
Grails Spring Security UI, user and Role management access

I have installed spring-security-core & spring-security-ui, and also added testuser in roleadmin.

When I run the application I get the list of all controllers. The Login controller worked with username & password, but when I click another controller it says

'Sorry, you're not authorized to view this page.'

Do I need to add any other role to get the user and role management UI access?

Plugin versions:

compile ':spring-security-core:2.0-RC2'
compile ":spring-security-ui:1.0-RC1"

Accessing this URL: //127.0.0.1:8080/sec-test/role/search

Here is my screen, after login.

sfgroups asked Nov 22 '13 23:11



3 Answers

First create your roles and test user in BootStrap.groovy:

import springsecurity.User
import springsecurity.Role
import springsecurity.UserRole

class BootStrap {

    def init = { servletContext ->

        def adminRole = new Role(authority: 'ROLE_ADMIN').save(flush: true)
        def userRole = new Role(authority: 'ROLE_USER').save(flush: true)

        def testUser = new User(username: 'testusername', password: '1234')
        testUser.save(flush: true)

        UserRole.create testUser, adminRole, true

        assert User.count() == 1
        assert Role.count() == 2
        assert UserRole.count() == 1

    }
    def destroy = {
    }
}

Then override as suggested:

grails s2ui-override auth
grails s2ui-override layout
grails s2ui-override user package.name
grails s2ui-override role package.name

Finally, add the secured annotations to your controllers, i.e.:

package springsecurity
import grails.plugin.springsecurity.annotation.Secured

@Secured(['ROLE_ADMIN'])
class RoleController extends grails.plugin.springsecurity.ui.RoleController {
}
Wac answered Oct 17 '22 15:10



A better method is to make anonymous registration with these instructions:

grails s2ui-override auth
grails s2ui-override layout
grails s2ui-override user com.myApp
grails s2ui-override role com.myApp
grails s2ui-override register com.myApp

and add this to the Register controller:

import grails.plugin.springsecurity.annotation.Secured

@Secured(['ROLE_ANONYMOUS'])
class RegisterController extends grails.plugin.springsecurity.ui.RegisterController {
}
felleuch answered Oct 17 '22 15:10



By default Grails uses a pessimistic approach for URL locking, which means that it shows the same message "Sorry you are not authorized to view this URL" if that URL is not explicitly whitelisted. Apart from adding @Secured to your controller, you could also add the following to your config/conf.groovy file and whitelist the URL:

'/action':                    ['ROLE_ADMIN']

'/action' = URL to your action. It could also be clubbed with wildcards, e.g.:

'/**/css/**':                 ['permitAll']

['ROLE_ADMIN'] = the role which can access the URL

Ishan Sharma answered Oct 17 '22 15:10

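
The static-rule approach from the last answer, written out for the plugin's management pages. This is an added example, not code from any of the answers; it assumes the rules live in the application's Config.groovy under the plugin's `grails.plugin.springsecurity.controllerAnnotations.staticRules` key, and the choice of paths and roles is an assumption to adapt.

```groovy
// grails-app/conf/Config.groovy (added example; the rule set is an assumption)
// Under pessimistic lockdown a URL with neither a rule here nor an @Secured
// annotation is denied, so each UI controller that should be reachable
// needs its own entry.
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    // Public entry points and static resources
    '/':                    ['permitAll'],
    '/index':               ['permitAll'],
    '/index.gsp':           ['permitAll'],
    '/**/js/**':            ['permitAll'],
    '/**/css/**':           ['permitAll'],
    '/**/images/**':        ['permitAll'],
    '/**/favicon.ico':      ['permitAll'],

    // User and role management screens: administrators only.
    // Never open these with permitAll; they can create users and grant roles.
    '/user/**':             ['ROLE_ADMIN'],
    '/role/**':             ['ROLE_ADMIN'],
    '/registrationCode/**': ['ROLE_ADMIN'],
    '/securityInfo/**':     ['ROLE_ADMIN'],

    // Self-registration must be reachable before login
    '/register/**':         ['permitAll']
]
```

ROLE_ADMIN on the management paths matches the role granted to the test user in the first answer's BootStrap.groovy; a logged-in user without that authority still gets the "not authorized" page.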