
Grails check role access for specific controller action

I need to display/hide action buttons depending on whether the user can access (by role definition) the specific controller/action. I'm using the Spring Security plugin.

My goal is to use the annotation @Secured("ROLE_...") for every method of each of my controllers and I'm looking for a way to check, before calling the action, if the user has access to this specific action. I'm guessing there is a way to check this because the annotation brings the information but I cannot find any solution.

In this example I'm trying to find the HASACCESS method:

The controller with the @Secured annotation

    class MyExampleController{

      @Secured("ROLE_ADMIN")
      def myMethod(){ /* do stuff.. */ }

    }

The HTML code to include the link

    <role:link controller="myExample" action="myMethod">Action</role:link>

And my tagLib role

    class RoleTagLib {
     static namespace = "role"

      def link = {attrs, body ->
        User user = (User) springSecurityService.currentUser          
        if(HASACCESS(user, attrs.controller, attrs.action)){
          out << g.link(attrs, body)
        }
      }
    }

I found in this thread the "hasAccess()" method contained in the SecurityTagLib but this method is protected and even when I extend the SecurityTagLib with mine the call of this method returns "No signature of method...". I think it uses the interceptUrlMap defined in Config.groovy and not the annotations anyway.

EDIT: I succeeded in extending the security tagLib and using the "hasAccess" method but it seems that it uses only the interceptUrlMap contained in Config.groovy and doesn't care about the annotations I put in my controllers.

Guismos05 asked Mar 19 '23 03:03


1 Answer

Use

    <sec:ifAllGranted roles="ROLE_ADMIN,ROLE_SUPERVISOR">
      secure stuff here
    </sec:ifAllGranted>

or

    <sec:ifAnyGranted roles="ROLE_ADMIN,ROLE_SUPERVISOR">
      secure stuff here
    </sec:ifAnyGranted>

according to the Spring Security Core Grails plugin documentation.

Or simply use the Spring security core taglib with your tag library.

    class RoleTagLib {
      static namespace = "role"

      SpringSecurityService springSecurityService

      def link = { attrs, body ->
        User user = (User) springSecurityService.currentUser
        sec.ifAnyGranted(roles: 'ROLE_ADMIN,ROLE_SUPERVISOR'){
          out << g.link(attrs, body)
        }
      }
    }

saw303 answered Mar 23 '23 14:03
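
A plain-Groovy sketch of the annotation lookup the question asks for, added here as an example; it is not code from either poster or from the Spring Security plugin. The `Secured` annotation is a local stand-in so the script runs without Grails, and `requiredRoles`, `hasAccess` and the sample controllers are hypothetical names.

```groovy
import java.lang.annotation.*

// Local stand-in for the plugin's @Secured (assumption) so this runs without Grails.
@Retention(RetentionPolicy.RUNTIME)
@Target([ElementType.TYPE, ElementType.METHOD])
@interface Secured { String[] value() }

// Constructed sample controllers.
class MyExampleController {
    @Secured("ROLE_ADMIN")
    def myMethod() { }
    def unannotated() { }
}

@Secured(["ROLE_USER", "ROLE_ADMIN"])
class ReportController {
    def list() { }
    @Secured("ROLE_ADMIN")
    def delete() { }
}

// Roles declared for an action; the method-level annotation overrides the
// class-level one. Returns null when the action or a rule is missing.
List<String> requiredRoles(Class controller, String action) {
    def method = controller.declaredMethods.find { it.name == action }
    if (method == null) return null
    def rule = method.getAnnotation(Secured)
    if (rule == null) rule = controller.getAnnotation(Secured)
    return rule == null ? null : rule.value().toList()
}

// Hypothetical hasAccess: any one listed role is enough; an action with no
// rule is treated as not accessible, so its link stays hidden.
boolean hasAccess(Collection<String> userRoles, Class controller, String action) {
    def needed = requiredRoles(controller, action)
    return needed != null && needed.any { it in userRoles }
}

assert hasAccess(["ROLE_ADMIN"], MyExampleController, "myMethod")
assert !hasAccess(["ROLE_USER"], MyExampleController, "myMethod")
assert !hasAccess(["ROLE_ADMIN"], MyExampleController, "unannotated")
assert hasAccess(["ROLE_USER"], ReportController, "list")      // class-level rule
assert !hasAccess(["ROLE_USER"], ReportController, "delete")   // method-level override
assert !hasAccess(["ROLE_ADMIN"], ReportController, "missing")
```

Hiding the link only changes what is rendered; the `@Secured` rule on the action is still what enforces access on the server.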