我正在尝试为grails 3.3.5提供安全插件3.2.1。
以下是我在应用程序groovy中的静态规则
[pattern: '/error', access: ['permitAll']],
[pattern: '/index', access: ['permitAll']],
[pattern: '/index.gsp', access: ['permitAll']],
[pattern: '/shutdown', access: ['permitAll']],
[pattern: '/assets/**', access: ['permitAll']],
[pattern: '/fonts/**', access: ['permitAll']],
[pattern: '/**/js/**', access: ['permitAll']],
[pattern: '/**/css/**', access: ['permitAll']],
[pattern: '/**/images/**', access: ['permitAll']],
[pattern: '/**/favicon.ico', access: ['permitAll']],
[pattern: '/user/**', access: 'ROLE_USER'],
[pattern: '/admin/**', access:['ROLE_ADMIN','isFullyAuthenticated()']],
[pattern: '/inputParam/chipInput/', access: 'isAuthenticated()',httpMethod: 'PUT']
grails.plugin.springsecurity.filterChain.chainMap = [
[pattern: '/assets/**', filters: 'none'],
[pattern: '/**/js/**', filters: 'none'],
[pattern: '/**/css/**', filters: 'none'],
[pattern: '/**/images/**', filters: 'none'],
[pattern: '/**/favicon.ico', filters: 'none']
但它仍然允许用户和/ inputParam / chipInput / page无需登录。我已经在两个控制器中保存了注释@Secured(' ROLE_USER')。我究竟做错了什么?
答案 0 :(得分:0)
在我看来,模式可能不正确和/或访问表达式不正确。尝试将规则更改为:
[pattern: '/inputParam/chipInput', access: ["isAuthenticated() and request.getMethod().equals('PUT')"]
请参阅section on expressions in Grails Spring Security Core docs。