grails-spring-security-core
GPSPRINGSECURITYCORE-184: Support mixing url mapping approaches (e.g. annotations + requestmaps)
Original Reporter: burtbeckwith Environment: Not Specified Version: Not Specified Migrated From: http://jira.grails.org/browse/GPSPRINGSECURITYCORE-184
cdeszaq said: In the interest of getting v2 out the door, I would rather see this issue set aside to do later, rather than hold up the release.
abowsher said: For various reasons, we currently need to use the InterceptUrlMap security strategy on one application. The problem is, you can only secure entire controllers, not controller methods.
For example, just create a button with a different name than the form action (i.e. you have multiple submit buttons). The InterceptUrlMap cannot use this information.
So say you have two methods in a controller, one that is supposed to be admin-only (call it 'delete'), and each is tied to a submit button. A malicious user could easily bypass the fact that they don't see the admin-only button by simply changing the name of the button they do see to something like '_action_delete', and they are in.
This is somewhat described in http://grails.org/Spring+Security+FAQ.
Currently, we would either need to do our own checks inside the sensitive methods, or move them to a separate controller which has only admin methods in it (since we could simply secure all urls to that controller).
So it would be nice to either:
- mix modes and annotate such methods
- add something to Spring expressions to allow url-based security to see what the true 'action' is - or at least be able to evaluate request parameters - but I'd rather not try and guess how Spring will map the request. Note that controller interceptors in Grails are able to understand what method is really being called, if we could just plug that mechanism into the url-based security, that would be ideal.
Sorry if I should have posted the latter suggestion as a new request. JIRA is giving me issues, if I go to http://jira.grails.org/browse I get an error. If this is a duplicate, feel free to delete this comment ;-)
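The multi-button bypass described above (renaming a submit button to `_action_delete` so Grails dispatches to an action the URL map never saw) can be closed with the controller-interceptor approach the comment mentions. The following Grails 2.x filter is an added example written for this page; it is not code from the plugin or from the thread participants. It assumes the plugin 2.x package `grails.plugin.springsecurity.SpringSecurityUtils`, a hypothetical `book` controller with `delete` and `save` actions, and that `actionName` inside a filter already reflects the `_action_<name>` override (the behaviour the comment relies on).

```groovy
// grails-app/conf/ActionSecurityFilters.groovy  (Grails 2.x filters DSL; added example)
import grails.plugin.springsecurity.SpringSecurityUtils   // assumption: plugin 2.x package name

class ActionSecurityFilters {

    // Constructed rule table for this example: controller -> (action -> roles that may call it).
    // Anything not listed falls through to the URL-based interceptUrlMap, which still
    // requires the whole controller to be authenticated.
    static final Map<String, Map<String, List<String>>> ACTION_ROLES = [
        book: [
            delete: ['ROLE_ADMIN'],              // admin-only action from the report
            save  : ['ROLE_USER', 'ROLE_ADMIN']  // ordinary form action
        ]
    ]

    def filters = {
        perActionCheck(controller: 'book', action: '*') {
            before = {
                // actionName is the action Grails will really invoke, including the one
                // chosen via a _action_<name> submit-button parameter, so a user who renames
                // the visible button to _action_delete is evaluated against the 'delete' rule.
                List<String> required = ACTION_ROLES[controllerName]?.get(actionName)
                if (required == null) {
                    return true  // no per-action rule; URL map decides
                }
                if (!SpringSecurityUtils.ifAnyGranted(required.join(','))) {
                    response.sendError(403)  // deny before the action body runs
                    return false
                }
                return true
            }
        }
    }
}
```

The check deliberately keys on `actionName` rather than on `request.forwardURI` or the form's `action` attribute: the URL map only ever sees the path the form posted to, which is exactly the value the attacker does not need to change.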