[英]Error configuring the requestmap in spring security core for grails
In my system, I have numerous roles assigned to the users (lets assume 3 for now ROLE_ADMIN, ROLE_USER, ROLE_SERVICES
). 在我的系统中,我为用户分配了许多角色(现在假设
ROLE_ADMIN, ROLE_USER, ROLE_SERVICES
)。 In one of my controllers (lets assume SearchController
that we have three actions serviceIndex{}, userIndex{} and adminIndex{}
), I want users of any role to be able to access two of the actions (the first two). 在我的一个控制器中(假设
SearchController
我们有三个动作serviceIndex{}, userIndex{} and adminIndex{}
),我希望任何角色的用户都可以访问其中两个动作(前两个)。 For the final action, I want to restrict the action against a user of single role type (lets say ROLE_USER) but allow access to users of other roles (ie to ROLE_ADMIN, ROLE_SERVICE
. I have something like the following in my requestmap table. 对于最后一个动作,我想将动作限制为单一角色类型的用户(让我们说ROLE_USER),但允许访问其他角色的用户(即
ROLE_ADMIN, ROLE_SERVICE
。我的ROLE_ADMIN, ROLE_SERVICE
表中有类似以下内容的内容。
config_attribute ----------------------------------------------------------->url config_attribute ------------------------------------------------- ---------->网址
ROLE_ADMIN,ROLE_SERVICE,ROLE_USER ------------------------------> /search/serviceIndex ROLE_ADMIN,ROLE_SERVICE,ROLE_USER ------------------------------> / search / serviceIndex
ROLE_ADMIN,ROLE_SERVICE,ROLE_USER-------------------------------> /search/userIndex ROLE_ADMIN,ROLE_SERVICE,ROLE_USER -------------------------------> / search / userIndex
ROLE_ADMIN,ROLE_SERVICE -----------------------------------------> /search/adminIndex ROLE_ADMIN,ROLE_SERVICE -----------------------------------------> / search / adminIndex
Since the third rule states that the url '/search/adminIndex' is not accessible to ROLE_USER, the user with that role should have been denied the authorization to access the url. 由于第三条规则指出ROLE_USER无法访问url'/ search / adminIndex',因此应该拒绝具有该角色的用户访问url的授权。 But, the user can still access the url.
但是,用户仍然可以访问该URL。 What is the correct configuration.
什么是正确的配置。 I did try someting like
/search/adminIndex/**
, but that doesn't work either. 我确实尝试过
/search/adminIndex/**
,但这也不起作用。 On a side note, none of the urls will have suffixes furthermore but I would still like to prevent access if users manipulate the url like adding suffixes like /search/userIndex/56a
just in case. 附带一提,所有url都没有后缀,但是如果用户操纵url之类的东西(例如添加后缀
/search/userIndex/56a
以防万一,我仍然想阻止访问。
Regards, dipess 亲切的问候
Since the plugin iterates through the rules and applies the first one that matches the current URL, I would set the adminIndex first and then have a catchall for anything else. 由于该插件会遍历规则并应用与当前URL匹配的第一个规则,因此我将首先设置adminIndex,然后对其他所有内容进行设置。
ROLE_ADMIN,ROLE_SERVICE /search/adminIndex
ROLE_ADMIN,ROLE_SERVICE,ROLE_USER /search/**
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.