Grails 4 中的 Spring Security 没有区分角色

tag-icon tag-icon security
Grails 4 中的 Spring Security 没有区分角色

当我尝试使用 Spring Security 时,我在 Grails 4 中遇到了麻烦。

我已经启动了一个带有 rest api 配置文件的项目,并尝试实现 Spring Security Roles 来区分对我的每个控制器方法的访问。问题是,当我请求没有令牌或使用无效令牌时(例如,如果我随机更改某些字符),我会收到禁止访问。没关系。

但是,我有两个角色:USER 和 USER_ADMIN。这就是我的问题。即使我为特定角色注释,也没关系。如果我使用对其他角色有效的令牌进行请求,则请求成功完成,但我认为正确的是收到未授权(401 或 403)。我不知道问题出在哪里,这就是我在这里寻求帮助的原因。谢谢。

我的控制器

class ApiController {

@Secured(['ROLE_ADMIN'])
def getDocument() {
    def doc = DocumentPropertiesValidationService.getDecryptedDocument(params.id);

    if (doc) {
        render doc as JSON
    } else {
        Map response = ["status": "Document " + params.id + " not found"];
        render response as JSON
    }
}

应用程序.GROOVY

  grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        [pattern: '/api/document/**',    access: ['IS_AUTHENTICATED_FULLY']],
        [pattern: '/api/**',             access: ['IS_AUTHENTICATED_FULLY']],
        [pattern: '/**',                 access: ['IS_AUTHENTICATED_FULLY']]
    ]


    grails.plugin.springsecurity.rest.token.validation.useBearerToken = true
    grails.plugin.springsecurity.rest.token.validation.enableAnonymousAccess = false


    grails.plugin.springsecurity.rest.login.useJsonCredentials  = true
    grails.plugin.springsecurity.rest.token.storage.jwt.useSignedJwt = true
    grails.plugin.springsecurity.rest.token.storage.jwt.secret = 'mySecret'
    grails.plugin.springsecurity.rest.token.storage.jwt.expiration = 60 * 60 * 24

    grails.plugin.springsecurity.securityConfigType = "Annotation"


    grails.plugin.springsecurity.filterChain.chainMap = [
            [pattern: '/api/document/**', filters: 'JOINED_FILTERS'], //,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'],
            [pattern: '/api/**', filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'],
            //[pattern: '/api/**', filters:'JOINED_FILTERS'],//,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter'],
            //[pattern: '/api/document/**', filters:'JOINED_FILTERS'],//,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter'],
            [pattern: '/**', filters:'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter']//,-restTokenValidationFilter,-restExceptionTranslationFilter']
    ]

BUILD.GRADLE SPRING 安全依赖项

compile 'org.grails.plugins:spring-security-core:4.0.0.RC2'
compile "org.grails.plugins:spring-security-rest:3.0.0.RC1"

答案1

如果我没看错的话,我刚刚遇到了这个问题。文档没有将 hasRole() 更改为 hasAuthority() 当我将注释更改为

@Secured(value=["hasAuthority('ROLE_ADMIN')"])

我得到了预期的行为。

相关内容