[英]Grails Acegi plugin annotations
I'm using the annotations provided by the Spring Security (AKA Acegi) plugin. 我正在使用Spring Security(AKA Acegi)插件提供的注释。 I have controller actions annotated with
我有注释的控制器动作
@Secured(['ROLE_ADMIN', 'ROLE_USER'])
To indicate that they should be available to administrators and regular users. 表示管理员和常规用户应该可以使用它们。 But now I need to indicate that an action is available to administrators and unregistered users.
但是,现在我需要指出一个操作可供管理员和未注册用户使用。 Is it possible to use annotations to indicate a user without any role, ie unregistered?
是否可以使用注释来指示没有任何角色(即未注册)的用户?
Thanks, Don 谢谢唐
The token for that is IS_AUTHENTICATED_ANONYMOUSLY which means anyone whether logged in or not. 令牌为IS_AUTHENTICATED_ANONYMOUSLY,表示无论是否登录的任何人。 IS_AUTHENTICATED_REMEMBERED means anyone logged in with a remember-me cookie or via explicit login, and IS_AUTHENTICATED_FULLY means logged in via explicit login (not using cookie).
IS_AUTHENTICATED_REMEMBERED表示使用“记住我” cookie或通过显式登录名登录的任何人,而IS_AUTHENTICATED_FULLY表示通过显式登录(不使用cookie)登录的任何人。
If you annotate your action with 如果您用
@Secured(['IS_AUTHENTICATED_ANONYMOUSLY'])
then it'll allow anyone to access that action. 那么它将允许任何人访问该操作。 You can combine these special tokens with roles, so for example to allow admin-only but force a username/password login even if the user has a remember-me cookie you'd use
您可以将这些特殊令牌与角色结合使用,例如,以允许仅管理员身份使用,但即使用户拥有您要使用的“记住我的Cookie”,也可以强制使用用户名/密码登录
@Secured(['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'])
Here's a solution that requires that you not be logged in, or that you have ROLE_ADMIN. 这是一个解决方案,要求您不登录或具有ROLE_ADMIN。 You need a custom voter that processes a new 'IS_NOT_AUTHENTICATED' token:
您需要一个处理新的“ IS_NOT_AUTHENTICATED”令牌的自定义投票器:
package com.burtbeckwith.grails.springsecurity
import org.springframework.security.Authentication
import org.springframework.security.AuthenticationTrustResolverImpl
import org.springframework.security.ConfigAttribute
import org.springframework.security.ConfigAttributeDefinition
import org.springframework.security.vote.AccessDecisionVoter
class NotLoggedInVoter implements AccessDecisionVoter {
private authenticationTrustResolver = new AuthenticationTrustResolverImpl()
int vote(Authentication authentication, object, ConfigAttributeDefinition config) {
for (configAttribute in config.configAttributes) {
if (supports(configAttribute)) {
if (authenticationTrustResolver.isAnonymous(authentication)) {
// allowed if not logged in
return ACCESS_GRANTED
}
for (authority in authentication.authorities) {
if ('ROLE_ADMIN' == authority.authority) {
// allowed if logged in as an admin
return ACCESS_GRANTED
}
}
}
}
return ACCESS_DENIED
}
boolean supports(ConfigAttribute attribute) {
'IS_NOT_AUTHENTICATED' == attribute?.attribute
}
boolean supports(Class clazz) {
true
}
}
Register this as a bean in resources.groovy: 在resources.groovy中将其注册为bean:
beans = {
notLoggedInVoter(com.burtbeckwith.grails.springsecurity.NotLoggedInVoter)
}
and add it to the voters list in SecurityConfig.groovy by setting the 'decisionVoterNames' property: 并通过设置'decisionVoterNames'属性将其添加到SecurityConfig.groovy中的投票者列表中:
decisionVoterNames = ['notLoggedInVoter', 'authenticatedVoter', 'roleVoter']
and annotate your controller action with this: 并以此注释您的控制器操作:
@Secured(['IS_NOT_AUTHENTICATED'])
and it'll only allow non-authenticated users and authenticated users with ROLE_ADMIN. 并且仅允许未经身份验证的用户和具有ROLE_ADMIN的身份验证的用户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.