Grails检查特定控制器操作的角色访问权限 [英] Grails check role access for specific controller action

问题描述

我需要显示/隐藏操作按钮，具体取决于用户是否可以访问（通过角色定义）特定的控制器/操作。我正在使用Spring Security插件。

我的目标是对每个控制器的每个方法使用注解@Secured（ROLE _...），我正在寻找一种方法来检查，在调用动作之前，如果用户有权访问此特定动作。我猜测有办法检查这个，因为注释带来的信息，但我找不到任何解决方案。

在这个例子中，我试图找到HASACCESS方法：

具有@Secured注解的控制器

  class MyExampleController { 
 
 @Secured（ROLE_ADMIN）
 def myMethod（）{do stuff ..} 
 
} 
  

包含de link的HTML代码

 < role：link controller =myExampleaction =myMethod>动作< / role：link> 
  

和我的tagLib角色

  class RoleTagLib {
 static namespace =role
 
 def link = {attrs，body  - > 
 User user =（User）springSecurityService.currentUser 
 if（HASACCESS（user，attrs.controller，attrs.action））{
 out<< g.link（attrs，body）
} 
} 
} 
  

<我发现在此线程 SecurityTagLib中包含的hasAccess（）方法，但此方法受到保护，即使我用我的SecurityTagLib进行扩展时，此方法的调用也会返回没有方法的签名... 。我认为它使用了Config.groovy中定义的interceptUrlMap而不是注释。
$ b 编辑：我成功扩展了安全性tagLib并使用似乎它只使用Config.groovy中包含的interceptUrlMap，并不关心我放在控制器中的注释。

解决方案

好的我找到了一个解决方案。 SecurityTagLib中的方法hasAccess基于Config.groovy中的 grails.plugins.springsecurity.securityConfigType 。我的初始值是 SecurityConfigType.InterceptUrlMap ，然后我将定义每个可访问的URL并指定哪些角色可以在 grails.plugins.springsecurity.interceptUrlMap 中手动访问它们中的每一个

解决方案是将其更改为 SecurityConfigType.Annotation 并将 interceptUrlMap 修改为 staticRules 。然后，hasAccess方法基于控制器中定义的注释，并可以使用由SecurityTagLib包装的tagLib正确隐藏内容。

Config中有代码。 groovy

  grails.plugins.springsecurity.securityConfigType = SecurityConfigType.Annotation 
 grails.plugins.springsecurity.staticRules = [
 ...您的规则...例如：
'/ **'：['ROLE_ADMIN_ACCESS'] 
] 
  

我的tagLib的代码

 类RoleTagLib扩展了SecurityTagLib {
 
 static namespace =role
 
 def link = {attrs，body  - > 
 if（hasAccess（attrs.clone（），link））{
 out<< g.link（attrs，body）
} 
} 
} 
  

我用这个来显示或隐藏我的.gsp文件中的任何链接，这些链接基于为每个控制器的每个动作放置的@Secured注释。

 <角色：link controller =myControlleraction =myAction> 
动作
< / role：link> 
  

I need to display/hide action buttons depending if the user can access (by role definition) the specific controller/action. I'm using Spring Security plugin.

My goal is to used the annotation @Secured("ROLE_...") for every method of each of my controller and I'm looking for a way to check, before calling the action, if the user has access to this specific action. I'm guessing there is way to check this because the annotation brings the information but I cannot find any solution.

In this example I'm trying to find the HASACCESS method:

The controller with the @Secured annotation

    class MyExampleController{

      @Secured("ROLE_ADMIN")
      def myMethod(){ do stuff.. }

    }

The HTML code to include de link

    <role:link controller="myExample" action="myMethod">Action</role:link>

And my tagLib role

    class RoleTagLib {
     static namespace = "role"

      def link = {attrs, body ->
        User user = (User) springSecurityService.currentUser          
        if(HASACCESS(user, attrs.controller, attrs.action)){
          out << g.link(attrs, body)
        }
      }
    }

I found in this thread the "hasAccess()" method contained into the SecurityTagLib but this method is protected and even when I extend the SecurityTagLib with mine the call of this method returns me "No signature of method...". I think it uses the interceptUrlMap defined in Config.groovy and not the annotations anyway.

EDIT: I succeed to extend the security tagLib and use the "hasAccess" method but it seems that it uses only the interceptUrlMap contained in Config.groovy and doesn't care about the annotations I put in my controllers.

解决方案

Ok I found a solution. The method "hasAccess" in SecurityTagLib is based on grails.plugins.springsecurity.securityConfigType in Config.groovy. My initial value was SecurityConfigType.InterceptUrlMap and then I would have defined every url accessible and specify which role can access each of them manually in the grails.plugins.springsecurity.interceptUrlMap

The solution is to change this to SecurityConfigType.Annotation and modify interceptUrlMap to staticRules. Then the method "hasAccess" is based on the annotations defined in the controller and can hide properly the content with my tagLib wrapped from SecurityTagLib.

There is the code in Config.groovy

    grails.plugins.springsecurity.securityConfigType = SecurityConfigType.Annotation
    grails.plugins.springsecurity.staticRules = [
      ... your rules ... for example:
      '/**': ['ROLE_ADMIN_ACCESS'] 
    ]

The code of my tagLib

    class RoleTagLib extends SecurityTagLib {

        static namespace = "role"

        def link = { attrs, body ->
            if (hasAccess(attrs.clone(), "link")) {
                out << g.link(attrs, body)
            }
        }
    }

And I use this to show or hide any link in my .gsp files based on the @Secured annotation put for every action of every controller

    <role:link controller="myController" action="myAction">
      Action
    </role:link>

这篇关于Grails检查特定控制器操作的角色访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！