I am using Grails 2.3.3 and spring-security-core:2.0-RC4 plugin.

I am trying to protect a controller action by securing it depending on the result of a method call from a service that takes a parameter. This parameter should be something inside the request parameters.

I'd like to be able to do the following:

```groovy
@Secured("@mySecurityService.myCustomCheck(params.id)")
def myAction(){
    //do some things
}
```

I managed to be able to do the following:

```groovy
@Secured("@mySecurityService.myCustomCheck()")
```

but now I have no idea how to access the request parameters that are sent to the controller.

Is it even architecturally possible to reference params variables inside the @Secured notation?

PS: I know you'll ask me to use spring-security-acl plugin. My problem is that it also adds a bunch of other things that I don't think I require.

dosaki

1 Answer

In 2.0 you can use a closure as the annotation's check; there's a brief writeup and example in the docs: https://grails-plugins.github.io/grails-spring-security-core/v2/guide/newInV2.html

You'd express your example as this:

```groovy
@Secured(closure={
    ctx.mySecurityService.myCustomCheck(
       request.getParameter('id'))
})
```

Return true to allow access.

Note that the ApplicationContext is available as the `ctx` variable, and the request as `request`; this is in addition to the other variables and methods that are available when using SpEL (see the Spring Security docs for details). `params` isn't available, but you can access values using `request.getParameter`.

RMorrisey
Burt Beckwith
  • That works but I have done it differently: I managed to call the service with `@mySecurityService`. I had tried to play around with request to see if I could get params in any way but if it isn't available then I'll have to parse the URI of the web request then. – dosaki Oct 31 '14 at 11:03
  • Maybe I didn't explain myself that well, or perhaps I'm missing something. Won't `request.getParameter('id')` only work if the parameter comes like `http://example.com/myController/myAction?id=1`? I have tried like you showed but it didn't work. My id comes like `http://example.com/myController/myAction/id`. – dosaki Oct 31 '14 at 11:18
  • Right, that would be a problem. I'll add in `params` as an available variable for 2.0 final, but for now you can access it with `request['org.codehaus.groovy.grails.WEB_REQUEST'].params` – Burt Beckwith Oct 31 '14 at 11:48
  • Thanks. You've given me enough help to make this work for now. – dosaki Oct 31 '14 at 11:55
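
Putting the answer and the follow-up comment together, as an added example that is not part of the original thread: the closure reads the URL-mapped `id` through the web-request attribute quoted in the comment, and the service denies access on every path except a confirmed ownership match. The `Report` domain class, its `owner` property and the body of `myCustomCheck` are hypothetical; only the `@Secured(closure=...)` form, `ctx`, `request` and the attribute name come from the thread.

```groovy
// grails-app/services/MySecurityService.groovy
class MySecurityService {

    def springSecurityService   // injected by the spring-security-core plugin

    // Object-level check: true only when the id is well formed and the
    // record belongs to the logged-in user. Anything else fails closed.
    boolean myCustomCheck(rawId) {
        String id = rawId?.toString()
        if (!id || !id.isLong()) {
            return false            // missing or non-numeric id from the client
        }
        if (!springSecurityService.isLoggedIn()) {
            return false            // anonymous request
        }
        def user = springSecurityService.currentUser
        if (!user) {
            return false
        }
        // Report and owner are hypothetical names for the protected record
        def report = Report.get(id.toLong())
        if (!report || !report.owner) {
            return false            // unknown record: deny, do not fall through
        }
        return report.owner.id == user.id
    }
}

// grails-app/controllers/MyController.groovy
import grails.plugin.springsecurity.annotation.Secured

class MyController {

    // The id arrives as /myController/myAction/<id>, so it is a URL-mapping
    // parameter and request.getParameter('id') would return null here.
    @Secured(closure = {
        def id = request['org.codehaus.groovy.grails.WEB_REQUEST'].params.id
        ctx.mySecurityService.myCustomCheck(id)
    })
    def myAction() {
        // do some things
    }
}
```

Because the `id` is supplied by the client, the action should load the record with the same id the check saw rather than re-reading it from a different source.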