I recently upgraded a project's Grails from 1.0.5 to 1.3.7. The project has the Stark-security plugin (0.4.3) in use and I'd like to replace it with the Spring-security plugin (latest). I understand that Stark-security is somehow based on Spring-security.
How much does Spring-security differ from Stark-security, and how should I approach and resolve the issue?
Stark-security's static authorizations = [...] is used in abundance throughout the system and I just hope I don't need to reimplement the functionality with something completely different.
Stark uses Spring Security 2.0 like the Acegi plugin, and the newer Spring Security Core plugin uses Spring Security 3, so they're all using basically the same libraries under the hood.
There's no concept of a class-level security rule configuration in Spring Security Core but there are multiple approaches to specifying the rules - annotations (the default), a Map in Config.groovy that defines all the rules, and storing rules in the database with Requestmap instances. These are described in section "5 Configuring Request Mappings to Secure URLs" at http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/
For example, here's how I'd convert the example from the Stark plugin docs to use annotations with Spring Security Core:

    import grails.plugins.springsecurity.Secured

    class BookController {

        @Secured(['isAuthenticated()'])
        def index = { Book.list() }

        @Secured(['ROLE_EDITOR'])
        def edit = {
            // Some logic to edit a book
        }
    }

There is one important difference in approach between the two plugins. Stark denies access if there's no rule defined for a URL, so you need to have mappings for everything. This is safer because if you add a new controller and forget to map it, authenticated users can't access it, so it's clear that something's wrong. To enable this behavior in Spring Security Core, just add the line

    grails.plugins.springsecurity.rejectIfNoRule = true

to grails-app/conf/Config.groovy.
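
The Map-based alternative mentioned in the answer, combined with rejectIfNoRule, as an added example that is not part of the original answer. The URL patterns are assumptions based on the BookController above and a default Grails layout; with deny-by-default enabled, the login pages and static resources need explicit rules as well, or unauthenticated users cannot reach the login form.

```groovy
// grails-app/conf/Config.groovy
// Added example: URL patterns below are assumptions, adjust to your app.
import grails.plugins.springsecurity.SecurityConfigType

// Read rules from the static Map below instead of @Secured annotations.
grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap

// Deny any URL that has no matching rule, which is how Stark behaves.
grails.plugins.springsecurity.rejectIfNoRule = true

grails.plugins.springsecurity.interceptUrlMap = [
    // Same rules as the two @Secured annotations on BookController.
    '/book/index/**': ['isAuthenticated()'],
    '/book/edit/**':  ['ROLE_EDITOR'],

    // Must stay reachable without a login once unmapped URLs are rejected.
    '/':          ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/login/**':  ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/js/**':     ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/css/**':    ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY']
]

// Any other URL, including a newly added controller or a BookController
// action not listed above, is rejected until a rule is added for it.
```

When migrating, each controller's Stark `static authorizations` entries can be moved into this one Map and reviewed in a single place.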