在Spring Security Core中为Grails配置requestmap时出错

Question

In my system, I have numerous roles assigned to the users (lets assume 3 for now ROLE_ADMIN, ROLE_USER, ROLE_SERVICES ). In one of my controllers (lets assume SearchController that we have three actions serviceIndex{}, userIndex{} and adminIndex{} ), I want users of any role to be able to access two of the actions (the first two). For the final action, I want to restrict the action against a user of single role type (lets say ROLE_USER) but allow access to users of other roles (ie to ROLE_ADMIN, ROLE_SERVICE . I have something like the following in my requestmap table.

config_attribute ----------------------------------------------------------->url
ROLE_ADMIN,ROLE_SERVICE,ROLE_USER ------------------------------> /search/serviceIndex
ROLE_ADMIN,ROLE_SERVICE,ROLE_USER-------------------------------> /search/userIndex
ROLE_ADMIN,ROLE_SERVICE -----------------------------------------> /search/adminIndex

Since the third rule states that the url '/search/adminIndex' is not accessible to ROLE_USER, the user with that role should have been denied the authorization to access the url. But, the user can still access the url. What is the correct configuration. I did try someting like /search/adminIndex/** , but that doesn't work either. On a side note, none of the urls will have suffixes furthermore but I would still like to prevent access if users manipulate the url like adding suffixes like /search/userIndex/56a just in case.

Regards, dipess

Answer 1

Since the plugin iterates through the rules and applies the first one that matches the current URL, I would set the adminIndex first and then have a catchall for anything else.

ROLE_ADMIN,ROLE_SERVICE            /search/adminIndex
ROLE_ADMIN,ROLE_SERVICE,ROLE_USER  /search/**