I’ve added the Grails Spring Security plugin to a scaffolded Grails 2.1.1 application. I am setting up user rules so that only a ROLE_ADMIN user may edit, delete, update, or create. I’ve got this working except for delete. For some reason, my ROLE_USER users are still able to delete. Is there anything wrong with my rules below?
import grails.plugins.springsecurity.SecurityConfigType

grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap
grails.plugins.springsecurity.interceptUrlMap = [
    '/person/update/*': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/person/edit/*':   ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/person/delete':   ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/person/create':   ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/county/update/*': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/county/delete':   ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/county/edit/*':   ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/county/create':   ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/course/update/*': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/course/delete':   ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/course/edit/*':   ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/course/create':   ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
    '/':                ['IS_AUTHENTICATED_REMEMBERED'],
    '/**':              ['IS_AUTHENTICATED_ANONYMOUSLY']
]
Thanks!
I talk about this in the docs. See the warning about actionSubmit at http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/5%20Configuring%20Request%20Mappings%20to%20Secure%20URLs.html

As you're seeing, the actionSubmit tag posts to the index action and Grails figures out which action to forward to based on a hidden input, but that's too late for Spring Security. The fix is to use two forms and not use actionSubmit.
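What the two-form fix looks like in a scaffolded view, as an added example that is not part of the question or the answer above. It assumes the scaffolded PersonController from the question (the '/person/delete' rule) and the usual personInstance model variable; the first fragment is the scaffolded pattern that bypasses the URL rule, the second is the replacement. Because interceptUrlMap entries are matched against the request URI before Grails dispatches on the _action_* parameter, the delete button must submit to the delete URL itself.

```html
<%-- Before (scaffolded pattern to avoid): the form has no action attribute, so the
     browser POSTs to the controller's default action (/person/index). Spring Security
     matches that URI only against '/**', which allows anyone; the hidden
     _action_delete field that actionSubmit renders is only read by Grails afterwards. --%>
<g:form>
    <g:hiddenField name="id" value="${personInstance?.id}" />
    <g:actionSubmit class="delete" action="delete"
        value="${message(code: 'default.button.delete.label', default: 'Delete')}" />
</g:form>

<%-- After: one form per state-changing action, each posting to that action's own URL.
     Edit is a plain link; only delete needs a form because it is POST-only. --%>
<g:link class="edit" action="edit" id="${personInstance?.id}">
    <g:message code="default.button.edit.label" default="Edit" />
</g:link>

<%-- The browser now POSTs to /person/delete, which is exactly what the
     '/person/delete' interceptUrlMap entry is evaluated against. The id is sent as a
     hidden field rather than a URL segment, so the URI stays /person/delete and the
     existing rule (which has no trailing wildcard) still matches. --%>
<g:form controller="person" action="delete" method="post">
    <g:hiddenField name="id" value="${personInstance?.id}" />
    <g:submitButton name="delete" class="delete"
        value="${message(code: 'default.button.delete.label', default: 'Delete')}"
        onclick="return confirm('${message(code: 'default.button.delete.confirm.message', default: 'Are you sure?')}');" />
</g:form>
```

Two things to check after making this change: the edit.gsp that scaffolding generates also carries update and delete as two actionSubmit buttons in a single form, so it needs the same split; and if you prefer the id in the URL (action="delete" id="${personInstance?.id}" produces /person/delete/42), the rule has to become '/person/delete/*', or the request will fall through to '/**' again. Confirm the fix by logging in as a ROLE_USER and submitting the delete form; the expected result is an access-denied response rather than a deleted record.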