I am trying to use the ACL plugin in my Grails application. Based on the example given in this tutorial, http://grails-plugins.github.com/grails-spring-security-acl/docs/manual/guide/3.%20Tutorial.html, I need to create a Service that will implement the annotations @PreAuthorize, @PostAuthorize, @PreFilter, and @PostFilter.
I wanted to implement this approach in my controllers, instead of creating services. I have tried using the @PreAuthorize at the top of my action, but it returns an error message:
Annotation @org.springframework.security.access.prepost.PreAuthorize is not allowed on element FIELD
Does this mean the @PreAuthorize annotation is not appropriate to call on each action in the controller?
Please help.
Yes, it doesn’t work on controllers, only on services (and other Spring beans). It might work on methods in 2.0 controllers since controllers are Spring beans, but I haven’t tried it.
The problem is that Spring Security knows nothing about closures since they’re a Groovy concept. They’re invoked to handle web requests by Grails, but can’t be intercepted by Spring since it only works with methods.
This is related to the issue of transactional services and closures. You cannot define a closure in a service and have it be transactional since Spring doesn’t see it. Groovy lets you call closures as if they were methods but it’s just syntactic sugar.
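The arrangement the answer describes, sketched as an added example that is not part of the original thread or the plugin's own code: the annotations sit on real service methods, and the closure-based controller action only delegates to them. The `Report` domain class, the `com.example` package, and the controller and service names are hypothetical; the two classes would live in separate files under `grails-app`.

```groovy
import org.springframework.security.access.AccessDeniedException
import org.springframework.security.access.prepost.PostFilter
import org.springframework.security.access.prepost.PreAuthorize

// grails-app/services/ReportService.groovy (hypothetical)
class ReportService {

    static transactional = true

    // A real method: Spring proxies the service bean and evaluates the
    // expression before the body runs.
    @PreAuthorize("hasPermission(#id, 'com.example.Report', read)")
    Report get(Long id) {
        Report.get(id)
    }

    // Entries the caller has no 'read' permission on are removed from
    // the returned list after the method completes.
    @PostFilter("hasPermission(filterObject, read)")
    List<Report> list(Map params) {
        Report.list(params)
    }
}

// grails-app/controllers/ReportController.groovy (hypothetical)
class ReportController {

    def reportService   // injected by name; this is the secured proxy

    // A closure action is a field, not a method, so @PreAuthorize cannot
    // be placed here. The check happens inside the service call instead.
    def show = {
        try {
            def report = reportService.get(params.long('id'))
            if (!report) {
                response.sendError 404
                return
            }
            [report: report]
        } catch (AccessDeniedException e) {
            // The ACL check in the service rejected the current user.
            response.sendError 403
        }
    }

    def list = {
        [reports: reportService.list(params)]
    }
}
```

Because enforcement lives in the service, any controller code that loads `Report` instances directly (for example `Report.get(params.id)`) bypasses the ACL check, so every access path should go through the service methods.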