
grails - FilterSecurityInterceptor returns _DENY_ when a Grails controller defines a namespace

Reposted. Author: 行者123. Updated: 2023-12-02 14:02:12

My environment

  • grails:2.3.5
  • spring-security-core:2.0-RC2
  • spring-security-ldap:2.0-RC2
  • spring-security-rest:1.2.3

  • My simple API works fine without a namespace, but when I add a namespace to the controller it starts returning 403. I get a 403 even when I pass a valid value for X-Auth-Token.

    AuthorController.groovy

    package bookstore

    import grails.plugin.springsecurity.annotation.Secured
    import grails.rest.RestfulController

    @Secured(['IS_AUTHENTICATED_FULLY'])
    class AuthorController extends RestfulController {

        // Adding this namespace is the change that makes requests return 403
        static namespace = "testing"
        static responseFormats = ['json', 'xml']

        AuthorController() {
            super(Author)
        }
    }

    UrlMappings.groovy
    "/authors"(resources:"author", namespace:"testing")

    Logging

    I turned on logging for the security code and recorded the following with the namespace in place:
    DEBUG context.SecurityContextPersistenceFilter  - SecurityContextHolder now cleared, as request processing completed
    DEBUG util.AntPathRequestMatcher - Request '/authors' matched by universal pattern '/**'
    DEBUG web.FilterChainProxy - /authors at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    DEBUG web.FilterChainProxy - /authors at position 2 of 10 in additional filter chain; firing Filter: 'RestLogoutFilter'
    DEBUG rest.RestLogoutFilter - Actual URI is /authors; endpoint URL is /logout
    DEBUG web.FilterChainProxy - /authors at position 3 of 10 in additional filter chain; firing Filter: 'MutableLogoutFilter'
    DEBUG web.FilterChainProxy - /authors at position 4 of 10 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
    DEBUG rest.RestAuthenticationFilter - Actual URI is /authors; endpoint URL is /login
    DEBUG web.FilterChainProxy - /authors at position 5 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    DEBUG web.FilterChainProxy - /authors at position 6 of 10 in additional filter chain; firing Filter: 'GrailsRememberMeAuthenticationFilter'
    DEBUG web.FilterChainProxy - /authors at position 7 of 10 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter'
    DEBUG web.FilterChainProxy - /authors at position 8 of 10 in additional filter chain; firing Filter: 'RestTokenValidationFilter'
    DEBUG rest.RestTokenValidationFilter - Looking for a token value in the header 'X-Auth-Token'
    DEBUG rest.RestTokenValidationFilter - Token found: xxxxxxxxxxxxxxxxx
    DEBUG rest.RestTokenValidationFilter - Trying to authenticate the token
    DEBUG rest.RestAuthenticationProvider - Trying to validate token xxxxxxxxxxxxxxxxx
    DEBUG storage.MemcachedTokenStorageService - Searching in Memcached for UserDetails of token xxxxxxxxxxxxxxxxx
    DEBUG storage.MemcachedTokenStorageService - UserDetails found: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities:
    DEBUG rest.RestAuthenticationProvider - Authentication result: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: N/A; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities
    DEBUG rest.RestTokenValidationFilter - Token authenticated. Storing the authentication result in the security context
    DEBUG rest.RestTokenValidationFilter - Authentication result: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities:
    DEBUG rendering.DefaultRestAuthenticationTokenJsonRenderer - Generated JSON:
    {
    "username": "username",
    "token": "xxxxxxxxxxxxxxxxx",
    "roles": []
    }
    DEBUG rest.RestTokenValidationFilter - Actual URI is /authors; validate endpoint URL is /validate
    DEBUG rest.RestTokenValidationFilter - Continuing the filter chain
    DEBUG web.FilterChainProxy - /authors at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    DEBUG web.FilterChainProxy - /authors at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /authors; Attributes: [_DENY_]
    DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities:
    in zero or more steps.
    DEBUG access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
    Message: Access is denied
    Line | Method
    ->> 47 | decide in grails.plugin.springsecurity.access.vote.AuthenticatedVetoableDecisionManager
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    | 88 | processFilterChain in com.odobo.grails.plugin.springsecurity.rest.RestTokenValidationFilter
    | 58 | doFilter . . . . . in ''
    | 53 | doFilter in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
    | 108 | doFilter . . . . . in com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationFilter
    | 82 | doFilter in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
    | 66 | doFilter . . . . . in com.odobo.grails.plugin.springsecurity.rest.RestLogoutFilter
    | 82 | doFilter in com.brandseye.cors.CorsFilter
    | 1145 | runWorker . . . . in java.util.concurrent.ThreadPoolExecutor
    | 615 | run in java.util.concurrent.ThreadPoolExecutor$Worker
    ^ 744 | run . . . . . . . in java.lang.Thread
    DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

    Then I looked at the logging with the namespace removed. Everything is the same until I get down to FilterSecurityInterceptor:
    DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /authors; Attributes: [IS_AUTHENTICATED_FULLY]
    DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken@: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@: Dn: XXXXXXX; Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities:
    in zero or more steps.
    DEBUG intercept.FilterSecurityInterceptor - Authorization successful
    DEBUG intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
    DEBUG web.FilterChainProxy - /authors reached end of additional filter chain; proceeding with original chain
    DEBUG access.ExceptionTranslationFilter - Chain processed normally
    DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

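    Can someone explain why I am being denied when my controller has a namespace? I want to try versioning my web service, which requires namespaces. I have been looking at this thing all day and do not seem to be making any progress.

    Thanks in advance.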

    Best answer

    Namespaced controllers are not supported in the plugin yet; see http://jira.grails.org/browse/GPSPRINGSECURITYCORE-246. It will probably be implemented in the 2.0 final release.

    Regarding "grails - FilterSecurityInterceptor returns _DENY_ when a Grails controller defines a namespace", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/21893732/
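
An added example (not part of the original question or answer): a small Python triage script that reads Spring Security debug output like the two traces above and pairs each `Secure object ... Attributes: [...]` line with its outcome, so a rule-lookup failure (`_DENY_` with a validated token) is distinguished from an authentication failure. The sample log is constructed from lines quoted on this page, the function names are hypothetical, and the parser assumes one request's lines are not interleaved with another's.

```python
import re

# Constructed sample, abbreviated from the two debug traces quoted on this page.
SAMPLE_LOG = """\
DEBUG rest.RestTokenValidationFilter - Token authenticated. Storing the authentication result in the security context
DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /authors; Attributes: [_DENY_]
DEBUG access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG rest.RestTokenValidationFilter - Token authenticated. Storing the authentication result in the security context
DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /authors; Attributes: [IS_AUTHENTICATED_FULLY]
DEBUG intercept.FilterSecurityInterceptor - Authorization successful
DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
"""

SECURE_OBJECT = re.compile(
    r"FilterSecurityInterceptor\s+-\s+Secure object: FilterInvocation: "
    r"URL: (?P<url>[^;]+); Attributes: \[(?P<attrs>[^\]]*)\]")


def summarize(log_text):
    """Return one record per request: URL, resolved attributes, token state, outcome."""
    records, token_ok, current = [], False, None
    for line in log_text.splitlines():
        if "RestTokenValidationFilter" in line and "Token authenticated" in line:
            token_ok = True
        m = SECURE_OBJECT.search(line)
        if m:
            attrs = [a.strip() for a in m.group("attrs").split(",") if a.strip()]
            current = {"url": m.group("url"), "attributes": attrs,
                       "token_authenticated": token_ok, "outcome": "unknown"}
            records.append(current)
        elif current and "Authorization successful" in line:
            current["outcome"] = "granted"
        elif current and "ExceptionTranslationFilter" in line and "Access is denied" in line:
            current["outcome"] = "denied"
        elif "SecurityContextHolder now cleared" in line:
            token_ok, current = False, None  # request boundary (assumes no interleaving)
    return records


def rule_resolution_failures(records):
    """Requests denied despite a validated token because the rule resolved to _DENY_."""
    return [r for r in records
            if r["token_authenticated"] and r["outcome"] == "denied"
            and r["attributes"] == ["_DENY_"]]


if __name__ == "__main__":
    for rec in rule_resolution_failures(summarize(SAMPLE_LOG)):
        print("rule lookup failed for", rec["url"])
```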
