blocks|key|2048851|text|在安全检查之前，querystring会从url中剥离，所以我认为你需要自己显式地做这个检查。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2048852|SecurityExpressionRoot中isFullyAuthenticated()的实现是|offset|length|style|CODE|2048853|public+final+boolean+isFullyAuthenticated()+{
++++return+!trustResolver.isAnonymous(authentication)+&&+!trustResolver.isRememberMe(authentication);
}|code-block|syntax|javascript|2048854|因此，您可以依赖注入authenticationTrustResolver+bean并执行相同的检查，例如|2048855|class+MyController+{
+++def+authenticationTrustResolver
+++def+springSecurityService

+++def+action()+{

++++++if+(params.execution+==+'e*s3'+&&+!isFullyAuthenticated())+{
+++++++++response.sendError+401
+++++++++return
++++++}

++++++...
+++}

+++private+boolean+isFullyAuthenticated()+{
++++++def+authentication+=+springSecurityService.authentication
++++++!authenticationTrustResolver.isAnonymous(authentication)+&&+!authenticationTrustResolver.isRememberMe(authentication)
+++}
}|2048856|entityMap^0|0|0|M|N|M|0|0|A|R|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|T|8|@$D|U|E|V|F|G]|$D|W|E|X|F|G]]|9|@]|A|$]]|$1|H|3|I|5|J|7|Y|8|@]|9|@]|A|$K|L]]|$1|M|3|N|5|6|7|Z|8|@$D|10|E|11|F|G]]|9|@]|A|$]]|$1|O|3|P|5|J|7|12|8|@]|9|@]|A|$K|L]]|$1|Q|3|-4|5|6|7|13|8|@]|9|@]|A|$]]]|R|$]]

The querystring is stripped from the url before security checks, so I think you need to do this check yourself explicitly.

The implementation of <code>isFullyAuthenticated()</code> in <code>SecurityExpressionRoot</code> is

<pre><code>public final boolean isFullyAuthenticated() {
 return !trustResolver.isAnonymous(authentication) &amp;&amp; !trustResolver.isRememberMe(authentication);
}
</code></pre>

so you can dependency-inject the <code>authenticationTrustResolver</code> bean and do the same check, e.g.

<pre><code>class MyController {
 def authenticationTrustResolver
 def springSecurityService

 def action() {

 if (params.execution == 'e*s3' &amp;&amp; !isFullyAuthenticated()) {
 response.sendError 401
 return
 }

 ...
 }

 private boolean isFullyAuthenticated() {
 def authentication = springSecurityService.authentication
 !authenticationTrustResolver.isAnonymous(authentication) &amp;&amp; !authenticationTrustResolver.isRememberMe(authentication)
 }
}
</code></pre>

blocks|key|2101671|text|或者，您可以这样做：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2101672|grails.plugin.springsecurity.interceptUrlMap+=+[
++'/myController/connect':+["(request.getParameter('execute')?:'').matches('%5Ee.*?s3\$')+?+fullyAuthenticated+:+permitAll"]
]|code-block|syntax|javascript|2101673|这个想法是为表达式公开HttpServletRequest，这样我们就可以决定是返回fullyAuthenticated还是permitAll。|2101674|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

Alternatively, you can do something like this:

<pre><code>grails.plugin.springsecurity.interceptUrlMap = [
 '/myController/connect': ["(request.getParameter('execute')?:'').matches('^e.*?s3\$') ? fullyAuthenticated : permitAll"]
]
</code></pre>

The idea is that the HttpServletRequest is exposed for the expression, so we can decide if fullyAuthenticated is returned or permitAll is returned.

blocks|key|5368563|text|难道你不能直接导入这个类并为你的用户添加这个带有匹配角色的注释到你的step的方法中吗？|type|unstyled|depth|inlineStyleRanges|entityRanges|data|5368564|import+grails.plugins.springsecurity.Secured

class+MyClass()+{

++++@Secured(['ROLE_USER'])
++++def+lastStep()+{
++++++++//+do+things
++++}

}|code-block|syntax|javascript|5368565|未通过身份验证的用户将重定向到登录页面|5368566|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

cant you just import this class and add this annotation with the matchin role for your users to be to your step´s method ? 

<pre><code>import grails.plugins.springsecurity.Secured

class MyClass() {

 @Secured(['ROLE_USER'])
 def lastStep() {
 // do things
 }

}
</code></pre>

not authenticated users will be redirected to login page

I'm using Grails 2.2.2, Spring WebFlow 2.0.0 and Spring-Security-Core 2.0-RC2 plugins. I would like to secure the final step in the flow, but have been unable.

<pre><code>grails.plugin.springsecurity.interceptUrlMap = [
 '/myController/connect?execution=e*s3': ["isFullyAuthenticated()"]
]
</code></pre>

When a user attempts to go to the final step of the flow, if they are not fully authenticated I would like to redirect them to the login page. This works fine for other actions in my project, just not the webflows.

I found some documentation suggesting that Spring Web Flows and Spring Security can be used together: <a href="http://docs.spring.io/spring-webflow/docs/2.0.x/reference/html/ch07s04.html" rel="nofollow">http://docs.spring.io/spring-webflow/docs/2.0.x/reference/html/ch07s04.html</a>.

Any ideas? Is this possiblein Grails?

Unable to secure flow step in Grails with Spring Security

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

我使用的是Grails 2.2.2、SpringRC2 2.0.0和WebFlow -Security-Core2.0-RC2插件。我想确保流程中的最后一步，但一直无法完成。grails.plugin.springsecurity.interceptUrlMap = [  '/myController/connect?...

问无法使用Spring Security保护Grails中的流步骤
EN

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问无法使用Spring Security保护Grails中的流步骤EN