Our Grails application uses LDAP authentication without any problems. Now I need to prevent access to the entire application if a user has no specific LDAP role.
I can see the role and use it in my Config.groovy annotations or secure the actions in the controllers, but instead I need a scenario/way to just show a "Denied ..." message and log out (POST Forbidden 403).
// grails-app/conf/RoleGateFilters.groovy (Grails 2 Filters class; the class name is assumed,
// the original snippet only showed the filters closure)
import grails.converters.JSON
import grails.plugin.springsecurity.SpringSecurityUtils
import grails.util.Environment

class RoleGateFilters {

    def springSecurityService

    def filters = {
        loginFilter(controller: 'login', action: 'ajaxSuccessSproutcore') {
            before = {
                // Which roles may use the application depends on the environment
                String allowedRoles
                switch (Environment.current.name) {
                    case { it == 'development' || it == 'hrm' }:
                        allowedRoles = 'ROLE_ADMIN,ROLE_SEA_HRM_LOGIN'
                        break
                    default:
                        allowedRoles = 'ROLE_ADMIN,ROLE_USER'
                        break
                }
                // Authenticated against LDAP but holding none of the accepted roles:
                // send the JSON "denied" body, drop the session and stop the request
                if (springSecurityService.isLoggedIn() && !SpringSecurityUtils.ifAnyGranted(allowedRoles)) {
                    render([msg: ''] as JSON)
                    session.invalidate()
                    return false   // the controller action is never reached
                }
                return true
            }
            after = { Map model -> }
            afterView = { Exception e -> }
        }
    }
}
In Grails 3 you can set up an Interceptor to check every request and take the appropriate action. In your case you'd want to add a check in the before block.
Edit: As Jeff Brown notes in the comments, Grails 2 used Filters rather than Interceptors.
Edit: Something like this in your logout logic:
...
else {
    if (springSecurityService.isLoggedIn()) {
        session.invalidate()
        redirect action: 'youShallNotPass'
        return false
    }
}
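A complete Grails 3 Interceptor that does what the answer describes, as an added example that is not part of the original question or answer. It assumes the class and package names (RoleGateInterceptor, hrm), the role names from the question, and that the login and logout controllers are the only ones a role-less user must still be able to reach; it answers the 403 JSON the question asks for instead of the redirect shown in the answer.

```groovy
package hrm   // package name assumed

import grails.converters.JSON
import grails.plugin.springsecurity.SpringSecurityService
import grails.plugin.springsecurity.SpringSecurityUtils
import grails.util.Environment

// grails-app/controllers/hrm/RoleGateInterceptor.groovy
// Grails 3 interceptors run before every matched action; returning false from
// before() halts the request so the controller action never executes.
class RoleGateInterceptor {

    SpringSecurityService springSecurityService

    RoleGateInterceptor() {
        // Gate the whole application, but leave the login and logout controllers
        // open: an unauthenticated user must still reach the login page and a
        // rejected user must still be able to log out.
        matchAll().excludes(controller: ~/(login|logout)/)
    }

    // Roles accepted by this deployment; the environment names and role names
    // come from the question and are assumed to match the authorities the LDAP
    // plugin maps from group membership (the comparison is an exact string match).
    static String allowedRoles() {
        String env = Environment.current.name
        (env == 'development' || env == 'hrm') ? 'ROLE_ADMIN,ROLE_SEA_HRM_LOGIN'
                                               : 'ROLE_ADMIN,ROLE_USER'
    }

    boolean before() {
        if (!springSecurityService.isLoggedIn()) {
            // Not authenticated yet: let Spring Security's entry point handle it
            return true
        }
        if (SpringSecurityUtils.ifAnyGranted(allowedRoles())) {
            return true
        }
        // Authenticated via LDAP but without any role this application accepts:
        // invalidate the session first so the rejected principal cannot be reused,
        // then answer 403 with the "denied" message and stop the request here.
        session.invalidate()
        response.status = 403
        render([msg: 'Denied: your account has no role for this application'] as JSON)
        return false
    }

    boolean after() { true }
}
```

Because the exclusion is on the controller, not the action, the ajaxSuccessSproutcore success callback on the login controller is also excluded; if the denial must be delivered on that exact callback as in the question's filter, narrow the match to that controller and action instead of matchAll() and keep the rest of the before() body unchanged.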