问题描述

限时删除！！

我有一个使用Spring Security插件（版本1.2.7.3）的Grails（2.0.4）应用程序和安全的注释方法（默认的方法，更多）。

I have an Grails (2.0.4) application using Spring Security plugin (version 1.2.7.3) and the secured annotation approach (the default one, more here).

现在，我在UrlMapping.groovy中使用这些资源键或控制器/操作对的URL，如下所示：

Now, I have these URLs in UrlMapping.groovy with the resource key or the controller/action pair, like this:

"/$controller/$action?/$id?" {
        constraints {
            // apply constraints here
        }
    }

// other rules, all working properly

"/api/item/$id?"(resource: 'itemRest')
'/api/item/batch-delete'(controller: 'itemRest', action: 'batchDelete')

RESTful映射与ItemRestController完美结合：每种方法（show，update，save，delete）都能正确映射到正确的HTTP方法。并且额外的方法（batchDelete）也可以工作。

The RESTful mapping works perfectly with ItemRestController: every method (show, update, save, delete) is correctly mapped with the proper HTTP method. And the extra method (batchDelete) works as well.

我确保了API url，这样做：

I secured the API url, doing this:

grails.plugins.springsecurity.controllerAnnotations.staticRules = [
     // ...
     '/something/**': ['IS_AUTHENTICATED_FULLY']
     '/api/**': ['IS_AUTHENTICATED_FULLY']
]

现在，我如果我打电话，将被重定向到登录页面：

Now, I get redirected to the login page if I call:

http://host/context/something/bla_bla

但是，如果我打电话（必要时使用适当的有效负载），则不能：

But not if I call (with the proper payload, when required):

http://host/context/api/item/batchDelete
http://host/context/api/item/1
http://host/context/api/item

我的怀疑是映射时静态规则无法正常工作其余的控制器与资源键。

My suspect is that the static rules are not working properly when mapping the rest controller with the resource key.

请注意，UrlMapping.groovy文件中没有somethingurl。

Please also note that the "something" url is not present in the UrlMapping.groovy file.

任何想法？

推荐答案

我认为你必须使用

I think you have to use

grails.plugins.springsecurity.controllerAnnotations.staticRules = [
     '/itemrest/**': ['IS_AUTHENTICATED_FULLY'],
      //this will be redundant after the above rule I guess
     '/api/**': ['IS_AUTHENTICATED_FULLY']
]

未在urlMapping中映射的网址必须直接在规则中引用控制器。查看 警告 controllerAnnotations.staticRules 下

Urls which are not mapped in urlMapping has to refer the controller directly in the rules. Have a look at the warning under controllerAnnotations.staticRules in the docs.