Home/ Questions/Q 6948919
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T13:53:09+00:00

In Config.groovy I decided to secure all actions that have to do with editing

  • 0

In Config.groovy I decided to secure all actions that have to do with editing content like so:

grails.plugins.springsecurity.interceptUrlMap = [
        '/admin/**' : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],

        '/*/create/**' : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],
        '/*/save/**' : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],
        '/*/update/**' : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],
        '/*/edit/**' : ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'],

        '/contactUs/create/new_message.html' : ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/**':               ['IS_AUTHENTICATED_ANONYMOUSLY']


]

… just wonder if this is sufficient or am I asking for trouble? Or what would be better/proper way of securing all ‘create,save,update,edit’ actions in all controllers?
Thanks in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    just two thoughts…

    • what about deleting objects? I guess with this config, everybody can delete anonymously
    • and that brings me to my second point: you implement security with a black list (what are the controllers and actions which should be not accessible unauthenticated), but you should implement security through a white list (what are the controllers and actions which are accessible unauthenticated). The second aproach would have avoided the ‘delete’ problem.

    PS: I use shiro, so I have no experience with spring security and don’t know how to whitelist controllers and actions.

    • 0