I am using grails 2.3.9 with spring-security-core:2.0-RC3 and using staticRules for security.
I have the following security configuration in the Config file:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.mkb.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.mkb.UserRole'
grails.plugin.springsecurity.authority.className = 'com.mkb.Role'
grails.plugin.springsecurity.useSwitchUserFilter = true
grails.plugin.springsecurity.logout.postOnly = false
grails.plugin.springsecurity.adh.errorPage = null
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll'],
'/**/favicon.ico': ['permitAll'],
'/controllerC/**': ['ROLE_USER'],
'/**': ['permitAll']
]
The security configuration works fine.
Now I have the following URL mappings
"/test/controllerA/$action?/$id?(.${format})?"(controller: 'controllerA')
"/test/controllerB/$action?/$id?(.${format})?"(controller: 'controllerB')
I need to set up security for the URLs containing /test/, i.e. users with the ROLE_ABC role can access the URLs myDomain.com/test/controllerA/** and myDomain.com/test/controllerB/**.
I tried
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll'],
'/**/favicon.ico': ['permitAll'],
'/test/**': ['ROLE_ABC'],
'/**': ['permitAll']
]
but this does not work; any user can access the controllers.
How do I define the security?
Note: I cannot use the @Secured annotation. I only need the security in Config.
Solution:
You have to specify the controllers explicitly in the static rules, like this:
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
...
'/controllerA/**': ['ROLE_ABC'],
'/controllerB/**': ['ROLE_ABC'],
....
]
I think that is exactly what you already have for controller C:
'/controllerC/**': ['ROLE_USER'],
See this answer for details. As the doc suggests, this also applies to controllers in plugins, where @Secured cannot be used if the source code is not accessible.
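As an added example (not part of the original question or answer), here is the complete staticRules block for this setup, with the reason the '/test/**' attempt silently failed written as comments. The controller names and the URL mappings come from the question; the description of how rules are matched follows the answer above. The alignment and comments are my own.

```groovy
// grails-app/conf/Config.groovy (example assembled from the question and answer)
//
// UrlMappings.groovy in the question maps
//   "/test/controllerA/$action?/$id?(.${format})?"(controller: 'controllerA')
//   "/test/controllerB/$action?/$id?(.${format})?"(controller: 'controllerB')
// so a request to /test/controllerA/list is handled by controller 'controllerA'.
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':               ['permitAll'],
    '/index':          ['permitAll'],
    '/index.gsp':      ['permitAll'],
    '/**/js/**':       ['permitAll'],
    '/**/css/**':      ['permitAll'],
    '/**/images/**':   ['permitAll'],
    '/**/favicon.ico': ['permitAll'],

    // With controllerAnnotations the rules are keyed by controller name, not by
    // the URL the browser requested. The request /test/controllerA/list is first
    // resolved through UrlMappings to controller 'controllerA' and is then checked
    // against '/controllerA/**'. A '/test/**' rule therefore never matches, and
    // every such request falls through to the '/**' permitAll entry at the bottom,
    // which is why "any user can access the controllers" in the question.
    '/controllerA/**': ['ROLE_ABC'],
    '/controllerB/**': ['ROLE_ABC'],
    '/controllerC/**': ['ROLE_USER'],

    // Catch-all stays last, as in the original config: it is what every request
    // that matched nothing above ends up with, so a mistyped rule fails open.
    '/**':             ['permitAll']
]
```

A quick check after changing this: log in as a user without ROLE_ABC, request /test/controllerA/list, and confirm you are redirected to the login or access-denied page rather than seeing the action; if the page still renders, the rule key does not match the controller name Grails resolved.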