Grails spring security denying access to other plugin




On a Grails 2.4.3 project, I'm using the Spring Security Core plugin (2.0rc4) and a plugin called feature flipping.

All controllers are correctly secured, and authentication is working without problems.

The "feature flipping" plugin exposes an /admin/feature URI that allows a user to switch features through the web.

I tried to configure static rules to permit ROLE_ADMIN users to access the resource, but I'm still getting "access denied" errors.

Any ideas?

My staticRules:

'/admin/**': ['ROLE_ADMIN']

Spring Security debug log:

2014-10-28 17:15:47,805 [http-bio-8080-exec-4] debug matcher.antpathrequestmatcher - request '/admin/features' matched universal pattern '/**'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] debug web.filterchainproxy - /admin/features @ position 1 of 8 in additional filter chain; firing filter: 'securitycontextpersistencefilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] debug context.httpsessionsecuritycontextrepository - obtained valid securitycontext spring_security_context: 'org.springframework.security.core.context.securitycontextimpl@2116e65: authentication: org.springframework.security.authentication.usernamepasswordauthenticationtoken@2116e65: principal: [redacted].security.userdetails@f9520f8b: username: pygillier; password: [protected]; enabled: true; accountnonexpired: true; credentialsnonexpired: true; accountnonlocked: true; granted authorities: role_admin; credentials: [protected]; authenticated: true; details: org.springframework.security.web.authentication.webauthenticationdetails@255f8: remoteipaddress: 127.0.0.1; sessionid: 7ff242941b7f95fd17e97d8611b3a5cf; granted authorities: role_admin, role_user'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] debug web.filterchainproxy - /admin/features @ position 2 of 8 in additional filter chain; firing filter: 'mutablelogoutfilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] debug web.filterchainproxy - /admin/features @ position 3 of 8 in additional filter chain; firing filter: 'requestholderauthenticationfilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] debug web.filterchainproxy - /admin/features @ position 4 of 8 in additional filter chain; firing filter: 'securitycontextholderawarerequestfilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] debug web.filterchainproxy - /admin/features @ position 5 of 8 in additional filter chain; firing filter: 'grailsremembermeauthenticationfilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] debug web.filterchainproxy - /admin/features @ position 6 of 8 in additional filter chain; firing filter: 'grailsanonymousauthenticationfilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] debug web.filterchainproxy - /admin/features @ position 7 of 8 in additional filter chain; firing filter: 'exceptiontranslationfilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] debug web.filterchainproxy - /admin/features @ position 8 of 8 in additional filter chain; firing filter: 'filtersecurityinterceptor'
2014-10-28 17:15:47,807 [http-bio-8080-exec-4] debug intercept.filtersecurityinterceptor - secure object: filterinvocation: url: /admin/features; attributes: [_deny_]

I'm going to give this a shot based on the info I've gotten already. If you are not specifying securityConfigType, the Grails Spring Security plugin defaults to using annotations on controller classes. If that is the case (or you are explicitly using annotations because you want to), you have a couple of options:

Set grails.plugin.springsecurity.rejectIfNoRule to false. This is not recommended, as it potentially leaves other URLs that are not explicitly secured open to all. It might be OK for development, though.

If my assumptions are correct, you are using the wrong static rules configuration. If using annotations, the static rules map must be defined in the configuration item grails.plugin.springsecurity.controllerAnnotations.staticRules

As such, your configuration should look like this:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [ '/admin/**': ['ROLE_ADMIN'] ]

For reference, this line of code gave me a hint as to what is going on here. It tells me that the Spring Security plugin was unable to find the 'ROLE_ADMIN' attribute you had defined, and rejectIfNoRule is set to true (which is the default).
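To find every URL affected by the same misconfiguration, the following added example (not part of the original post or of the plugin) scans Spring Security debug output for FilterSecurityInterceptor entries whose only attribute is _deny_, which the answer reads as "no rule found while rejectIfNoRule is true". The function names and the second and third sample log entries are constructed for illustration.

```python
import re

# FilterSecurityInterceptor debug entry. Case-insensitive because the log on
# this page is lowercased, while the plugin normally logs mixed case.
SECURE_OBJECT = re.compile(
    r"secure object: filterinvocation: url: (?P<url>\S+); "
    r"attributes: \[(?P<attrs>[^\]]*)\]",
    re.IGNORECASE,
)

def classify(log_text):
    """Return [(path, attributes, has_rule)] for every secured request."""
    results = []
    for m in SECURE_OBJECT.finditer(log_text):
        path = m.group("url").split("?", 1)[0]  # drop any query string
        attrs = [a.strip() for a in m.group("attrs").split(",")]
        # A lone _deny_ attribute: no rule matched and rejectIfNoRule is true.
        has_rule = [a.lower() for a in attrs] != ["_deny_"]
        results.append((path, attrs, has_rule))
    return results

def unmapped_paths(log_text):
    """Return {path: hit count} for requests rejected for lack of a rule."""
    counts = {}
    for path, _attrs, has_rule in classify(log_text):
        if not has_rule:
            counts[path] = counts.get(path, 0) + 1
    return counts

# First entry is copied from the question's log; the other two are constructed.
SAMPLE_LOG = "\n".join([
    "2014-10-28 17:15:47,807 [http-bio-8080-exec-4] debug "
    "intercept.filtersecurityinterceptor - secure object: filterinvocation: "
    "url: /admin/features; attributes: [_deny_]",
    "2014-10-28 17:16:02,114 [http-bio-8080-exec-5] DEBUG "
    "intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: "
    "URL: /book/list; Attributes: [ROLE_USER]",
    "2014-10-28 17:16:09,530 [http-bio-8080-exec-6] DEBUG "
    "intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: "
    "URL: /admin/features?name=beta; Attributes: [_DENY_]",
])

if __name__ == "__main__":
    for path, count in sorted(unmapped_paths(SAMPLE_LOG).items()):
        print(f"{count:4d}  {path}  (no matching rule)")
```

Each path it reports needs an entry in the static rules map (or an annotation on its controller) rather than a global rejectIfNoRule = false.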
