I’m looking at this combination to develop a rather small app. I’ve followed
this link
to make them work together and while the authentication part works, the authorization doesn’t.
The author of the topic claims SpringSecurity to throw an
AccessDeniedException
when a
@Secured
service method is accessed with no rights. The problem is that no exception is thrown for me.
I have a controller as simple as this:
import grails.plugins.springsecurity.Secured
class WelcomeController {
@Secured(['ROLE_ADMIN']
)
def sayHello = {
return "Hello, ADMIN!"
}
} which is called in Vaadin
View
on
Button.ClickEvent
:
[code]
Notification.show(Grails.get(WelcomeService).sayHello())
[/code]
But each time I login with a user with
“ROLE_USER”
and click the button I get the message displayed instead af an exception.
The only solution so far was to rewrite code like this:
import grails.plugins.springsecurity.Secured
class WelcomeController {
def springSecurityService
@Secured(['ROLE_ADMIN']
)
def sayHello = {
if (!springSecurityService.getPrincipal().getAuthorities().contains(new GrantedAuthorityImpl("ROLE_ADMIN"))){
throw new AccessDeniedException("You are not authorized to do this!")
}
return "Hello, ADMIN!"
}
} and in this case the
AccessDeniedException
is thrown. But injecting springSecurityService in every service and writing this code in every method is embarassing.
Is there a way I can make
@Secured
annotation work the way it should or is there at least a cleaner way to check user authorities?