0
votes

Might be just me, but I have a hard time understanding how to secure just some of the pages in a Grails application with the Shiro Plugin.

I use this in my security filter:

class SecurityFilters {
    def filters = {
        // Matches every request, so every controller/action ends up checked.
        all(uri: "/**") {
            before = {
                // Ignore direct views (e.g. the default main index page).
                if (!controllerName) return true

                // Access control by convention.
                accessControl(auth: false)
            }
        }
    }
}

and I have created a user in my bootstrap:

    // Role with two permissions: a wildcard on "secured1" and selected actions on "secured2".
    def adminRole = new Role(name: "Administrator")
    adminRole.addToPermissions("secured1")
    adminRole.addToPermissions("secured2:create,save,edit,update")
    adminRole.save()

    // Sha512Hash comes from org.apache.shiro.crypto.hash (import it in BootStrap.groovy).
    def user = new User(username: "admin", passwordHash: new Sha512Hash("***").toHex())
    user.addToRoles Role.findByName('Administrator')
    user.save()

and it works. The problem is that it also secures all controllers/actions.

I was hoping that it would be possible to NOT specify the actions I want to protect in my SecurityFilter, but only in the permissions. But is this possible?


1 Answer

1
votes

The static property 'filter' allows you to define multiple filtering patterns. You can use the 'uri' parameter or the 'controller' parameter. If you use 'controller' you can also add an 'action' parameter. Each of these parameters takes a regular expression so you can do stuff like:

admin(uri:"/admin/**")
...
browseStore(controller:"store", action:"(show|list)")
...
shopStore(controller:"store", action:"*")
...

Check out http://www.grails.org/Filters for more info.
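Putting the answer's pattern parameters together with the question's set-up, here is an added example (not the poster's or the answerer's code) of a SecurityFilters class that only routes the "secured1" and "secured2" controllers and the /admin/** URIs through the Shiro plugin's accessControl check and leaves every other controller/action public. It assumes the Grails filter DSL parameters named in the answer (uri, controller, action, taking regular expressions), the accessControl(auth: false) call as used in the question, and the role("...") form inside the accessControl closure, which is taken from the Shiro plugin's builder and is an assumption here.

```groovy
// grails-app/conf/SecurityFilters.groovy
// Added example: scoped filters instead of a single all(uri: "/**") rule.
class SecurityFilters {
    def filters = {

        // Everything on the "secured1" controller goes through the conventional
        // "controller:action" permission check. A one-part wildcard permission
        // such as "secured1" (as granted in the bootstrap) implies every
        // "secured1:<action>", so the role above passes for all of them.
        secured1(controller: "secured1", action: "*") {
            before = {
                accessControl(auth: false)
            }
        }

        // On "secured2" only the write actions are checked. show/list are left
        // out of the pattern on purpose: a user holding only
        // "secured2:create,save,edit,update" would otherwise be rejected on
        // actions that permission never covers.
        secured2Write(controller: "secured2", action: "(create|save|edit|update)") {
            before = {
                accessControl(auth: false)
            }
        }

        // URI-based rule: anything under /admin/** requires the Administrator
        // role, checked explicitly rather than by the controller:action
        // convention. auth is not set here, so the plugin's default applies.
        // (role(...) inside the closure is assumed from the plugin's builder.)
        admin(uri: "/admin/**") {
            before = {
                accessControl {
                    role("Administrator")
                }
            }
        }

        // No catch-all filter: controllers not matched above are reachable
        // without a login, which is the behaviour the question asks for.
    }
}
```

Note that the permissions still decide what a given user may do; the filter patterns only decide which requests are subjected to the check at all. Any controller you forget to list here is open, so keep the list of protected controllers next to the permissions you hand out and review both together.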