
I am using the Spring Security plugin in my Grails project. In order to secure the URLs, I am using interceptUrlMap.

My User and Role classes are User.groovy and Role.groovy respectively. Based on these classes, the s2-quickstart script has generated UserController.groovy and RoleController.groovy.

The problem arises when I want to secure UserController.groovy. My requirement is that I cannot permit all users to create a new user. Therefore, certain actions of the UserController need to be blocked for users with the proper role privileges.

However no matter how I try to restrict access, I see that all the actions of UserController are always accessible.

Could anyone please explain where I am going wrong? Any help is highly appreciated.

  • Please share some code. At least `UserController.groovy` and `Config.groovy`. – emilan Dec 09 '14 at 14:21
  • grails.plugin.springsecurity.interceptUrlMap = [ '/':['permitAll'], '/**/js/**':['permitAll'], '/**/css/**':['permitAll'], '/**/images/**':['permitAll'], '/**/data/**':['permitAll'], '/**/favicon.ico':['permitAll'], '/login/**':['permitAll'], '/logout/**':['permitAll'], '/user/edit/**':['ROLE_ADMIN', 'ROLE_MRU', 'ROLE_FINANCE', 'ROLE_PROCUREMENT', 'ROLE_DATABASE_ADMIN'], '/user/**':['ROLE_ADMIN'], ] – Rammohan Dec 09 '14 at 15:05
  • Sorry for the way I posted the code. I did not have sufficient characters to post the entire code. – Rammohan Dec 09 '14 at 15:06
  • The problem is the edit action. As you can see, I have granted permissions for ROLE_MRU to edit a user. But when I try to access the URL /user/edit/1 the access is blocked. I do have a user with id 1, so the URL is perfectly valid. – Rammohan Dec 09 '14 at 15:08
  • As for the UserController.groovy, the control does not even reach the action. I have confirmed this by adding some print statements at the very beginning of the edit action. Nothing is printed out. So the problem has to be Config.groovy. – Rammohan Dec 09 '14 at 15:10
  • @BurtBeckwith - Could you please have a look. I am unable to figure out where I am going wrong. – Rammohan Dec 09 '14 at 15:49
  • Can you confirm this is not an `UrlMappings` issue? If you turn Spring Security off or just include a generic `permitAll` wildcard, is your action available and do the `println` instructions fire? – Gregor Petrin Dec 09 '14 at 16:13
  • Have you mapped the securityConfigType properly? `grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"` – leomeurer Dec 09 '14 at 17:04
  • @Rammohan could you please edit your question and add mentioned code there :) – emilan Dec 09 '14 at 19:26
  • @meurer - Yes, I have mapped `grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"` – Rammohan Dec 10 '14 at 02:48
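Added example (not from the question or from the plugin): a small Python simulation of how an interceptUrlMap like the one posted in the comments is evaluated. The plugin uses the first pattern that matches the request path, so the rule order decides the outcome; with `/user/**` ahead of `/user/edit/**`, ROLE_MRU would be denied the edit action. The Ant-style matcher below is a simplified stand-in for Spring's AntPathMatcher (an assumption), and the map is the one from the comment, retyped as constructed sample data.

```python
import re

# The interceptUrlMap from the question's comments, in the posted order.
# Constructed as a list of (pattern, roles) pairs: order matters because
# the plugin applies the first pattern that matches the request path.
INTERCEPT_URL_MAP = [
    ('/', ['permitAll']),
    ('/**/js/**', ['permitAll']),
    ('/**/css/**', ['permitAll']),
    ('/**/images/**', ['permitAll']),
    ('/**/data/**', ['permitAll']),
    ('/**/favicon.ico', ['permitAll']),
    ('/login/**', ['permitAll']),
    ('/logout/**', ['permitAll']),
    ('/user/edit/**', ['ROLE_ADMIN', 'ROLE_MRU', 'ROLE_FINANCE',
                       'ROLE_PROCUREMENT', 'ROLE_DATABASE_ADMIN']),
    ('/user/**', ['ROLE_ADMIN']),
]

def ant_to_regex(pattern):
    """Simplified Ant-style matcher (assumption: a stand-in for Spring's
    AntPathMatcher): '**' spans any number of path segments, '*' matches
    within a single segment, '?' matches one character."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith('/**/', i):                    # zero or more middle segments
            parts.append('/(?:.*/)?'); i += 4
        elif pattern.startswith('/**', i) and i == len(pattern) - 3:  # trailing /**
            parts.append('(?:/.*)?'); i += 3
        elif pattern.startswith('**', i):
            parts.append('.*'); i += 2
        elif pattern[i] == '*':
            parts.append('[^/]*'); i += 1
        elif pattern[i] == '?':
            parts.append('[^/]'); i += 1
        else:
            parts.append(re.escape(pattern[i])); i += 1
    return re.compile('^' + ''.join(parts) + '$')

def decide(url_map, path, granted_roles):
    """Return (matched_pattern, allowed). The first matching rule decides:
    'permitAll' allows anyone, otherwise the user needs one of the listed
    roles. A path that no rule matches is denied as (None, False)."""
    for pattern, roles in url_map:
        if ant_to_regex(pattern).match(path):
            allowed = 'permitAll' in roles or bool(set(roles) & set(granted_roles))
            return pattern, allowed
    return None, False

if __name__ == '__main__':
    print(decide(INTERCEPT_URL_MAP, '/user/edit/1', ['ROLE_MRU']))  # ('/user/edit/**', True)
    print(decide(INTERCEPT_URL_MAP, '/user/create', ['ROLE_MRU']))  # ('/user/**', False)
```

Swapping the last two rules so that `/user/**` comes first makes the same `/user/edit/1` request fail for ROLE_MRU, which is the ordering mistake worth checking in any interceptUrlMap.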

2 Answers


Better use annotations instead of defining rules in Config.groovy. That helps in two ways: first, hot reloading will always work, and second, you can override any rule easily in Config.groovy. That means you can use both annotations and plain rules in Config.groovy.

So change this in Config.groovy:

grails.plugin.springsecurity.securityConfigType = "Annotation"

and start protecting your controller or actions like:

import grails.plugin.springsecurity.annotation.Secured

// Class-level rule: applies to every action that has no annotation of its own
@Secured(["ROLE_MRU"])
class UserController {

    // Inherits the class-level rule, so ROLE_MRU may edit
    def edit() {
        // action code
    }

    // Action-level rule overrides the class-level one for this action only
    @Secured(["ROLE_ADMIN"])
    def show() {
        // action code
    }
}

I have managed to solve the issue. The problem was that I was editing Config.groovy while the application was still running. Hot deployment was not taking place.

Once I restarted the application, the functionality started working.

Thanks for all the help.
