I am creating my first Grails app and am using the spring-security-core and spring-security-ui. I have locked down controllers that I have created in my application but there is a gaping hole left in the fact that any unauthenticated user can hit the spring-security-ui controllers. What is the proper way to limit access to those controllers to specific roles?
I am considering running s2ui-override on each of those controllers and then implementing secured annotations at the class level. Is this a sound approach?
I generally use annotations for application controllers and static rules in Config.groovy for the controllers provided by plugins like spring-security and spring-security-ui:
// Config.groovy: URL rules for controllers the plugins provide; these take
// precedence over annotations and are the only way to secure controllers
// whose source you do not own.
grails.plugins.springsecurity.controllerAnnotations.staticRules = [
    // ACL admin screens from spring-security-acl / spring-security-ui
    '/aclClass/**': ['ROLE_ADMIN'],
    '/aclSid/**': ['ROLE_ADMIN'],
    '/aclObjectIdentity/**': ['ROLE_ADMIN'],
    '/aclEntry/**': ['ROLE_ADMIN'],
    // spring-security-ui admin screens
    '/persistentLogin/**': ['ROLE_ADMIN'],
    '/requestmap/**': ['ROLE_ADMIN'],
    '/securityInfo/**': ['ROLE_ADMIN'],
    '/registrationCode/**': ['ROLE_ADMIN'],
    '/role/**': ['ROLE_ADMIN'],
    '/user/**': ['ROLE_ADMIN'],
    // the console plugin, if installed
    '/console/**': ['ROLE_ADMIN'],
    // self-registration must stay reachable by unauthenticated users
    '/register/**': ['IS_AUTHENTICATED_ANONYMOUSLY']
]
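The same split applied to an application of your own, as an added example that is not part of the original answer: `@Secured` annotations carry the rules for controllers you write, while `staticRules` in Config.groovy carries the rules for plugin-provided controllers and for the URLs that must stay open. The controller name, action names and the `ROLE_USER` role are assumed for illustration; `rejectIfNoRule` is a Spring Security Core 1.2.x setting that denies any URL without a rule, so once it is on, the login, logout and static-asset paths also need explicit entries.

```groovy
// grails-app/conf/Config.groovy (added example, not the answerer's config)

// Annotations on application controllers plus staticRules for everything else.
grails.plugins.springsecurity.securityConfigType = 'Annotation'

// Deny any URL that has no rule at all, instead of allowing it silently.
// Assumed available from Spring Security Core 1.2.x; default is false.
grails.plugins.springsecurity.rejectIfNoRule = true

grails.plugins.springsecurity.controllerAnnotations.staticRules = [
    // With rejectIfNoRule = true these would otherwise be blocked outright.
    '/':           ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/login/**':   ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/logout/**':  ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/js/**':      ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/css/**':     ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/images/**':  ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/register/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],

    // spring-security-ui controllers: admin only.
    '/user/**':             ['ROLE_ADMIN'],
    '/role/**':             ['ROLE_ADMIN'],
    '/requestmap/**':       ['ROLE_ADMIN'],
    '/registrationCode/**': ['ROLE_ADMIN'],
    '/persistentLogin/**':  ['ROLE_ADMIN'],
    '/securityInfo/**':     ['ROLE_ADMIN']
]
```

```groovy
// grails-app/controllers/ReportController.groovy (added example; the
// controller, its actions and ROLE_USER are assumed, not from the original page)
import grails.plugins.springsecurity.Secured

// Class-level rule: every action requires ROLE_USER unless an action
// overrides it with its own annotation.
@Secured(['ROLE_USER'])
class ReportController {

    // Inherits ROLE_USER from the class.
    def index() {
        render "reports for ${request.userPrincipal?.name}"
    }

    // Action-level annotation replaces the class rule: admins only.
    @Secured(['ROLE_ADMIN'])
    def delete() {
        render "deleted"
    }

    // Explicitly public; without this annotation the class rule would apply.
    @Secured(['IS_AUTHENTICATED_ANONYMOUSLY'])
    def summary() {
        render "public summary"
    }
}
```

After wiring this up, log in as a user without ROLE_ADMIN and request /user/list and /securityInfo directly: both should return 403 rather than the admin screen, and /register should still be reachable while logged out. The securityInfo page itself, once you are an admin, lists the effective URL-to-role mappings, which is a quick way to confirm that no plugin controller has been left without a rule.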