Grails with SpringSecurity, check if current user can access controller / action

I'm currently developing a menu for my application, which should only display controllers that the current user can access (requestmap defined in the database).

How to check if the current user has access to a specific controller and action?

+7
spring-security grails
8 answers

To test roles in a view: the Spring Security plugin provides ifAllGranted, ifAnyGranted, ifNoneGranted, etc. tags for role checking.

For example, to check whether the logged-in user has the admin role:

 <sec:ifLoggedIn>
     <sec:ifAllGranted roles="ROLE_ADMIN">
         Admin resource
     </sec:ifAllGranted>
 </sec:ifLoggedIn>

(tested in grails-2.2.2 and springSecurityCorePlugin-1.2.7.3)

+6
 // AuthenticateService comes from the old Acegi-based Grails security plugin
 org.grails.plugins.springsecurity.service.AuthenticateService authenticateService = new org.grails.plugins.springsecurity.service.AuthenticateService()
 def isAdmin = authenticateService.ifAllGranted('ROLE_ADMIN')

 if (isAdmin) {
     println 'I am admin'
 }
+4

This question is pretty old, but I thought I would put up at least an answer that seems to work with Grails 2.0. If you use the Spring Security plugin, it contains a tag lib called grails.plugins.springsecurity.SecurityTagLib.

The tag lib has a protected hasAccess() method, which accepts the same attribute map as the g:link tag. So, if you extend SecurityTagLib, you can call hasAccess() and get the desired behavior. Why this is not externalized into a service that can be injected is beyond me, as the functionality seems to fulfill an obvious need.

We use this to wrap the g:link tag and only generate the link if the user has access to the target page:

 def link = { attrs, body ->
     if (hasAccess(attrs.clone(), "link")) {
         out << g.link(attrs, body)
     } else {
         out << body()
     }
 }
+3

When dealing with permissions in views and taglibs, you can use AuthorizeTagLib, which is provided by the plugin.

For example, if you do not want the menu item to appear in your list for unauthenticated users, you can use:

 <g:isLoggedIn>
     <li>Restricted Link</li>
 </g:isLoggedIn>

If you have more specific roles defined and these roles are tied to your controller/action request mapping, you can use other tags, for example:

 <g:ifAllGranted role="ROLE_ADMINISTRATOR">
     <li>Administrator Link</li>
 </g:ifAllGranted>

In my experience, there is still no good way to associate request mapping with your markup - I think you will have to use some of the above tags to restrict access to content in a specific GSP.

I think that Burt Beckwith has a future modification (and currently provides ) for the plugin that incorporates some ACL functionality which may solve this problem better in the future, but at the moment I think the best approach is a hybrid of request map + GSP tags.

+1

Not sure if this was available when the question was originally asked, but now you can check whether the user is in a specific role using SpringSecurityUtils.ifAllGranted(), which takes a single string, a comma-separated list of roles. It returns true if the current user belongs to all of them.

 // plugin 1.x package; in plugin 2.x the class lives in grails.plugin.springsecurity
 import grails.plugins.springsecurity.SpringSecurityUtils

 if (SpringSecurityUtils.ifAllGranted('ROLE_ADMIN,ROLE_USER')) {
     // the current user holds both roles
 }

Obviously, you can just pass one role to the function if that's all you need. SpringSecurityUtils also has methods like ifAnyGranted, ifNotGranted, etc., so it should work no matter what you are trying to do.

SpringSecurityUtils is a static API, so you don't need to create a private member called SpringSecurityUtils or anything like that.

+1

You need to configure the config/SecurityConfig.groovy file (if it does not exist, create it; this overrides the default security configuration).

Add the following:

 requestMapString = """\
     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
     PATTERN_TYPE_APACHE_ANT
     /=IS_AUTHENTICATED_REMEMBERED
     /login/auth=IS_AUTHENTICATED_ANONYMOUSLY
     /login/authajax=IS_AUTHENTICATED_ANONYMOUSLY
     /login/authfail=IS_AUTHENTICATED_ANONYMOUSLY
     /js/**=IS_AUTHENTICATED_ANONYMOUSLY
     /css/**=IS_AUTHENTICATED_ANONYMOUSLY
     /images/**=IS_AUTHENTICATED_ANONYMOUSLY
     /plugins/**=IS_AUTHENTICATED_ANONYMOUSLY
     /**=IS_AUTHENTICATED_REMEMBERED
 """

This means that you must be logged in to use the site, but all static resources (css, js, images, etc.) are available without authentication.

If you need a specific role to enter only a specific controller, for example for UserController:

     /user/**=ROLE_ADMIN
     /role/**=ROLE_ADMIN

For more information: http://www.grails.org/AcegiSecurity+Plugin+-+Securing+URLs

Hi

0

As far as I can tell, there is no easy way to do this.

You can inject an instance of the Grails AuthenticatedVetoableDecisionManager, which is a concrete subclass of Spring's AbstractAccessDecisionManager, by doing the following:

 def accessDecisionManager 

It has a decide method that takes 3 parameters:

 decide(Authentication authentication, Object object, ConfigAttributeDefinition config) 

This is probably the method you will need to call, passing the right arguments, to find out if an authenticated user can access this "object" (which usually looks like a request/response). Some additional digging may be useful here.

In the short term, it is probably easier to use the ifAnyGranted taglib, as another poster mentions.

0
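The hasAccess() approach from the SecurityTagLib answer and the accessDecisionManager.decide() approach from the answer above are two views of the same check: the plugin's SecurityTagLib.hasAccess delegates to Spring Security's DefaultWebInvocationPrivilegeEvaluator, which builds a FilterInvocation for the URL, fetches its ConfigAttributes from the objectDefinitionSource (the database-backed requestmap) and hands them to the accessDecisionManager. The tag lib below, written for this page as an added example and not code from the thread or from the plugin, uses that evaluator directly to render only the menu entries the current user may open. It assumes the bean names webInvocationPrivilegeEvaluator and springSecurityService as registered by the spring-security-core plugin (both assumptions), and the package name, tag namespace and the menu:items tag are invented for illustration.

```groovy
package example   // hypothetical package; the class belongs under grails-app/taglib

import org.springframework.security.core.Authentication

/**
 * Menu tag that renders only the entries whose controller/action the current user
 * is allowed to open. Assumed bean names: 'webInvocationPrivilegeEvaluator'
 * (Spring Security's DefaultWebInvocationPrivilegeEvaluator) and 'springSecurityService'.
 */
class MenuTagLib {

    static namespace = 'menu'     // assumed namespace, purely for illustration

    def webInvocationPrivilegeEvaluator
    def springSecurityService

    /**
     * True when the current user may reach the given controller/action with the
     * given HTTP method. The evaluator looks the URL up in the objectDefinitionSource
     * (your requestmap table) and runs the resulting ConfigAttributes through the
     * accessDecisionManager, i.e. the same decision the security filter makes for a
     * real request.
     */
    boolean canAccess(Map linkAttrs, String method = 'GET') {
        Authentication auth = springSecurityService.authentication
        if (auth == null) {
            return false          // no SecurityContext at all: treat as not allowed
        }
        String contextPath = request.contextPath ?: ''
        // createLink yields "/contextPath/controller/action"; the evaluator expects the
        // path relative to the context, so strip the context path again. The map is
        // copied because tags may consume entries from the attrs they are given.
        String url = g.createLink(new HashMap(linkAttrs)).toString()
        if (contextPath && url.startsWith(contextPath)) {
            url = url.substring(contextPath.length())
        }
        return webInvocationPrivilegeEvaluator.isAllowed(contextPath, url, method, auth)
    }

    /**
     * Usage in a GSP (entries is a list of maps with label, controller and optional action/id):
     *   <menu:items entries="${[[label: 'Users', controller: 'user', action: 'list'],
     *                           [label: 'Home',  controller: 'home']]}"/>
     */
    def items = { attrs ->
        List<Map> entries = (attrs.entries ?: []) as List<Map>
        out << '<ul class="menu">'
        entries.each { Map entry ->
            Map linkAttrs = [controller: entry.controller]
            if (entry.action) linkAttrs.action = entry.action
            if (entry.id)     linkAttrs.id     = entry.id
            if (canAccess(linkAttrs)) {
                // g.link receives the same attribute map, so the rendered href is
                // exactly the URL that was just checked
                out << '<li>' << g.link(new HashMap(linkAttrs)) { entry.label.toString().encodeAsHTML() } << '</li>'
            }
        }
        out << '</ul>'
    }
}
```

Two things worth keeping in mind when using this. Hiding a link is a usability measure, not access control: the request filter still evaluates the requestmap on every request, so a user who types the URL by hand gets the same decision the menu got. And the evaluator reports a URL as allowed when the requestmap has no entry matching it at all, so keep a catch-all `/**` rule like the one in the requestMapString answer above (or, where your plugin version offers it, the rejectIfNoRule setting), otherwise an unmapped controller shows up in every user's menu and, more importantly, is reachable by every user.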

I'm not sure about Groovy, but in Java (so I assume Groovy too...) you could do the following (minus NPE checks):

 // Spring Security 2.x packages; in 3.x both classes live under
 // org.springframework.security.core(.context) and getAuthorities() returns a Collection
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.context.SecurityContextHolder;

 GrantedAuthority[] authorities =
         SecurityContextHolder.getContext().getAuthentication().getAuthorities();
 boolean isAdmin = false;
 for (GrantedAuthority authority : authorities) {
     String role = authority.getAuthority();
     if (role != null && role.equals("ROLE_ADMIN")) {
         isAdmin = true;
         break;
     }
 }

As for knowing if an action is permitted, you need to call the RequestMap service to get the roles for the mapping and see if it contains the user's role.

0
