Common method annotations:

@Secured(['ROLE_ADMIN'])   // only the ROLE_ADMIN role may access this action
def adminAction = { }

@Secured(['IS_AUTHENTICATED_FULLY'])
@Secured(['ROLE_USER', 'IS_AUTHENTICATED_FULLY'])

Passing an expression:

@PreAuthorize('permitAll()')
@PreAuthorize('isFullyAuthenticated()')
@PreAuthorize('isAuthenticated() and principal?.username == #note.author.username')
@PostAuthorize('isAuthenticated() and principal.username == returnObject.author.username')
@PreAuthorize("@securityService.canRemoveNote(#id)")
@PreAuthorize("hasPermission(#id, 'com.mscharhag.Note', 'remove')")

Allow logout by requests other than POST:

grails.plugin.springsecurity.logout.postOnly = false

Specify the password hashing algorithm:

grails.plugin.springsecurity.password.algorithm = 'bcrypt'   // default is bcrypt; SHA-256, pbkdf2 and others are also supported
Inject the service:

def springSecurityService
Get the logged-in user:

def username = springSecurityService?.principal?.username
Get the logged-in user's roles (a collection):

def roles = springSecurityService.getPrincipal().getAuthorities()
// or: springSecurityService.authentication.authorities
// or: springSecurityService?.principal?.authorities
Clear the cached request maps:

springSecurityService.clearCachedRequestmaps()
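The following is an added example, not code from the original post, that ties the annotations above to the injected springSecurityService: a service whose canRemoveNote(id) method is what the expression @securityService.canRemoveNote(#id) calls, a NoteService guarded with @PreAuthorize/@PostAuthorize, and a controller guarded with @Secured. It assumes a Grails application using the spring-security-core plugin together with the spring-security-acl plugin (which is what makes @PreAuthorize/@PostAuthorize work on service beans), a Note domain class with an author property, and a User domain class with a username property; the package name com.mscharhag is taken from the post's hasPermission example, and everything else (class names, action names, the ownership rule) is an assumption for illustration.

```groovy
// Added example; assumes Grails + spring-security-core + spring-security-acl,
// a Note domain class (property: author) and a User domain class (property: username).
// Shown in one block for reading; in a Grails app each class sits in its own file.
package com.mscharhag

import grails.plugin.springsecurity.annotation.Secured
import org.springframework.security.access.prepost.PostAuthorize
import org.springframework.security.access.prepost.PreAuthorize

// Bean referenced as @securityService inside SpEL expressions.
class SecurityService {

    def springSecurityService   // injected by Grails

    // Decision used by @PreAuthorize('@securityService.canRemoveNote(#id)'):
    // the caller may remove a note only if logged in and either the author or ROLE_ADMIN.
    boolean canRemoveNote(Serializable id) {
        if (!springSecurityService.isLoggedIn()) return false
        Note note = Note.get(id)
        if (note == null) return false

        // Roles as plain strings, taken from the authentication's authorities.
        Set<String> roles = springSecurityService.authentication.authorities*.authority as Set
        boolean isAdmin = roles.contains('ROLE_ADMIN')
        boolean isOwner = note.author?.username == springSecurityService.principal?.username
        return isAdmin || isOwner
    }
}

// Service methods guarded by expressions; the method argument is bound as #id.
class NoteService {

    @PreAuthorize('@securityService.canRemoveNote(#id)')
    void removeNote(Long id) {
        Note.get(id)?.delete(flush: true)
    }

    // Runs the method first, then compares the returned Note's author with the
    // principal; on mismatch the caller gets an AccessDeniedException and never
    // sees the object.
    @PostAuthorize('isAuthenticated() and principal.username == returnObject.author.username')
    Note loadNote(Long id) {
        Note.get(id)
    }
}

// Controller level: a static role check with @Secured.
class NoteController {

    def springSecurityService
    def noteService

    @Secured(['ROLE_USER'])
    def index() {
        String username = springSecurityService.principal?.username
        [notes: Note.findAllByAuthor(User.findByUsername(username))]
    }

    @Secured(['ROLE_USER'])
    def show(Long id) {
        [note: noteService.loadNote(id)]   // 403 if the note belongs to someone else
    }

    @Secured(['ROLE_USER'])
    def remove(Long id) {
        noteService.removeNote(id)        // 403 unless canRemoveNote(id) is true
        redirect(action: 'index')
    }
}
```

The split matters: @Secured on the controller only checks roles, while the ownership decision lives in a service method where the expression can see the bound #id and the returnObject. Keeping the rule in SecurityService also means the GSP layer and other services can reuse the same check instead of duplicating the role and author comparison.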
GSP page tags:

<!-- not logged in -->
<sec:ifNotLoggedIn> Log in </sec:ifNotLoggedIn>

<!-- logged in -->
<sec:ifLoggedIn> <sec:username/> </sec:ifLoggedIn>

<!-- all listed roles must match -->
<sec:ifAllGranted roles="ROLE_ADMIN,ROLE_USER"> ... </sec:ifAllGranted>

<!-- any one of the listed roles matches -->
<sec:ifAnyGranted roles='ROLE_ADMIN,ROLE_USER'> ... </sec:ifAnyGranted>

<!-- user does not hold ROLE_USER -->
<sec:ifNotGranted roles="ROLE_USER"> ... </sec:ifNotGranted>

<!-- field of the currently logged-in user -->
<sec:loggedInUserInfo field="username"/>

<!-- evaluate an access expression -->
<sec:access expression="hasRole('ROLE_USER')"> I'm a user. </sec:access>

<!-- check access to a given request URL -->
<sec:access url="/admin/user"> The requestURL is "/admin/user" </sec:access>