0

I have successfully set up my Grails application to authenticate the user.

I map controller method arguments using URL params, in my UrlMappings.groovy:

"/$source/owner/$ownerId/show"(controller:"myController", action: "show", method: "GET")

How do I get the values of $source and $ownerId in my @Secured closure?

My controller method looks like this:

@Secured(closure = {
    //null
    def testSource = params.source

    //also null
    def testOwnerId = params.ownerId

    //null
    def owner = request.ownerId

    //null
    def owner2 = request.getParameter('ownerId')

    //contains only query string params
    def grailsParams = request['org.codehaus.groovy.grails.WEB_REQUEST']?.params

    return true
})
def show(String source, String ownerId) {
    ...
}

How do I get these values? What am I doing wrong, here?

I thought that this post would provide a solution, but the answer given there didn't work for me:

Is it possible to hack the spring-security-core plugin @Secured annotation to be able to reference request params given to a controller?

I am using the following grails and plugin versions:

    grails 2.5.1
    compile ":spring-security-core:2.0-RC5"
    compile ":spring-security-rest:1.5.3", {
        excludes 'com.fasterxml.jackson.core:jackson-databind:'
    }
Community
  • 1
  • 1
RMorrisey
  • 7,637
  • 9
  • 53
  • 71
  • what happens if you simply do `def owner = request.ownerId` ? Is that also null? – Gregg Aug 03 '16 at 20:46
  • @Gregg thanks for your reply! But this also returns null. – RMorrisey Aug 03 '16 at 21:03
  • try just `println params` to see if they are at all passed. If they are, you can find out from the array values. – Mike B Aug 03 '16 at 21:18
  • @MikelisBaltruks In the context of the closure, `params` only contains the URL query string parameters, not the URL parameters specified in UrlMappings.groovy. – RMorrisey Aug 03 '16 at 21:26
  • Try printing the `request`. I might have just given you the wrong syntax. You may need to get `getAttribute` on it or something more akin to that actual `HttpServletRequest`. Based on the docs, the request object should be available in all its glory. – Gregg Aug 04 '16 at 01:27

1 Answers1

1

Brief :

Use request.getParameter

Details :

In 2.0 you can use a closure as the annotation's check; there's a brief writeup and example in the docs: https://grails-plugins.github.io/grails-spring-security-core/v2/guide/newInV2.html

You'd express your example as this:

@Secured(closure={
       request.getParameter('ownerId') >=123 //this is example
})

Return true to allow access, false to deny access.

Community
  • 1
  • 1
Abdennour TOUMI
  • 87,526
  • 38
  • 249
  • 254