I am working on a Grails application for the first time and I now want to protect some pages to be viewed only by admins, and give some permissions to other users.
I am using the Apache Shiro plugin for Grails.
My sample code in the bootstrap looks like this:

    class BootStrap {
        def init = { servletContext ->
            def adminRole
            if(ShiroRole.findByName("Admin".isEmpty())){
                adminRole = new ShiroRole(name: "Administrator")
                adminRole.addToPermissions("*:*")
                adminRole.addToPermissions("admin")
                adminRole.save()
                // 'user' now has all administrator rights
            }
            if (ShiroUser.findAllByUsername("user").isEmpty()) {
                def user = new ShiroUser(username: "user", passwordHash: new Sha256Hash("pass").toHex())
                user.addToPermissions("*:*")
                user.addToRoles(adminRole)
                user.save()
            }
            if (ShiroUser.findAllByUsername("Guest").isEmpty()) {
                def user = new ShiroUser(username: "Guest", passwordHash: new Sha256Hash("pass").toHex())
                user.addToPermissions("inventory:*")
                user.save()
            }
        }
        def destroy = {
        }
    }
My ShiroSecurityFilters looks like:

    class ShiroSecurityFilters {
        def filters = {
            all(uri: "/**") {
                before = {
                    // Ignore direct views (e.g. the default main index page).
                    if (!controllerName) return true
                    // Access control by convention.
                    accessControl()
                }
            }
        }
    }
I wanted to give "Guest" access to the inventory scaffold only. However, in my application, once the user "Guest" has logged in it is able to access other controllers, but I don't want that to happen. I appreciate your help.
If there is a better way of using Shiro roles, access control and/or permissions, please let me know about it.
Thank you
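
An added example, not part of the original post and not code from Shiro or its Grails plugin: a simplified Groovy re-implementation of Shiro's wildcard permission matching, run against the permission strings from the BootStrap above to show which requests each string set should cover. It assumes the convention-based `accessControl()` check requests `controllerName:actionName`; the `book` controller and the action names are hypothetical.

```groovy
// Added example: simplified re-implementation of Shiro's wildcard matching
// (parts split on ':', sub-parts on ','); this is not Shiro's own code.
class WildcardPerm {
    final List<Set<String>> parts

    WildcardPerm(String spec) {
        parts = spec.trim().toLowerCase().split(':').collect { part ->
            part.split(',').collect { it.trim() } as Set
        }
    }

    // True when this (granted) permission covers the requested one.
    boolean implies(WildcardPerm requested) {
        for (int i = 0; i < parts.size(); i++) {
            if (i >= requested.parts.size()) {
                // Granted string is longer: its extra parts must be wildcards.
                if (!parts[i].contains('*')) return false
            } else if (!parts[i].contains('*') &&
                       !parts[i].containsAll(requested.parts[i])) {
                return false
            }
        }
        return true // a shorter granted string covers all trailing parts
    }
}

// Permission strings taken from the question's BootStrap.
def granted = [
    'user'              : ['*:*'],
    'Administrator role': ['*:*', 'admin'],
    'Guest'             : ['inventory:*']
]

// Assumption: convention-based accessControl() requests
// "<controllerName>:<actionName>"; 'book' is a hypothetical controller.
def requests = ['inventory:list', 'inventory:delete', 'book:list', 'admin:index']

def isPermitted = { String who, String request ->
    granted[who].any { new WildcardPerm(it).implies(new WildcardPerm(request)) }
}

granted.keySet().each { who ->
    requests.each { req ->
        def verdict = isPermitted(who, req) ? 'ALLOW' : 'DENY'
        println "${who.padRight(19)} ${req.padRight(17)} ${verdict}"
    }
}
assert isPermitted('Guest', 'inventory:list')
assert !isPermitted('Guest', 'book:list')
```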