1
votes

I'm using Grails 2.0.3 and the latest Spring Security Plugin to secure my controllers.

But somehow controllers are not secured.

    import grails.plugins.springsecurity.Secured

    @Secured("ROLE_USER")
    class SettingsController extends UtilController {
      def index(){
        render "should not run while not logged in"
      }
    }

Whether or not I am logged in, I see the message. If I inject springSecurityService, it shows the correct logged-in status (true/false), so the annotation is just not handled.

I've tried adding the "IS_AUTHENTICATED_FULLY" requirement and moving the annotation to the method; it doesn't help.

What could it be related to?

4 Answers

5
votes

The @Secured annotation accepts a list of roles (String[]), and I guess you have a problem with converting a string to an array of strings.

Can you try with @Secured(["ROLE_USER"])?

5
votes

Do you have something other than

    grails.plugins.springsecurity.securityConfigType = "Annotation"

in the config file?

0
votes

I've found the solution for my case. Make sure to have the filterInvocationInterceptor in your list of grails.plugins.springsecurity.filterNames in Config.groovy like in the example:

    grails.plugins.springsecurity.filterChain.filterNames = [
       'securityContextPersistenceFilter', 'logoutFilter',
       'authenticationProcessingFilter', 'myCustomProcessingFilter',
       'rememberMeAuthenticationFilter', 'anonymousAuthenticationFilter',
       'exceptionTranslationFilter', 'filterInvocationInterceptor'
    ]

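
A config check covering the two answers above (the securityConfigType question and the filterNames fix), as an added example that is not part of the original posts. The function name auditSecurityConfig and the sample config text are constructed for illustration, and it assumes the settings are written as string literals in Config.groovy.

```groovy
// Added example: flags the two Config.groovy conditions raised in the answers
// above. auditSecurityConfig is a hypothetical helper, not part of the plugin.
def auditSecurityConfig(String configText) {
    // ConfigSlurper returns an empty (falsy) ConfigObject for keys that are unset
    def conf = new ConfigSlurper().parse(configText).grails.plugins.springsecurity
    def findings = []

    // Second answer: is securityConfigType set to something other than "Annotation"?
    def type = conf.securityConfigType
    if (type && type.toString() != 'Annotation') {
        findings << "securityConfigType is '${type}', not 'Annotation'".toString()
    }

    // Third answer: a custom filter list must still include filterInvocationInterceptor
    def names = conf.filterChain.filterNames
    if (names instanceof List && !names.contains('filterInvocationInterceptor')) {
        findings << "filterChain.filterNames omits 'filterInvocationInterceptor'"
    }
    return findings
}

// Constructed sample config showing both conditions at once
def sample = '''
grails.plugins.springsecurity.securityConfigType = "Requestmap"
grails.plugins.springsecurity.filterChain.filterNames = [
    'securityContextPersistenceFilter', 'logoutFilter',
    'authenticationProcessingFilter', 'anonymousAuthenticationFilter',
    'exceptionTranslationFilter'
]
'''

auditSecurityConfig(sample).each { println "WARN: ${it}" }
```
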
-3
votes

I think that the @Secured annotation only works for the methods inside the controller, not for the class.

Try to use it like this:

    import grails.plugins.springsecurity.Secured

    class SettingsController extends UtilController {
      @Secured(["ROLE_USER"])
      def index(){
        render "should not run while not logged in"
      }
    }