我已经将Grails Spring Security插件添加到了一个脚手架Grails 2.1.1应用程序中。 我正在设置用户规则,以便只有ROLE_ADMIN用户可以编辑、删除、更新或创建。除了删除之外,我已经工作了。出于某种原因,我的ROLE_USER用户仍然可以删除。我下面的规则有什么问题吗?
grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap
grails.plugins.springsecurity.interceptUrlMap = [
'/person/update/*': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/person/edit/*': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/person/delete': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/person/create': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/county/update/*': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/county/delete': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/county/edit/*': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/county/create': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/course/update/*': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/course/delete': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/course/edit/*': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/course/create': ['ROLE_ADMIN', 'IS_AUTHENTICATED_REMEMBERED'],
'/': ['IS_AUTHENTICATED_REMEMBERED'],
'/**': ['IS_AUTHENTICATED_ANONYMOUSLY']
]
谢谢!
我在文档中谈到了这一点 - 请参阅有关actionSubmit
的警告 http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/5%20Configuring%20Request%20Mappings%20to%20Secure%20URLs.html
当你看到actionSubmit
标签发布到索引操作时,Grails根据隐藏的输入确定要转发到哪个操作,但这对Spring Security来说为时已晚。
解决方法是使用两种形式而不使用actionSubmit
。