
Grails Acegi security: Problem with roles and access

sad end to this story

Well, as it turns out, the compareTo method in my Role class (Role implements GrantedAuthority) was always returning 0. So each user had only one role (since they are stored in a Set).

The problem

Hi everyone,

I'm having some strange behaviour in my application.

I've added a couple of fields to the User class (created by Acegi), so I can set an expired password, record last N passwords, stuff like that. We have 9 roles, ROLE_ADMIN being the "superuser" that can access all the functionality.

After deploying the app, users started complaining that they can't use it. They are able to login, but whenever they want to go somewhere, they get access denied, as if they didn't have the Role.

This happens to every User, except for the administrator (who only has ROLE_ADMIN), including those with (ROLE_ADMIN + other roles).

I can't even think where to start.

update

I've checked, and users are coming from the database with the roles attached.

Roles are checked in the SecurityConfig.groovy file. I'm afraid that the problem is elsewhere, since I have a tagged version of the project that actually works.

Here's my SecurityConfig.groovy:

import com.mycompany.myapp.audit.Auditoria

security {

    // see DefaultSecurityConfig.groovy for all settable/overridable properties

    active = true

    loginUserDomainClass = "com.mycompany.myapp.user.User"
    authorityDomainClass = "com.mycompany.myapp.user.Role"
    requestMapClass = "com.mycompany.myapp.user.Requestmap"

    useRequestMapDomainClass = false

    /** authenticationEntryPoint */
    loginFormUrl = '/login/auth'
    forceHttps = 'false'
    ajaxLoginFormUrl = '/login/authAjax'
    authenticationFailureUrl = '/login/authfail'


    afterLogoutUrl = '/login/auth'

    requestMapString = """\
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT

            /=IS_AUTHENTICATED_REMEMBERED
            /login/auth=IS_AUTHENTICATED_ANONYMOUSLY
            /login/authajax=IS_AUTHENTICATED_ANONYMOUSLY
            /login/authfail=IS_AUTHENTICATED_ANONYMOUSLY
            /login/renew=IS_AUTHENTICATED_ANONYMOUSLY
            /js/**=IS_AUTHENTICATED_ANONYMOUSLY
            /css/**=IS_AUTHENTICATED_ANONYMOUSLY
            /images/**=IS_AUTHENTICATED_ANONYMOUSLY
            /plugins/**=IS_AUTHENTICATED_ANONYMOUSLY


            /scan/uploadfile=IS_AUTHENTICATED_ANONYMOUSLY
            /ticket/uploadfile=IS_AUTHENTICATED_ANONYMOUSLY
            /analisis/list =ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_OP_FUNCIONAL, ROLE_ADMIN
            /analisis/hazzards/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_OP_FUNCIONAL, ROLE_ADMIN
            /analisis/show/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
            /analisis/create/**=ROLE_SUP_TECNICO, ROLE_ADMIN
            /analisis/edit/**=ROLE_SUP_TECNICO,ROLE_ADMIN
            /hazzardsreport/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_OP_FUNCIONAL, ROLE_REPORTE_VULNERABILIDAD, ROLE_ADMIN
            /mistaken/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
            /hazzardtype/**=ROLE_SUP_TECNICO, ROLE_ADMIN

            /** MODULO NORMAS */
            /report/**=ROLE_OP_FUNCIONAL, ROLE_ADMIN
            /norm/**=ROLE_OP_FUNCIONAL, ROLE_ADMIN

            /** TICKETS */
            /ticket/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
            /alert/**=ROLE_SUP_TECNICO, ROLE_OP_TECNICO, ROLE_ADMIN
            /ticket/uploadfile=IS_AUTHENTICATED_ANONYMOUSLY

            /** RISKS */
            /project/**=ROLE_AN_RIESGOS, ROLE_ADMIN
            /riskreport/**=ROLE_AN_RIESGOS, ROLE_ADMIN, ROLE_REPORTE_RIESGO

            /** BUSINESS CONTINUITY */
            /projectpcn/**=ROLE_AN_PCN, ROLE_ADMIN
            /businessuniteval/** = ROLE_AN_PCN, ROLE_ADMIN
            /subprocesseval/** = ROLE_AN_PCN, ROLE_ADMIN
            /failscenario/**=ROLE_AN_PCN, ROLE_ADMIN
            /strategy/**=ROLE_AN_PCN, ROLE_ADMIN
            /test/**=ROLE_AN_PCN, ROLE_ADMIN
            /reportepcn/**=ROLE_AN_PCN, ROLE_ADMIN, ROLE_REPORTE_PCN
            /process/**=ROLE_AN_PCN, ROLE_ADMIN


            /** ADMIN */
            /user/changeent=IS_AUTHENTICATED_REMEMBERED
            /user/finduser=IS_AUTHENTICATED_REMEMBERED
            /user/**=ROLE_ADMIN
            /role/**=ROLE_ADMIN
            /requestmap/**=ROLE_ADMIN
            /empresa/**=ROLE_ADMIN
            /asset/**=ROLE_ADMIN, ROLE_SUP_TECNICO, ROLE_OP_TECNICO
            /responsable/**=ROLE_ADMIN
            /preference/**=ROLE_ADMIN
            /businessunit/**=ROLE_ADMIN, ROLE_AN_PCN


            /**=IS_AUTHENTICATED_REMEMBERED
        """


    useSecurityEventListener = true

    onInteractiveAuthenticationSuccessEvent = { e, appCtx ->
        Auditoria.log(e.getSource().getPrincipal().getDomainClass(), "Usuario autenticado - " + e.getSource().getDetails().getRemoteAddress())
    }

}

update - log verbosity and no comments/newlines

Hi, after updating my SecurityConfig.groovy, the error continues. However, I've retrieved this log line. I tried to access /norm/index with a user that has all 9 roles assigned to them.

DEBUG 28/Dec/2010 00:12:57,110 [http-8080-3] Secure object: FilterInvocation: URL: /norm/index; ConfigAttributes: [ROLE_OP_FUNCIONAL,ROLE_ADMIN]

org.springframework.security.intercept.AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@a00c7ad6: Principal: com.baufest.insside.security.UserLoginDetails@0:

Username: someuser; Password:[PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_OP_TECNICO; Password: [PROTECTED]; Authenticated: true;

Details: org.springframework.security.ui.WebAuthenticationDetails@0: Granted Authorities: ROLE_OP_TECNICO

DEBUG 28/Dec/2010 00:12:57,110 [http-8080-3] org.springframework.security.ui.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler

From what I read here, it seems that my User is only getting 1 role, even though when I debug it, user.authorities has all 9 roles assigned to it.

Any thoughts will be appreciated. Thanks in advance.
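The "sad end" at the top of the question explains the log line above: compareTo on the Role class always returned 0, and the roles live in a Set. The following is an added illustration, not code from the question or from the Acegi plugin; it uses a hypothetical stand-in Role class in a java.util.TreeSet (assumed to be the sorted Set involved) and reproduces the single surviving ROLE_OP_TECNICO with the broken compareTo and all nine roles with a corrected one.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical stand-in for a Grails Acegi Role implementing GrantedAuthority, which
// extends Comparable: a sorted Set decides "already present" with compareTo, not equals.
abstract class Role implements Comparable<Role> {
    final String authority;
    Role(String authority) { this.authority = authority; }
    public String getAuthority() { return authority; }
}

// The bug from the question: compareTo always returns 0, so a TreeSet treats every role
// as the one already stored and silently drops the other eight.
class BrokenRole extends Role {
    BrokenRole(String a) { super(a); }
    public int compareTo(Role other) { return 0; }
}

// The fix: compare the authority strings, so distinct roles stay distinct.
class FixedRole extends Role {
    FixedRole(String a) { super(a); }
    public int compareTo(Role other) { return authority.compareTo(other.authority); }
}

public class RoleSetDemo {
    // The nine roles from the question's requestMapString (constructed order; ROLE_OP_TECNICO
    // goes first because that is the single role the log shows surviving).
    static final List<String> ALL_ROLES = Arrays.asList(
        "ROLE_OP_TECNICO", "ROLE_ADMIN", "ROLE_SUP_TECNICO", "ROLE_OP_FUNCIONAL",
        "ROLE_REPORTE_VULNERABILIDAD", "ROLE_AN_RIESGOS", "ROLE_REPORTE_RIESGO",
        "ROLE_AN_PCN", "ROLE_REPORTE_PCN");

    // The check the interceptor logs for /norm/index: is any granted authority among the ConfigAttributes?
    static boolean isGranted(Set<? extends Role> granted, List<String> configAttributes) {
        return granted.stream().anyMatch(r -> configAttributes.contains(r.getAuthority()));
    }

    public static void main(String[] args) {
        Set<Role> broken = new TreeSet<>();
        Set<Role> fixed = new TreeSet<>();
        for (String name : ALL_ROLES) {
            broken.add(new BrokenRole(name));
            fixed.add(new FixedRole(name));
        }
        List<String> normIndex = Arrays.asList("ROLE_OP_FUNCIONAL", "ROLE_ADMIN");
        System.out.println("broken: " + broken.size() + " role(s) kept, /norm/index granted=" + isGranted(broken, normIndex));
        System.out.println("fixed:  " + fixed.size() + " role(s) kept, /norm/index granted=" + isGranted(fixed, normIndex));
    }
}
```

With the broken compareTo the set keeps 1 role and access to /norm/index is denied, exactly as in the log; with the fixed compareTo it keeps 9 and access is granted.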

EDIT --

From the documentation, the requestMapString should be of the form:

requestMapString = '''CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
                      PATTERN_TYPE_APACHE_ANT 
                      /login/**=IS_AUTHENTICATED_ANONYMOUSLY 
                      /admin/**=ROLE_USER
                      /book/test/**=IS_AUTHENTICATED_FULLY
                      /book/**=ROLE_SUPERVISOR
                   '''

A few notes:

1) You have extra newlines and comments in the request map string. The requestMapString is a multiline String (look at the '''one long string''' format), so the Acegi mechanisms are going to try and parse/use the comments.
