
Grails Acegi security: Problem with roles and access

sad end to this story

Well, as it turns out, the compareTo method in my Role class (Role implements GrantedAuthority) was always returning 0. So each user had only one role (since they are stored in a Set).

The problem

Hi everyone,

I'm having some strange behaviour in my application.

I've added a couple of fields to the User class (created by Acegi), so I can set an expired password, record the last N passwords, stuff like that. We have 9 roles, ROLE_ADMIN being the "superuser" that can access all the functionality.

After deploying the app, users started complaining that they can't use it. They are able to log in, but whenever they want to go somewhere, they get access denied, as if they didn't have the Role.

This happens to every User except the administrator (who only has ROLE_ADMIN), including those with ROLE_ADMIN + other roles.

I can't even think where to start.

update

I've checked, and users are coming from the database with the roles attached.

Roles are checked in the SecurityConfig.groovy file. I'm afraid that the problem is elsewhere, since I have a tagged version of the project that actually works.

Here's my SecurityConfig.groovy:

import com.mycompany.myapp.audit.Auditoria

security {

    // see DefaultSecurityConfig.groovy for all settable/overridable properties

    active = true

    loginUserDomainClass = "com.mycompany.myapp.user.User"
    authorityDomainClass = "com.mycompany.myapp.user.Role"
    requestMapClass = "com.mycompany.myapp.user.Requestmap"

    useRequestMapDomainClass = false

    /** authenticationEntryPoint */
    loginFormUrl = '/login/auth'
    forceHttps = 'false'
    ajaxLoginFormUrl = '/login/authAjax'
    authenticationFailureUrl = '/login/authfail'


    afterLogoutUrl = '/login/auth'

    requestMapString = """\
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT

            /=IS_AUTHENTICATED_REMEMBERED
            /login/auth=IS_AUTHENTICATED_ANONYMOUSLY
            /login/authajax=IS_AUTHENTICATED_ANONYMOUSLY
            /login/authfail=IS_AUTHENTICATED_ANONYMOUSLY
            /login/renew=IS_AUTHENTICATED_ANONYMOUSLY
            /js/**=IS_AUTHENTICATED_ANONYMOUSLY
            /css/**=IS_AUTHENTICATED_ANONYMOUSLY
            /images/**=IS_AUTHENTICATED_ANONYMOUSLY
            /plugins/**=IS_AUTHENTICATED_ANONYMOUSLY


            /scan/uploadfile=IS_AUTHENTICATED_ANONYMOUSLY
            /ticket/uploadfile=IS_AUTHENTICATED_ANONYMOUSLY
            /analisis/list =ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_OP_FUNCIONAL, ROLE_ADMIN
            /analisis/hazzards/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_OP_FUNCIONAL, ROLE_ADMIN
            /analisis/show/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
            /analisis/create/**=ROLE_SUP_TECNICO, ROLE_ADMIN
            /analisis/edit/**=ROLE_SUP_TECNICO,ROLE_ADMIN
            /hazzardsreport/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_OP_FUNCIONAL, ROLE_REPORTE_VULNERABILIDAD, ROLE_ADMIN
            /mistaken/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
            /hazzardtype/**=ROLE_SUP_TECNICO, ROLE_ADMIN

            /** MODULO NORMAS */
            /report/**=ROLE_OP_FUNCIONAL, ROLE_ADMIN
            /norm/**=ROLE_OP_FUNCIONAL, ROLE_ADMIN

            /** TICKETS */
            /ticket/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
            /alert/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
            /ticket/uploadfile=IS_AUTHENTICATED_ANONYMOUSLY

            /** RISKS */
            /project/**=ROLE_AN_RIESGOS, ROLE_ADMIN
            /riskreport/**=ROLE_AN_RIESGOS, ROLE_ADMIN, ROLE_REPORTE_RIESGO

        /** BUSINESS CONTINUITY*/
            /projectpcn/**=ROLE_AN_PCN, ROLE_ADMIN
        /businessuniteval/** = ROLE_AN_PCN, ROLE_ADMIN
        /subprocesseval/** = ROLE_AN_PCN, ROLE_ADMIN
        /failscenario/**=ROLE_AN_PCN, ROLE_ADMIN
        /strategy/**=ROLE_AN_PCN, ROLE_ADMIN
        /test/**=ROLE_AN_PCN, ROLE_ADMIN
        /reportepcn/**=ROLE_AN_PCN, ROLE_ADMIN, ROLE_REPORTE_PCN
        /process/**=ROLE_AN_PCN, ROLE_ADMIN


        /** ADMIN */
            /user/changeent=IS_AUTHENTICATED_REMEMBERED
            /user/finduser=IS_AUTHENTICATED_REMEMBERED
            /user/**=ROLE_ADMIN
            /role/**=ROLE_ADMIN
            /requestmap/**=ROLE_ADMIN
        /empresa/**=ROLE_ADMIN
        /asset/**=ROLE_ADMIN, ROLE_SUP_TECNICO, ROLE_OP_TECNICO
        /responsable/**=ROLE_ADMIN
        /preference/**=ROLE_ADMIN
        /businessunit/**=ROLE_ADMIN, ROLE_AN_PCN


            /**=IS_AUTHENTICATED_REMEMBERED
        """


    useSecurityEventListener = true

    onInteractiveAuthenticationSuccessEvent = { e, appCtx ->
        Auditoria.log(e.getSource().getPrincipal().getDomainClass(), "Usuario autenticado - " + e.getSource().getDetails().getRemoteAddress())
    }

}

update - log verbosity and no comments/newlines

Hi, after updating my SecurityConfig.groovy, the error continues. However, I've retrieved this log line. I tried to access /norm/index with a user that has all 9 roles assigned to them.

DEBUG 28/Dec/2010 00:12:57,110 [http-8080-3] Secure object: FilterInvocation: URL: /norm/index; ConfigAttributes: [ROLE_OP_FUNCIONAL,ROLE_ADMIN]

org.springframework.security.intercept.AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@a00c7ad6: Principal: com.baufest.insside.security.UserLoginDetails@0: Username: someuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_OP_TECNICO; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@0: Granted Authorities: ROLE_OP_TECNICO

DEBUG 28/Dec/2010 00:12:57,110 [http-8080-3] org.springframework.security.ui.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler

From what I read here, it seems that my User is only getting 1 role, even though when I debug it, user.authorities has all 9 roles assigned to it.

Any thoughts will be appreciated. Thanks in advance.
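The resolution at the top of the post (a compareTo that always returns 0 collapsing the user's roles to one) comes down to a property of sorted collections: a java.util.TreeSet decides membership with compareTo, not equals(), so two elements that compare as 0 are treated as the same element and only the first inserted one is kept. The following is an added example, not code from the original post or from the Grails Acegi plugin: the BrokenRole and FixedRole classes are hypothetical stand-ins for the poster's Role domain class (they implement plain Comparable rather than GrantedAuthority so that the example compiles with only the JDK), the role names are taken from the posted requestMapString, and the insertion order is constructed so that ROLE_OP_TECNICO is loaded first, matching the single authority seen in the posted log line.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example (not from the original post): why a compareTo that always
 * returns 0 collapses a role collection held in a sorted Set, and why the
 * request-map check for /norm/** then fails for a user who really has
 * ROLE_OP_FUNCIONAL in the database.
 */
public class RoleCompareToDemo {

    /** Hypothetical stand-in for the poster's broken Role: compareTo ignores the authority. */
    static final class BrokenRole implements Comparable<BrokenRole> {
        final String authority;
        BrokenRole(String authority) { this.authority = authority; }
        // Every role compares as "equal", so a TreeSet keeps only the first one added.
        public int compareTo(BrokenRole other) { return 0; }
        @Override public String toString() { return authority; }
    }

    /** Hypothetical fixed Role: ordering and distinctness are defined by the authority name. */
    static final class FixedRole implements Comparable<FixedRole> {
        final String authority;
        FixedRole(String authority) { this.authority = authority; }
        public int compareTo(FixedRole other) { return authority.compareTo(other.authority); }
        // equals/hashCode kept consistent with compareTo so HashSet and TreeSet behave alike.
        @Override public boolean equals(Object o) {
            return o instanceof FixedRole && authority.equals(((FixedRole) o).authority);
        }
        @Override public int hashCode() { return authority.hashCode(); }
        @Override public String toString() { return authority; }
    }

    /** Constructed load order (assumption): whatever the database hands back first survives. */
    static final List<String> LOADED_ROLE_NAMES = Arrays.asList(
            "ROLE_OP_TECNICO", "ROLE_OP_FUNCIONAL", "ROLE_SUP_TECNICO", "ROLE_ADMIN");

    /** Roles as the broken class stores them in a sorted Set: one element survives. */
    static Set<BrokenRole> brokenRoleSet() {
        Set<BrokenRole> roles = new TreeSet<>();
        for (String name : LOADED_ROLE_NAMES) roles.add(new BrokenRole(name));
        return roles;
    }

    /** Roles as the fixed class stores them: all distinct authorities survive. */
    static Set<FixedRole> fixedRoleSet() {
        Set<FixedRole> roles = new TreeSet<>();
        for (String name : LOADED_ROLE_NAMES) roles.add(new FixedRole(name));
        return roles;
    }

    /**
     * Simplified access decision: grant if any held authority matches one of the
     * ConfigAttributes for the URL (the posted log shows [ROLE_OP_FUNCIONAL,ROLE_ADMIN]
     * for /norm/index).
     */
    static boolean hasAnyRole(Set<?> granted, String... required) {
        for (Object role : granted)
            for (String name : required)
                if (role.toString().equals(name)) return true;
        return false;
    }

    public static void main(String[] args) {
        Set<BrokenRole> broken = brokenRoleSet();
        Set<FixedRole> fixed = fixedRoleSet();
        System.out.println("broken compareTo, roles held: " + broken);
        System.out.println("fixed compareTo,  roles held: " + fixed);
        String[] normIndex = { "ROLE_OP_FUNCIONAL", "ROLE_ADMIN" };
        System.out.println("broken: /norm/index allowed? " + hasAnyRole(broken, normIndex));
        System.out.println("fixed:  /norm/index allowed? " + hasAnyRole(fixed, normIndex));
    }
}
```

With the broken comparator the set holds only ROLE_OP_TECNICO, which is not among the ConfigAttributes for /norm/index, so the decision is denied even though the user has ROLE_OP_FUNCIONAL in the database; with the fixed comparator all four roles survive and the same check passes. The same reasoning explains the posted observation that only the administrator kept working: a user whose first loaded role happens to be ROLE_ADMIN still matches every mapping, since every line in the posted requestMapString lists ROLE_ADMIN. The practical check for a GrantedAuthority implementation is therefore that compareTo, equals and hashCode all agree and all derive from the authority string, so that no collection type used by the framework can silently merge two different roles.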

EDIT --

from the documentation, the requestMapString should be of the form

requestMapString = '''CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
                      PATTERN_TYPE_APACHE_ANT 
                      /login/**=IS_AUTHENTICATED_ANONYMOUSLY 
                      /admin/**=ROLE_USER
                      /book/test/**=IS_AUTHENTICATED_FULLY
                      /book/**=ROLE_SUPERVISOR
                   '''

a few notes:

1) You have extra newlines and comments in the request map string. The requestMapString is a multiline String (look at the '''one long string''' format), so the Acegi mechanisms are going to try and parse/use the comments.
