I am using Grails v5. I have a controller where I have defaultAction like -
    import grails.plugin.springsecurity.annotation.Secured

    class SecureController {
        static defaultAction = "list"

        @Secured('ROLE_ADMIN')
        def list() {
            render 'Secure access only'
        }
    }
With a non-admin user, when I access the http://localhost:8080/app/secure/list URL, I get an access denied error, as expected. But when I access http://localhost:8080/app/secure, I am able to access the list page. This should give me access denied, because the default action is list, which is not allowed for a non-admin user.
When I modified the code to -
    import grails.plugin.springsecurity.annotation.Secured

    class SecureController {
        @Secured('ROLE_ADMIN')
        def index() {
            redirect action: 'list'
        }

        @Secured('ROLE_ADMIN')
        def list() {
            render 'Secure access only'
        }
    }
then both URLs give me access denied with a non-admin user.
It looks like the Grails Spring Security Core plugin's Secured annotation is not working with defaultAction.
Am I doing something wrong, or is there any other suggestion? Please share. Thank you!
Until the spring-security-core plugin fixes this, you can use an index action to redirect to the list action. This way the functionality works as expected.
    import grails.plugin.springsecurity.annotation.Secured

    class SecureController {
        @Secured('ROLE_ADMIN')
        def index() {
            redirect action: 'list'
        }

        @Secured('ROLE_ADMIN')
        def list() {
            render 'Secure access only'
        }
    }
Now both URLs give me access denied with a non-admin user.
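An added defence-in-depth variant, not code from the question or the answer above: a class-level @Secured applies to every action in the controller, so the request that resolves through defaultAction is checked like any other, and a URL-pattern static rule covers the /secure path before action resolution even happens. The config keys are those of the Grails Spring Security Core plugin; the `/secure/**` pattern and controller name are taken from the URLs in the question.

```groovy
// grails-app/controllers/SecureController.groovy
import grails.plugin.springsecurity.annotation.Secured

// Placing @Secured on the class makes it the rule for every action in the
// controller, including whichever action defaultAction resolves to. Individual
// actions may still carry their own @Secured to tighten the class-level rule.
@Secured('ROLE_ADMIN')
class SecureController {
    static defaultAction = "list"

    def list() {
        render 'Secure access only'
    }
}

// grails-app/conf/application.groovy
// Second layer: a path-based rule is evaluated on the raw request URL, so it
// applies equally to /secure, /secure/ and /secure/list regardless of how the
// controller maps the missing action name. Append this entry to the staticRules
// list that the plugin's generated config already contains (keep its existing
// permitAll entries for '/', '/error', '/assets/**' and so on).
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/',          access: ['permitAll']],
    [pattern: '/error',     access: ['permitAll']],
    [pattern: '/assets/**', access: ['permitAll']],
    [pattern: '/secure/**', access: ['ROLE_ADMIN']]   // covers the default action URL
]
```

Verify the fix the same way the question did: request /app/secure and /app/secure/list as a non-admin user and confirm both return access denied, then repeat as ROLE_ADMIN to confirm both still render.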