ['permitAll'],
        '/**/images/**':                  ['permitAll'],
        '/**/favicon.ico':                ['permitAll']
    ]
    

    I set @Secured(['ROLE_ADMIN']) on every controller of mine and added something like this to my index.gsp:

    <head>
        <sec:ifAllGranted roles="ROLE_ADMIN">
            <meta name="layout" content="main"/>
        </sec:ifAllGranted>
        <sec:ifNotGranted roles="ROLE_ADMIN">
            <meta name="layout" content="login"/>
        </sec:ifNotGranted>
        <title>Home Page - Admin Panel</title>
    </head>
    

    There are two problems:

    1. The configuration works as I expected, but when I type in the browser: localhost:8080/AdminPanel/login/auth the page still exists and I can access it even as a logged-out user. I want to remove this URL completely; neither a logged-in nor a logged-out user should be able to access it.

    2. Even if the user is logged out, the /login/auth view is rendered using the "main" layout, despite the fact that I have the code I mentioned above in my index.gsp, which should change the layout to "login". Why?

    Thanks in advance!

    Solution

    /login/auth works because of the "/$controller/$action?/$id?" mapping in UrlMappings. All controllers are auto-mapped because of this. One option is to remove this, but that means that you have to then explicitly map all controllers. There are benefits to this, and the grails.org app uses this approach.

    You can't un-map an auto-mapped controller, but you can re-map it to something that sends a 404, and this looks the same to the user. One way is with a Grails filter, e.g. run grails create-filters site and put this in SiteFilters.groovy:

    package com.foo.bar
    
    class SiteFilters {
    
       def filters = {
          // matches every URL the default "/$controller/$action?/$id?" mapping
          // routes to LoginController (/login/auth, /login/authAjax, ...)
          loginUnmap(uri: '/login/**') {
             before = {
                response.status = 404
                false   // stop the chain: the controller action is never invoked
             }
          }
       }
    }
    

    I'm not 100% sure about the layout issue, but I think that the problem is that meta tags are handled specially by SiteMesh. The page is parsed to determine which layout to use, and then parts of your GSP are merged into the layout, so it's not surprising to me that using runtime tags like <g:if> doesn't work like you might want.
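    The filter approach from the answer, as an added example that is not part of the original question or answer, together with the Config.groovy changes it forces. It assumes Grails 2.x with spring-security-core 2.x (the grails.plugin.springsecurity prefix used in the question); the package com.foo.bar is the answer's placeholder, and the 2.x defaults quoted in the comments should be checked against the installed plugin version.

```groovy
// ---- grails-app/conf/com/foo/bar/SiteFilters.groovy ----
// Added example; package name is the placeholder from the answer above.
package com.foo.bar

class SiteFilters {

    def filters = {
        // Every URL the "/$controller/$action?/$id?" mapping routes to
        // LoginController (/login, /login/auth, /login/authAjax, /login/denied,
        // /login/full, ...) is answered with a 404 before any action runs.
        // Returning false from before() stops the chain, so no view renders.
        loginUnmap(uri: '/login/**') {
            before = {
                // sendError() rather than response.status = 404 so the servlet
                // container's error-page handling is used and the response
                // looks like any other unmapped URL in this application.
                response.sendError(404)
                false
            }
        }
    }
}

// ---- grails-app/conf/Config.groovy (additions to the question's block) ----

// Plugin defaults that still point under /login/ and would now 404:
// the access-denied redirect for an authenticated user who lacks ROLE_ADMIN.
// '/' mirrors the question's choice for the other redirect targets;
// null instead returns a bare 403 without a redirect.
grails.plugin.springsecurity.adh.errorPage = '/'         // 2.x default: '/login/denied'
grails.plugin.springsecurity.adh.ajaxErrorPage = '/'     // 2.x default: '/login/ajaxDenied'

// Weak setting from the question: with postOnly = false a plain GET to the
// logout URL ends the session, so any page the admin visits can log them
// out with an <img src="..."> pointing at it.
// grails.plugin.springsecurity.logout.postOnly = false
// Corrected: keep the plugin default and log out with a POST form whose
// action is logout.filterProcessesUrl ('/logoff' in 2.x) instead of the
// GET redirect in the LogoutController that s2-quickstart generates.
grails.plugin.springsecurity.logout.postOnly = true
```

    The login POST itself is unaffected by the filter: apf.filterProcessesUrl ('/login/authenticate' in 2.x) is consumed by Spring Security's servlet filter chain, which runs before any Grails filter, so only requests that would actually reach LoginController are turned into 404s. Once the filter is in place the layout question no longer arises, because the page at /login/auth is rendered from grails-app/views/login/auth.gsp, the view s2-quickstart generates with its own layout meta tag, and that view is never reached. To check: curl -i against /login/auth should return 404 for both anonymous and logged-in sessions, while a form POST to /login/authenticate should still produce the plugin's redirect.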
