search

grails / grails-spring-security-core

Grails Spring Security Core Plugin
Apache License 2.0
260 stars 223 forks source link

Lots of warnings like 'replaced rule for ...' #452

Open azhuchkov opened 7 years ago

azhuchkov commented 7 years ago

I increased verbosity of Grails logs and got lots of warnings like this:

2016-12-06 16:02:30,541 [localhost-startStop-1] WARN  intercept.AnnotationFilterInvocationDefinition  - replaced rule for '/category/addnewcategory' with tokens [IS_AUTHENTICATED_REMEMBERED] with tokens [IS_AUTHENTICATED_REMEMBERED]

Controller method definition:

@Secured('IS_AUTHENTICATED_REMEMBERED')
def addNewCategory(String perfomSend, String category, String comment) {
    ...
}

After some investigation i found that Grails generates 2 class methods for parameterized controller actions. For this case: addNewCategory() and addNewCategory(String,String,String). Both of them are annotated and map to the same InterceptUrl. Apparently during processing collected secure URLs the plugin detects that rule is going to be overridden and warns about that. However it's just double processing for the same controller method.

The following method doesn't cause the problem:

@Secured('IS_AUTHENTICATED_REMEMBERED')
def showMe() {
  ...
}

Environment

Grails: 2.3.11 Spring Security Plugin: 2.0.0 Annotation Type: grails.plugin.springsecurity.annotation.Secured

frozenspider commented 7 years ago

+1, also bumped into that after migrating to Grails 2.5.5 Worked around that by setting log level of grails.plugin.springsecurity.web.access.intercept.AnnotationFilterInvocationDefinition to ERROR

xmas commented 7 years ago

@frozenspider Are you saying that these are ignorable?

frozenspider commented 7 years ago

Yes, seems so, although migration QA is still in progress.

ddelponte commented 7 years ago

This does not appear to be a bug, would you all agree?

frozenspider commented 7 years ago

Personally I think that WARNing user of something of no concern is a bad practice and will likely alert newcomers and inexperienced Grails devs, forcing them to lose time researching the cause and implications. Bug or not, this probably should be changed.

davidkron commented 7 years ago

I discovered this issue in Grails 3.1.x aswell.

I think the Problem has something to do with the way Grails transforms controller actions.

Example:

class MyController {

    @Secured([RoleIdentifier.USER])
    def autocomplete(String query) {
        ...
    }

When I decompile the .class file of this controller, something like this gets produced for this single action:

    @Secured({"ROLE_USER"})
    @DelegatingMethod
    public Object autocomplete(String param1) {
        // $FF: Couldn't be decompiled
    }

    @Secured({"ROLE_USER"})
    @Action(
        commandObjects = {String.class}
    )
    public Object autocomplete() {
        // $FF: Couldn't be decompiled
    }

As grails-spring-security-core uses reflection to find all actions of a controller, it finds the action "autocomplete" a second time, but produces the same URL pattern for both methods, which results in the warning mentioned.

As a fix: could it be sufficient to simply filter out actions, which are annotated with @DelegatingMethod?

vi7Ch commented 6 years ago

@davidkron the issue is still there in grails 3.3.1 , have you find a solution ? thanks

tonyerskine commented 2 years ago

I'm still seeing this in Grails 4.0.10. For now, I'm working around it by setting the log level to ERROR for that package:

In application.yml

logging.level:
  root: WARN
  grails.plugin.springsecurity.web.access.intercept: ERROR
kaymanov-emitter commented 2 years ago

I'm still seeing this in Grails 5.2.3.

I can hide the warnings by changing the log level as suggested above but it doesn't seem to be the best solution. Perhaps this message should be made a DEBUG rather than WARN.

m4rc77 commented 1 year ago

Maybe this information helps someone having this issue ... or helps fixing it ...

I have a controller that looks as follows:

@Secured(['ROLE_sysadmin'])
class AdminController {

    @Secured(['ROLE_sysadmin', 'ROLE_admin'])
    def index() {
        ...
    }

   def someOtherAction() {
      ...
    }
...
}

I got the following warnings with Grails 5.3.2

2023-03-14 15:32:04.852  WARN --- [  restartedMain] a.i.AnnotationFilterInvocationDefinition : Replaced rule for '/admin' and ConfigAttributes [ROLE_sysadmin, ROLE_admin] with ConfigAttributes [ROLE_sysadmin, ROLE_admin]
2023-03-14 15:32:04.855  WARN --- [  restartedMain] a.i.AnnotationFilterInvocationDefinition : Replaced rule for '/admin' and ConfigAttributes [ROLE_sysadmin, ROLE_admin] with ConfigAttributes [ROLE_sysadmin]
2023-03-14 15:32:04.855  WARN --- [  restartedMain] a.i.AnnotationFilterInvocationDefinition : Replaced rule for '/admin.*' and ConfigAttributes [ROLE_sysadmin, ROLE_admin] with ConfigAttributes [ROLE_sysadmin]

just renaming the index() method in the controller to start() removes the warnings!?!? 

@Secured(['ROLE_sysadmin'])
class AdminController {

    @Secured(['ROLE_sysadmin', 'ROLE_admin'])
    def start() {
        ...
    }

   def someOtherAction() {
      ...
    }
...
}

or removing the @Secured(['ROLE_sysadmin', 'ROLE_admin']) annotation and keeping the method name index() also removes the warnings!?!? 

@Secured(['ROLE_sysadmin'])
class AdminController {

    def index() {
        ...
    }

   def someOtherAction() {
      ...
    }
...
}

Not that I understand why this helps, but I was happy that the warnings were gone ...