spring - Grails-Spring Security插件-添加 'ROLE_NO_ROLES'后用户拥有 'ROLE_ADMIN'

我正在使用Grails开发Web应用程序，并且正在尝试使用Admin Interface Plugin。为了进行测试，我使用以下代码行从BootStrap.groovy创建了一个管理员用户:

def init = { servletContext ->
    def adminUser = User.findByUsername("episo_admin_root")
        if(!adminUser){
            print "Creating admin user... "
            adminUser = new User(username: username, emailAddress: emailAddress, password: password, birthDate: new Date(1, 1, 1),
                    sex: Sex.AGENDER, enabled: true, accountConfirmed: true, accountCreationDate: new Date())
            adminUser.save(flush: true, failOnError: true)
            def auth = adminUser.addAuthority(Roles.ROLE_ADMIN)
            auth.save(flush: true, failOnError: true)
        }
}

我还添加了以下语句来检查用户是否获得了该角色:
if(adminUser.authorities.any { it.authority == Roles.ROLE_ADMIN }) println "Admin role added."
此检查通过，并且“添加了管理员角色”。打印到控制台。
这是我对Spring Security的配置:

grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.fii.rejectPublicInvocations = false
grails.plugin.springsecurity.interceptUrlMap = [
                '/':                      ['permitAll'],
                '/home':                  ['permitAll'],
                '/home.gsp':              ['permitAll'],
                '/assets/**':             ['permitAll'],
                ...
                ...
                '/**/js/**':              ['permitAll'],
                '/**/css/**':             ['permitAll'],
                '/**/images/**':          ['permitAll'],
                '/**/favicon.ico':        ['permitAll'],
                '/admin/**':              ['ROLE_ADMIN']
        ]

这是我对管理界面插件的配置:

grails.plugin.admin.accessRoot = "/admin"
grails.plugin.admin.domains."Users" = [ "mypackage.User" ]
grails.plugin.admin.domains."My Groups" = [ "mypackage.Group" ]
grails.plugin.admin.domains."Security Groups" = [ 'mypackage.Authority', 'mypackage.UserAuthority' ]
grails.plugin.springsecurity.active = true
grails.plugin.springsecurity.useBasicAuth = true
grails.plugin.admin.security.role = "ROLE_ADMIN"

但是，当我以新的管理员用户身份登录并导航到“/ admin”时，我得到了Apache Tomcat的“HTTP状态403-访问被拒绝”页面，并且以下调试信息记录到了控制台:

Secure object: FilterInvocation: URL: /admin; Attributes: [ROLE_ADMIN]
Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@5ff53bc5: Principal: grails.plugin.springsecurity.userdetails.GrailsUser@d7469d37: Username: [PROTECTED]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: [PROTECTED]; SessionId: null; Granted Authorities: ROLE_NO_ROLES

如果您在该调试信息上横向滚动，则会看到Spring Security将“授权机构”视为ROLE_NO_ROLES。

向用户添加角色时，我做错什么了吗？为什么Spring Security无法看到我已授予该用户ROLE_ADMIN？

我花了几个小时尝试调试它，但我不明白我的代码有什么问题。

最佳答案

我想到了;我从配置文件中删除了以下行，这解决了我的问题:

grails.plugin.springsecurity.useRoleGroups = true