0

我已将 Grails Spring Security 插件添加到脚手架 Grails 2.1.1 应用程序中。我正在设置用户规则,以便只有 ROLE_ADMIN 用户可以编辑、删除、更新或创建。除了删除之外,我已经完成了这项工作。出于某种原因,我的 ROLE_USER 用户仍然可以删除。我下面的规则有什么问题吗?

grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap
grails.plugins.springsecurity.interceptUrlMap = [
'/person/update/*':     ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/person/edit/*':       ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/person/delete':       ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/person/create':       ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],

'/county/update/*':     ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/county/delete':       ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/county/edit/*':       ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/county/create':       ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],

'/course/update/*':     ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/course/delete':       ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/course/edit/*':       ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/course/create':       ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],

'/':                    ['IS_AUTHENTICATED_REMEMBERED'],
'/**':                  ['IS_AUTHENTICATED_ANONYMOUSLY']

]

谢谢!

4

1 回答 1

4

我在文档中谈到这一点 - 请参阅http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/5%20Configuring%20Request%20Mappings%20to%20SecureactionSubmit处的警告%20URLs.html

当您看到actionSubmit标签发布到索引操作时,Grails 会根据隐藏的输入确定要转发到哪个操作,但这对于 Spring Security 来说为时已晚。

解决方法是使用两种形式,而不是使用actionSubmit.

于 2012-12-02T03:21:00.810 回答