7

I'm writing a small webapp in Grails and I have the following question regarding best practices for controller design and using GORM:

I'm storing the user object in session.user. Currently all my action methods start with the following code to make sure a valid user is logged in and that the user object is fresh:

class FooController {
  def actionMethodThatRequiresAValidUser = {
    if (!session?.user) {
      redirect(controller: "authentication", action: "login")
      return   // redirect() does not stop the action; without this the next line runs against a null user
    }
    session.user.refresh()   // re-read the cached session copy from the database
    ...
    /* do stuff */
    ...
  }
}

Is that best practice? Can it be done in a better and/or more concise way?

4

12 answers

9

Use a filter; that way you can put that same repeated code in the filter and keep your controllers focused on the real action.

answered 2009-01-27T22:23:45.290
3

I think using beforeInterceptor is appropriate. And have a look at the JSecurity plugin. For user authentication the JSecurity plugin is very useful.

answered 2009-01-28T08:48:02.753
1

You might try defining this as a filter rather than duplicating code.

answered 2009-01-27T22:29:07.603
1

I agree with the filter suggestions others have made. If that doesn't work for you, you could define a beforeInterceptor on your controller to minimize some duplication as well.

answered 2009-01-27T22:35:23.723
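The per-controller alternative mentioned in this answer and the one before it, written out as an added example rather than code from either answer: a beforeInterceptor that runs the login check before every action and opts public actions out with `except`. It assumes the AuthenticationController with a `login` action from the question and a User domain class with a `username` property (both assumptions, not stated by the answers):

```groovy
// Added example, not code from any of the answers.
// Assumes: AuthenticationController.login exists (as in the question) and
// the User domain class has a 'username' property.
class FooController {

    // Grails calls requireUser() before every action except those listed in
    // 'except'. If it returns false the action body never runs, so the
    // check lives in one place instead of at the top of each action.
    def beforeInterceptor = [action: this.&requireUser, except: ['index', 'about']]

    private boolean requireUser() {
        if (!session?.user) {
            redirect(controller: 'authentication', action: 'login')
            return false
        }
        // Same refresh the question does by hand: re-read the cached copy so a
        // change made since login (role removed, account locked) is seen now.
        session.user.refresh()
        return true
    }

    // Public: listed in 'except', reachable without a session.
    def index = {
        render 'public landing page'
    }

    // Public: also listed in 'except'.
    def about = {
        render 'about page'
    }

    // Protected: only reached when requireUser() returned true, so
    // session.user is guaranteed non-null and fresh here.
    def secret = {
        render "hello ${session.user.username}"
    }
}
```

Anything not named in `except` is protected by default, which is the safer failure mode: a new action added to this controller is denied to anonymous users unless someone explicitly opts it out.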
1

Have you gone through Spring Security Core?
It's a nice framework for security purposes.

answered 2013-04-23T09:09:38.693
1

There are many ways. A better approach is to use a filter (before) and put this code in the filter: if (!session?.user) { redirect(controller: "authentication", action: "login") }

Secondly, you can use the Spring Security plugin so that you don't have to worry about the user session; it will automatically control it. See http://blog.springsource.org/2010/08/11/simplified-spring-security-with-grails/ for further information about the plugin.

answered 2013-05-06T17:00:03.423
1

Have a look at the Spring Security Core Plugin, which is a rich framework for security purposes. You can use the springSecurityService.isLoggedIn() method after injecting the service, but the framework provides much finer access and privilege controls that also avoid the need for boilerplate.

answered 2014-06-13T10:22:34.263
1
import grails.plugins.springsecurity.Secured   // Spring Security Core 1.x package; 2.x+ uses grails.plugin.springsecurity.annotation.Secured

// Any authenticated user holding one of these roles may reach every action in
// this controller; the plugin sends everyone else to the login page.
@Secured(['ROLE_ADMIN', 'ROLE_SUB_ADMIN', 'ROLE_USER'])
class DashboardController {

    def create() {
        [bankInstance: new Bank(params)]
    }

    def save() {
        // Binds every request parameter onto the domain object; if Bank has
        // fields users must not set, bind through a command object instead.
        def bankInstance = new Bank(params)
        if (!bankInstance.save(flush: true)) {
            render(view: "create", model: [bankInstance: bankInstance])
            return
        }

        flash.message = message(code: 'default.created.message', args: [message(code: 'bank.label', default: 'Bank'), bankInstance.id])
        redirect(action: "show", id: bankInstance.id)
    }
}
answered 2014-09-01T11:02:37.150
0

You can also try the Apache Shiro plugin for Grails.

answered 2013-06-10T08:52:34.497
0

Use Spring Security Core. Map the roles of the users in the system, configure the same while installing the plugin, and don't forget to create an admin user on bootstrap.

answered 2013-06-11T14:05:25.990
0

If you aren't looking for a completely secure answer, like Spring Security Core, you can use this code from the Grails documentation as a filter:

class SecurityFilters {
    def filters = {
        loginCheck(controller: '*', action: '*') {
            before = {
                // Let the login action through, otherwise the redirect below loops.
                // The docs example redirects to 'login' on the current controller;
                // the question keeps login on AuthenticationController, so target it explicitly.
                if (!session.user && !actionName.equals('login')) {
                    redirect(controller: 'authentication', action: 'login')
                    return false   // stop the action from running
                }
            }
        }
    }
}
answered 2013-12-16T22:38:47.803
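The global filter that the first answer, the 2013-05-06 answer and the documentation snippet above all recommend, carried through as a complete SecurityFilters. This is an added example and not code from any answer or from the Grails documentation. It assumes a User domain class with a boolean `enabled` property and an AuthenticationController with a `login` action (as in the question), and it replaces the question's `session.user.refresh()` with a reload by id, so that a deleted or disabled account is rejected on its very next request instead of surviving until the session expires:

```groovy
// grails-app/conf/SecurityFilters.groovy
// Added example, not from any answer. Assumes: a User domain class with an
// 'enabled' boolean, and AuthenticationController.login as in the question.
class SecurityFilters {

    // Controllers that must stay reachable without a session. If the login
    // controller were not excluded, the redirect below would loop forever.
    static final Set PUBLIC_CONTROLLERS = ['authentication'] as Set

    def filters = {
        loginCheck(controller: '*', action: '*') {
            before = {
                if (controllerName in PUBLIC_CONTROLLERS) {
                    return true
                }

                def sessionUser = session.user
                if (!sessionUser) {
                    redirect(controller: 'authentication', action: 'login')
                    return false
                }

                // Re-read the account from the database on every request instead
                // of trusting the copy cached in the session: an account that was
                // deleted or disabled since login must lose access immediately.
                def freshUser = User.get(sessionUser.id)
                if (!freshUser || !freshUser.enabled) {
                    session.invalidate()
                    redirect(controller: 'authentication', action: 'login')
                    return false
                }

                // Replace the stale session copy and hand the fresh instance to
                // the action, so controllers never need their own lookup.
                session.user = freshUser
                request.user = freshUser
                return true
            }
        }
    }
}
```

Reloading by id rather than calling `refresh()` on the session object also sidesteps the question's other bug: `refresh()` throws if the row has been deleted, whereas `User.get()` returns null and is handled.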
0

I second Spring Security. You are trying to reinvent the wheel here. All this has been done for you and more.

answered 2013-12-27T20:49:15.707