Grails with SpringSecurity, check if the current user can access controller / action

Question

I\'m currently developing a menu for my application that should be able to display only the controllers that the current user can access (requestmap defined in the database).

Answer 1

When dealing with permissions in views and taglibs, you can use the AuthorizeTagLib that's provided by the plugin.

For example, if you don't want a menu item to appear in your list for unauthenticated users, you might use:

<g:isLoggedIn>
  <li>Restricted Link</li>
</g:isLoggedIn>

If you have more specific roles defined and those roles are tied to your controller/action request mapping, you can use other tags, such as:

<g:ifAllGranted role="ROLE_ADMINISTRATOR">
  <li>Administrator Link</li>
</g:ifAllGranted>

In my experience, there's not yet a good way to tie the request mapping to your markup - I think you're going to have to use some of the above tags to limit access to content within a particular GSP.

I think that Burt Beckwith has a future modification (and is currently providing a beta version) to the plugin that integrates some ACL stuff that might solve this problem better in the future, but for now, I think the best approach is a hybrid request map + GSP tags one.

Answer 2

Not sure of the situation when this question was originally asked, but now you can check to see if a user is in a specific role by using SpringSecurityUtils.ifAllGranted() which takes a single String which is a comma delimited list of roles. It will return true if the current user belongs to all of them.

if(SpringSecurityUtils.ifAllGranted('ROLE_ADMIN,ROLE_USER')) {

Obviously, you can simply pass one role to the function if that is all you need. SpringSecurityUtils also has methods like ifAnyGranted, ifNotGranted, etc, so it should work for whatever it is you are trying to accomplish.

SpringSecurityUtils is a static API, so you don't need to create a private member named springSecurityUtils or anything like that.

Answer 3

You have to configure the file config/SecurityConfig.groovy (if it does not exists, create it, this overrides the default Security Configuration)

Add this entry:

requestMapString = """\
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /=IS_AUTHENTICATED_REMEMBERED
            /login/auth=IS_AUTHENTICATED_ANONYMOUSLY
            /login/authajax=IS_AUTHENTICATED_ANONYMOUSLY
            /login/authfail=IS_AUTHENTICATED_ANONYMOUSLY 
            /js/**=IS_AUTHENTICATED_ANONYMOUSLY
            /css/**=IS_AUTHENTICATED_ANONYMOUSLY
            /images/**=IS_AUTHENTICATED_ANONYMOUSLY
            /plugins/**=IS_AUTHENTICATED_ANONYMOUSLY
            /**=IS_AUTHENTICATED_REMEMBERED
          """

This is means that you have to log in to enter the site. But all the resources (css, js, images, etc) is accessed without authentification.

If you want specific role only enter specific controller: For example, for UserController:

    /user/**=ROLE_ADMIN
    /role/**=ROLE_ADMIN 

For more information: http://www.grails.org/AcegiSecurity+Plugin+-+Securing+URLs

Regards

Answer 4

To check roles in view : Spring security plugin provides ifAllGranted, ifAnyGranted, ifNoneGranted etc., tags to check roles

For example, to check Admin Role of logged in User :

<sec:ifLoggedIn>
    <sec:ifAllGranted roles="ROLE_ADMIN">
        Admin resource
     </sec:ifAllGranted>
</sec:ifLoggedIn>

(tested in grails-2.2.2 and springSecurityCorePlugin-1.2.7.3)

Answer 5

org.grails.plugins.springsecurity.service.AuthenticateService authenticateService = new org.grails.plugins.springsecurity.service.AuthenticateService()
def isAdmin = authenticateService.ifAllGranted('ROLE_ADMIN')

if(isAdmin) {
   println 'I am Admin'
}

Answer 6

As far as I can tell, there doesn't look like there's an easy way to do it.

You can inject an instance of the grails AuthenticatedVetoableDecisionManager which is a concrete class of spring's AbstractAccessDecisionManager by doing this:

def accessDecisionManager

This has a "decide" method on it that takes 3 parameters

decide(Authentication authentication, Object object, ConfigAttributeDefinition config)

This is probably the method that you'd need to call and pass in the right things to figure out if the user with the auth creds can access that "object" (which looks like it's normally a request/response). Some additional digging around might prove out something workable here.

Short term, it's probably easier to use the ifAnyGranted taglib as another poster mentions.