mehandih / grails-jaxrs

Automatically exported from code.google.com/p/grails-jaxrs

JAX-RS resource not secured with spring security plugin. #65

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hello guys,

I am facing the issue below. I am using Grails 2.0.4, the spring-security-core plugin 
and jax-rs 0.6.

I found "spring-security-core" in loadAfter (JaxrsGrailsPlugin.groovy):
def loadAfter = ['controllers','services','spring-security-core']

But my resources are not secured yet.

I am using @Secured, i.e. annotation-based spring-security.

Code snippet to use spring-security:

Config.groovy:
grails.plugins.springsecurity.securityConfigType = "Annotation"

CategoryCollectionResource.groovy:
import static org.grails.jaxrs.response.Responses.*

import javax.ws.rs.Consumes
import javax.ws.rs.GET
import javax.ws.rs.Produces
import javax.ws.rs.Path
import javax.ws.rs.PathParam
import javax.ws.rs.POST
import javax.ws.rs.core.Response
import grails.plugins.springsecurity.Secured

@Path('/api/category')
@Consumes(['application/json'])
@Produces(['application/json'])
@Secured(['ROLE_ADMIN','ROLE_USER'])
class CategoryCollectionResource {

    @POST
    Response create(Category dto) {
        created dto.save()
    }

    @GET
    Response readAll() {
        ok Category.findAll()
    }

    @Path('/{id}')
    CategoryResource getResource(@PathParam('id') String id) {
        new CategoryResource(id:id)
    }

}

CategoryResource.groovy:
import static org.grails.jaxrs.response.Responses.*

import javax.ws.rs.Consumes
import javax.ws.rs.DELETE
import javax.ws.rs.GET
import javax.ws.rs.Produces
import javax.ws.rs.PUT
import javax.ws.rs.core.Response

import org.grails.jaxrs.provider.DomainObjectNotFoundException
import grails.plugins.springsecurity.Secured

@Secured(['ROLE_ADMIN','ROLE_USER'])
@Consumes(['application/xml','application/json'])
@Produces(['application/xml','application/json'])
class CategoryResource {

    def id

    @GET
    Response read() {
        def obj = Category.get(id)
        if (!obj) {
            throw new DomainObjectNotFoundException(Category.class, id)
        }
        ok obj
    }

    @PUT
    Response update(Category dto) {
        def obj = Category.get(id)
        if (!obj) {
            throw new DomainObjectNotFoundException(Category.class, id)
        }
        obj.properties = dto.properties 
        ok obj
    }

    @DELETE
    void delete() {
        def obj = Category.get(id)
        if (obj) { 
            obj.delete()
        }
    }

}

Controllers are secured but JAX-RS resources are not.

Can anybody help me on this?

Thanks

Original issue reported on code.google.com by vibhuis on 21 Jun 2012 at 10:04

GoogleCodeExporter commented 8 years ago
Attached is the folder structure of my app. 

Original comment by vibhuis on 21 Jun 2012 at 10:08

GoogleCodeExporter commented 8 years ago
@Secured annotations on JAX-RS resource classes are neither supported by the 
grails-jaxrs plugin nor by any of its JAX-RS providers (Jersey, Restlet, ...). 

Original comment by krass...@googlemail.com on 22 Jun 2012 at 4:46

GoogleCodeExporter commented 8 years ago
You'll need to secure the JAX-RS controller and implement access control rules 
as shown in comment 
http://code.google.com/p/grails-jaxrs/issues/detail?id=30#c3. Hope that helps. 

Cheers, Martin

Original comment by krass...@googlemail.com on 22 Jun 2012 at 4:52