Might be just me, but I have a hard time understanding how to secure just some of the pages in a Grails application with the Shiro Plugin.

I use this in my security filter:

    class SecurityFilters {
        def filters = {
            all(uri: "/**") {
                before = {
                    // Ignore direct views (e.g. the default main index page).
                    if (!controllerName) return true

                    // Access control by convention.
                    accessControl(auth: false)
                }
            }
        }
    }

and I have created a user in my bootstrap:

    def adminRole = new Role(name: "Administrator")
    adminRole.addToPermissions("secured1")
    adminRole.addToPermissions("secured2:create,save,edit,update")
    adminRole.save()

    def user = new User(username: "admin", passwordHash: new Sha512Hash("***").toHex())
    user.addToRoles Role.findByName('Administrator')
    user.save()

and it works. Problem is, that it also secures all controllers/actions.

I was hoping that it would be possible to NOT specify the actions I want to protect in my SecurityFilter, but only in the permissions. But is this possible?

A: 

The static property 'filter' allows you to define multiple filtering patterns. You can use the 'uri' parameter or the 'controller' parameter. If you use 'controller' you can also add an 'action' parameter. Each of these parameters takes a regular expression so you can do stuff like:

    admin(uri:"/admin/**")
    ...
    browseStore(controller:"store", action:"(show|list)")
    ...
    shopStore(controller:"store", action:"*")
    ...

Check out http://www.grails.org/Filters for more info.

Brandon
True, but my thought was that I could define that in the addToPermissions on the role, so I do not have to do it in the SecurityFilter. But thanks for your input
sbglasius
Filters are where access control happens. If you have some magic that allows you to apply access control by creating a permission, please share it. There is a discussion of wildcard permissions here: http://www.grails.org/plugin/shiro Notice that even though wildcard permissions might look similar to the controller:action:id layout that you are used to using in MVC, there is no relationship between these two when using the grails shiro plugin.
Brandon
Hi Brandon: I know that the SecurityFilters are needed, but I don't want to write several of them. Just the one, and handle the rest of the permissions from the User and Role tables.
sbglasius
I do however recognize your answer as valid :-)
sbglasius
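The following is an added example, not code from the question or the answer, showing what the answer's advice looks like in a single SecurityFilters class: named filters scoped by `controller`/`action` (or `uri`) so that only the chosen actions go through `accessControl`, while unmatched requests stay public. It assumes the Grails Shiro plugin's `accessControl` helper, its closure form with `role(...)`, and the Administrator role and permission strings ("secured1", "secured2:create,save,edit,update") from the question's bootstrap; the controller names are assumed to match those permission prefixes.

```groovy
// Added example (not from the original post). Assumes the Grails Shiro
// plugin's `accessControl` filter helper and its closure DSL (`role(...)`),
// and the Administrator role / permission strings from the question.
class SecurityFilters {
    def filters = {
        // Every action of the secured1 controller needs the convention
        // permission "secured1:<action>"; the Administrator role's bare
        // "secured1" wildcard permission satisfies all of them.
        secured1All(controller: "secured1", action: "*") {
            before = {
                accessControl()
            }
        }

        // Only the mutating actions of secured2 are protected; show/list and
        // anything else on that controller stay public. The regex on `action`
        // is the same mechanism the answer shows for the store controller.
        secured2Write(controller: "secured2", action: "(create|save|edit|update)") {
            before = {
                accessControl()
            }
        }

        // Explicit role check instead of the convention permission, for an
        // area identified by URI rather than by controller (assumed closure
        // form of accessControl from the plugin).
        adminArea(uri: "/admin/**") {
            before = {
                accessControl {
                    role("Administrator")
                }
            }
        }
    }
}
```

The trade-off with this layout is that it fails open: a controller added later that matches none of the named filters is reachable by anyone. Keeping the question's catch-all `all(uri: "/**")` filter in place and carving out the public actions from it is the fail-closed alternative; either way, a quick check against `grails url-mappings-report` (or an equivalent list of controllers) after each new controller is worth building into review.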