
Spring Security Core staticRules for multitenant app?

Spring Security Core staticRules for multitenant app?

wwwclaes
Hi, I have a multitenant app implemented with the hibernate-filter plugin. Users can upload files such as avatars and documents and I want to make sure these uploaded files are isolated to each tenant.

My current workaround is ugly...

controllerAnnotations.staticRules = [
  '/files/tenantX/**': ["(isAuthenticated() and principal.orgAlias == 'tenantX') or hasRole('ROLE_ADMIN')"],
  '/files/tenantY/**': ["(isAuthenticated() and principal.orgAlias == 'tenantY') or hasRole('ROLE_ADMIN')"],
  ... // Many more
]

...and I want to get rid of it. I have researched some and would like to get opinions on what might work best before I proceed. Either I protect them using a controller...

http://grails.1312388.n4.nabble.com/Problem-serving-files-through-grails-controller-td1386393.html

...or I protect them using a javax.servlet.Filter...

http://burtbeckwith.com/blog/?p=521

...or preferably there is a solution more tightly coupled with the Spring Security Core plugin?

I have also looked at tweaking the resources plugin but as far as I can see that plugin isn't meant to serve semi-static content such as files uploaded by users.

/Claes
RE: Spring Security Core staticRules for multitenant app?

wwwclaes
Just to follow up on my own question, I hadn't realized that staticRules with SpEL can consist of much more than just the security-related functions. So this...

controllerAnnotations.staticRules = [
  '/files/**': ["isAuthenticated() and (request.getServletPath() matches '^/files/' + principal.orgAlias + '.*') or hasRole('ROLE_ADMIN')"]
]

...has replaced my ugly workaround for keeping uploaded files isolated to each tenant.

/Claes
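An added illustration, not code from the post or the plugin: the single SpEL rule above, re-evaluated as plain Groovy with java.util.regex, next to a stricter form that quotes the alias and requires a '/' right after it, so a user whose orgAlias is tenantX no longer matches paths under /files/tenantXY/. The alias values and request paths are constructed for the example.

```groovy
import java.util.regex.Pattern

// The regex the staticRule builds: '^/files/' + principal.orgAlias + '.*'
// Groovy's ==~ is a full match, as SpEL's 'matches' is.
boolean originalRule(String servletPath, String orgAlias) {
    servletPath ==~ ('^/files/' + orgAlias + '.*')
}

// Stricter form: the alias is a literal (Pattern.quote), a '/' must follow it,
// and a '..' segment is refused as defence in depth, whatever the container does.
boolean hardenedRule(String servletPath, String orgAlias) {
    if (servletPath.tokenize('/').contains('..')) return false
    servletPath ==~ ('^/files/' + Pattern.quote(orgAlias) + '/.*')
}

// Constructed cases: own tenant, a prefix-colliding tenant, and a foreign tenant.
assert originalRule('/files/tenantX/avatar.png', 'tenantX')
assert hardenedRule('/files/tenantX/avatar.png', 'tenantX')

assert originalRule('/files/tenantXY/report.pdf', 'tenantX')   // leaks across tenants
assert !hardenedRule('/files/tenantXY/report.pdf', 'tenantX')

assert !originalRule('/files/tenantY/report.pdf', 'tenantX')
assert !hardenedRule('/files/tenantY/report.pdf', 'tenantX')

assert !hardenedRule('/files/tenantX/../tenantY/report.pdf', 'tenantX')
println 'all tenant-path checks passed'
```

In the staticRule itself the same tightening is `request.getServletPath() matches '^/files/' + principal.orgAlias + '/.*'`, provided orgAlias values are restricted to characters with no regex meaning.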


From: [hidden email]
To: [hidden email]
Date: Fri, 9 Dec 2011 09:11:34 +0100
Subject: [grails-user] Spring Security Core staticRules for multitenant app?