1

I have upgraded Grails and Spring Security to latest (3.3.0.RC1 and 3.2.0.M1 respectively) by following all of the migration paths but now my annotations no longer work. Control follows through to my not authorised callback (grails.plugin.springsecurity.adh.errorPage). I have my own list of enum backed Permissions that I use to populate my list of authorities which are being correctly loaded for my user object but they no longer work in my annotations using the hasRole expression as follows;

@Secured(["hasAnyRole('PERM_VIEW_REPORTS'"])

other expressions are working fine such as the following

@Secured("authentication.name == 'sys_admin'")
@Secured("hasRole('PERM_VIEW_REPORTS')")

I don't suppose anyone has had any similar experience with the latest Spring Security release for Grails. Remember the above has worked perfectly until I upgraded but I don't see anything in the migration path that suggests there might be a problem with this system. Thanking for any suggestions in advance.

dre
  • 1,027
  • 1
  • 11
  • 31

2 Answers2

2

This came down to the "ROLE_" prefix being mandatory again in the new Spring Security 3.2.0.M1 release. As can be seen from above, I had being using a "PERM_" prefix up to now to indicate that I'm using a permission based instead of role based paradigm.

I'm hoping to add this to the migration guide for the plugin as it's a major omission AFAIC. I would hope this would become a configuration option for the plugin in a future release.

EDIT:

It turns out Spring Security have introduced new methods hasAuthority() and hasAnyAuthority() which do not use the default role prefix and so can be used in place of hasRole() and hasAnyRole().

I have forked and updated the Spring Security docs for 3.2 and sent a pull request.

dre
  • 1,027
  • 1
  • 11
  • 31
1

Please try with 

@Secured ('ROLE_USER')

If you're trying to secured with more than one Role 

@Secured(['ROLE_USER','ROLE_ADMIN'])
Dónal
  • 185,044
  • 174
  • 569
  • 824
Trainee
  • 57
  • 1
  • 7