secure grails spring security controllers


I am using the Spring Security plugin in my Grails project. In order to secure the URLs, I am using interceptUrlMap.

My User and Role classes are User.groovy and Role.groovy respectively. Based on these classes, the s2-quickstart script has generated UserController.groovy and RoleController.groovy.

The problem arises when I want to secure UserController.groovy. My requirement is that I cannot permit all users to create a new user. Therefore certain actions of the UserController need to be blocked for users with the proper role privileges.

However no matter how I try to restrict access, I see that all the actions of UserController are always accessible.

Could anyone please explain where I am going wrong? Any help is highly appreciated.

There are 2 best solutions below

0
On

I have managed to solve the issue. The problem was that I was editing Config.groovy while the application was still running. Hot deployment was not taking place.

Once I restarted the application, the functionality started working.

Thanks for all the help.

0
On

Better to use annotations instead of defining rules in Config.groovy. That helps in two ways: first, hot reloading will always work, and second, you can override any rule easily in Config.groovy. That means you can use both annotations and plain rules in Config.groovy.

So change this in Config.groovy:

grails.plugin.springsecurity.securityConfigType = "Annotation"

and start protecting your controller or actions like:

import grails.plugin.springsecurity.annotation.Secured

@Secured(["ROLE_MRU"])
class UserController {

    def edit() {
        // action code
    }

    @Secured(["ROLE_ADMIN"])
    def show() {
        // action code
    }
}
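
For comparison, this is how the interceptUrlMap approach from the question could restrict the user-creation actions. It is an added example, not code from either poster: the URL patterns, the action names and the use of rejectIfNoRule are assumptions, and the role names are borrowed from the annotation answer above.

```groovy
// Config.groovy (illustrative; URL patterns and roles are assumptions)
grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"

// Deny any request that matches no rule below, so a newly added
// controller action is blocked until a rule is written for it.
grails.plugin.springsecurity.rejectIfNoRule = true

grails.plugin.springsecurity.interceptUrlMap = [
    // Public entry points and static resources. With rejectIfNoRule = true
    // these must be listed explicitly or the login page itself is denied.
    '/':               ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/login/**':       ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/logout/**':      ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/**/js/**':       ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/**/css/**':      ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/**/images/**':   ['IS_AUTHENTICATED_ANONYMOUSLY'],

    // The first matching pattern wins, so the specific UserController
    // actions must appear before the broader '/user/**' rule.
    '/user/create':    ['ROLE_ADMIN'],
    '/user/save':      ['ROLE_ADMIN'],
    '/user/delete/**': ['ROLE_ADMIN'],

    // Remaining UserController actions: either role is sufficient.
    '/user/**':        ['ROLE_MRU', 'ROLE_ADMIN'],

    // Role management is restricted to administrators.
    '/role/**':        ['ROLE_ADMIN']
]
```

As the first answer found, edits to this map in Config.groovy only took effect after the application was restarted, so retest access with a non-admin account after each restart.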