
Field-level security using Grails 2.x with Spring Security plugin

Is it possible to implement field-level security using the Spring Security Core plugin in Grails?

We are currently using method-level security with the @Secured annotation, but there are some users that should only be able to update some of the fields of an entity. We can use the security taglib to hide the fields that shouldn't be accessed, but this is only a client-side restriction (and therefore can be easily circumvented).

The Spring Security Core plugin for Grails doesn't have any support for this, directly. However, there is nothing stopping you from writing your own security around binding.

For example, in your controller:

package com.example
import grails.plugin.springsecurity.SpringSecurityUtils
class PersonController {
  ...
  def update() {
    Person personInstance = Person.get(params.id)
    if (!personInstance) {
      render status: 404
      return
    }
    if (SpringSecurityUtils.ifAllGranted('ROLE_ADMIN')) {
      bindData(personInstance, params) // admins: exclude nothing
    } else {
      // everyone else: these properties are never bound, whatever the request contains
      bindData(personInstance, params, [exclude: ['someSensitiveProperty', 'anotherProp']])
    }
    personInstance.save(flush: true)
    ...
  }
  ...
}

In theory you could even encapsulate this binding logic inside the domain class itself in a binding method of your choice (eg personInstance.bindDataWithSecurity(params) )
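The same idea turned into an allow-list per role instead of a deny-list, as an added example that is not part of the original answer. With exclude:, every property added to Person later is editable by everyone until someone remembers to list it; with include:, a new property is unbindable until a role is explicitly given it. The example also rejects a request that carries a property outside the caller's allow-list instead of silently dropping it, so a tampered form shows up in the logs. It assumes a Person domain class with the hypothetical properties named in EDITABLE_BY_ROLE, the Grails 2.x Spring Security Core plugin, and that form fields are posted under the plain property names.

```groovy
package com.example

import grails.plugin.springsecurity.SpringSecurityUtils

// Added example, not code from the original answer. Assumes a Person domain
// class with the (hypothetical) properties named in EDITABLE_BY_ROLE and the
// Grails 2.x Spring Security Core plugin.
class PersonController {

    def springSecurityService

    // Allow-list: which Person properties each role may write. A property that
    // is not listed for any role can never be bound from a request, so adding
    // a field to Person does not silently make it editable.
    static final Map<String, List<String>> EDITABLE_BY_ROLE = [
        ROLE_ADMIN: ['firstName', 'lastName', 'email', 'salary', 'enabled'],
        ROLE_HR   : ['firstName', 'lastName', 'email', 'salary'],
        ROLE_USER : ['firstName', 'lastName', 'email'],
    ].asImmutable()

    // Every property that is bindable by at least one role.
    static final Set<String> ALL_BINDABLE =
        EDITABLE_BY_ROLE.values().flatten().toSet().asImmutable()

    // Union of the allow-lists of the roles granted to the current user.
    private List<String> editableProperties() {
        EDITABLE_BY_ROLE.findAll { String role, List<String> props ->
            SpringSecurityUtils.ifAnyGranted(role)
        }.values().flatten().unique()
    }

    def update(Long id) {
        Person personInstance = Person.get(id)
        if (!personInstance) {
            render status: 404
            return
        }

        List<String> allowed = editableProperties()

        // A submitted property that exists on Person but is outside the caller's
        // allow-list is a tampered or forged form. Reject the whole request and
        // log it, instead of silently dropping the field and returning 200.
        Set<String> forbidden = params.keySet().intersect(ALL_BINDABLE) - allowed
        if (forbidden) {
            log.warn "user ${springSecurityService.principal?.username} tried to set ${forbidden} on Person ${id}"
            render status: 403
            return
        }

        // Only the allowed properties are bound; include: is an allow-list,
        // so everything else in params is ignored regardless of its name.
        bindData(personInstance, params, [include: allowed])

        if (!personInstance.save(flush: true)) {
            render view: 'edit', model: [personInstance: personInstance]
            return
        }
        redirect action: 'show', id: id
    }
}
```

Two caveats when using this. SpringSecurityUtils.ifAnyGranted and ifAllGranted take a comma-separated string of role names, so pass one role per call as above rather than a Groovy list. And the check only protects this one binding call: any other path that assigns request data to the entity, such as new Person(params) or personInstance.properties = params elsewhere in the application, bypasses it, which is why the original answer's suggestion of centralising the binding in the domain class is worth taking.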
