I am using spring-security-core and I have got more than ten controllers, I want to check whether user is logged in all the actions, I know one method of doing if(springSecurityService.isLoggedIn()) in all the actions, Is there any other way to do it, Instead of writing the same logic in all the actions/controllers
If you'd like to deny access to the actions entirely, there are a few ways of doing it.
You can put the #grails.plugins.springsecurity.Secured annotation on the controller class, or action method. You can also specify what needs authentication by URL by creating a request map. You can either create a Requestmap domain object, or you can create a static request map in your Config.groovy with the grails.plugins.springsecurity.controllerAnnotations.staticRules map.
There are more details in the Spring Security Core manual.
If it were me I would take ataylors answer one step further. Do as he said, but instead of copying and pasting the same code in all of your controllers just put it in the Controller.groovy template once then run the generate-all command. Templates are very powerful for things like this, and if you keep your templates up to date you can easily change 10 controllers, or 100 controllers as needed if/when your application evolves.
How to install templates:
http://grails.org/doc/latest/ref/Command%20Line/install-templates.html
Related
I'm still pretty new to the grails framework and working on legacy application based on grails 2.
I have a domain controller allowing authenticated users to do all basic CRUD actions (create, read, update and delete), with "Read" including list and show.
I need to create another controller/view now allowing any user (non authenticated ones too) to be able to read only (list and show).
I looked around but could not find any "tuto" to do so ...then here's my question:
What would be the best approach to complete this task?
I looked into 2 options:
Option 1
Modifying the current domain controller (class level) #secured annotation in order to annotate only create, update and delete methods. I tried to do so, but it seems like I still have to authenticate which I suspect is related to SpringSecurity "grails.plugin.springsecurity.controllerAnnotations.staticRules" config that I may need to modify too.
Option 2
Create a new controller from scratch (but I guess I can't ask Grails to generate a second domain controller for the same class) then it means quite some work to build up all the data I need.
I'm not even sure if any of the 2 options above is recommended... has anyone faced this problematic (I'm sure many have) and if so ... what was the recommended approach?
Thanks.
I have a project that use the USER_ROLE to give access to different people to different parts of the project. But people still need to login.
I also have another project in C#. There is 2 copies of the same project. The public project is a copy of the main project. However, the public project is accessing the VIEWs set up from the database. It is not accessing the actual tables. So, the public project can have only read only access to a subset of the database records. It is only reading the VIEWs.
I am new to Grails. I don't know if you can set up the domain to access a view or not.
I am thinking outside the box. For your project, is it possible for you to create a new "public-read-only" project. Copy and paste the parts from the main project to the new "public-read-only" project that you want to give people to access.
In this case, your new project is a subset of the main project but it is accessing the records from the actual database tables.
What do you think?
I'm quite new into groovy / grails world, so forgive for asking simple question. I'm pretty sure this can be done by meta-programming, that is injecting method into definition of grails controller class or so. Can anyone point me where should this injection be written (Bootstrap.groovy?).
I'm trying to create currentUser() method with Spring-security-core plugin that I could use in any controller.
Your question is answered in these two posts:
How can I add common actions to controllers without using inheritance?
Add methods to controllers
However there are a couple of other approaches you might consider ...
You could just inject a "SecurityService" into controllers that need to know the current user and put "getCurrentUser" on that.
You could use a Grails filter to add "currentUser" to the params map available to all controllers. I like that approach as I usually use a filter to implement security anyway. The filter can also add it to all models prior to view rendering so all your views have access to it.
I'm working on a project in Grails 2.0.RC1 and I'd like to be able to save the scaffolded controllers and views for my domain objects to have as a "low-level", developer only access to still tinker with things while being able to develop the production version of the views and controllers (with similar names, especially for controllers). I'd like to preserve them as-is, so I can re-generate them as I make updates to the domain layer, so just moving them is most likely not going to work.
I'm hoping there's a way to do some UrlMapping magic that would let me have requests for "/mgr/book" go to the scaffolded Book controller, but "/book" would go to my production controller. I can't find anything in the docs about how to have mappings for specific groups of controllers (without specifying each controller by name versus a $controller notation).
My other thought is to turn my domain layer into a plug-in and then create a separate project that would be just for the scaffolded views. This would be easier to remove before going to production, but also seems like more work, and raises the issue of running two grails apps at the same time on the same box.
I would advance you to go like your last idea. This is also my common approach:
Create an embeddable plugin for your domain model and common services. This also includes common plugins, like spring security and stuff. This will also reduce your dependency resolution time for the main-app btw.
Create an embeddable plugin for your scaffolded views. Change the template of the scaffolded controllers to require authentication and admin-group.
Your main-app uses both plugins.
This keeps your main-app clean and simple and you can still regenerate all your scaffolded views & controllers as you wish. And at least Eclipse STS hot-deployment will still work!
However there is no simple solution for seperating your scaffolded controllers URL-wise yet.
If you are using Spring Security, you should be able to use an InterceptUrlMap or RequestMap Instances to secure the controller URLs.
If your scaffold controllers are only used for scaffolding (and don't have other actions), then you should be able to use basic Secured annotations to secure the entire controller.
Then you can use the scaffolding like normal, protected behind a login.
Other security frameworks may provide similar access control.
I would like to restrict access only for ROLE_ADMIN users to all controllers introduced by the Spring Security UI plugin in grails. (I am using grails 1.3.7, plugins.spring-security-core=1.1.3 and plugins.spring-security-ui=0.1.2)
I can run the config script and create a blank controller for each of the various controllers the ui plugin defines, and decorate that blank controller with #Secured(['ROLE_ADMIN']), but that seems like a tedious and unnecessary approach. Is there a better way?
Thanks,
Gene
Since you're using annotations, the easiest way is to use the controllerAnnotations.staticRules config option. This is for static resources and controllers like these where you shouldn't edit them (or jump through hoops to secure them).
See section "5.1 Defining Secured Annotations" in http://grails-plugins.github.com/grails-spring-security-core/docs/manual/
The Spring Security UI plugin, among other things, provides a registration page. On this page are 4 fields: username, email, password, and verify-password. It uses a regular architecture of controller and gsps. Staying with a single page registration for the user, I need to add a bunch of fields -- e.g. address, payment info, etc.
Any thoughts / recommendations on how to extend this plugin's page, so that I can get updated versions and incorporate them without too much re-integration. It's almost like one part of the page should go to the UI controller, and the other parts of the page should go to my controller. Note the UI controller usees regular forms (i.e. not ajax).
Thanks
To custom configure the Spring Security UI plugin I'd first of all have a look at the existing plugin code to get a handle on how it works and then run the override scripts that you require as detailed at:
http://burtbeckwith.github.com/grails-spring-security-ui/docs/manual/guide/10%20Customization.html
In your case you'd need:
grails s2ui-override register com.my.packagename
Jim.
Assuming you used the s2-quickstart script to create the domain classes, controllers, and GSPs, you have 2 options for customising the User domain class
add your custom properties (address, payment info, etc.) directly to the User domain class created by the plugin
create your own User domain class that extends the one generated by the plugin. Add your custom properties to the subclass
According to this article, the latter approach is preferable because:
because it allows you to easily update the generated user domain class
if its template ever changes. It also means you don't overly pollute
your domain model with Spring Security specifics. On the downside, you
have to deal with domain class inheritance, although the cost is
pretty minimal.
You'll also need to add the custom fields to the GSPs. The controller actions probably won't require any modifications.