Spring Security Core Plugin

when using url with '.xml' security is bypassed

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Critical Critical
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: Grails-Spring-Security-Core 2.0
  • Labels:
    None
  • Environment:
    Grails 2.0.0

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Simone added a comment -

complete application with problem

Show
Simone added a comment - complete application with problem
Hide
Permalink
Simone added a comment -

Any news about this bug ?

Show
Simone added a comment - Any news about this bug ?
Hide
Permalink
Simone added a comment -

No news ?

Show
Simone added a comment - No news ?
Hide
Permalink
Alexandre Michetti Manduca added a comment - - edited

I have the same issue... My code is something like this:

 
@Secured(['SOME_ROLE'])
def list() {
  ...
  withFormat {
    html {
      ...
    }
    json {
      ...
    }
  }
}

Trying to access .../<controller>/list redirects me to the login page, but I'm not redirected accessing .../<controller>/list.json

I'm using:
Grails 2.0.4
Spring Security Core 1.2.7.3

Show
Alexandre Michetti Manduca added a comment - - edited I have the same issue... My code is something like this: @Secured(['SOME_ROLE']) def list() { ... withFormat { html { ... } json { ... } } } Trying to access .../<controller>/list redirects me to the login page, but I'm not redirected accessing .../<controller>/list.json I'm using: Grails 2.0.4 Spring Security Core 1.2.7.3
Hide
Permalink
Germán Sancho added a comment -

Hello,

Same problem here. Even though this can be bypassed by setting grails.mime.file.extensions = false in Config.groovy (see http://stackoverflow.com/a/8592479), this is a severe problem that should be corrected. It should be at least clearly explained in the plugin documentation.

I just realized that all the parts of my application that (I thought) were secured this way were in fact exposed to anybody adding a '.xml' at the end of the URL. Including such delicate things as the /console URL of the cosole plugin...

Show
Germán Sancho added a comment - Hello, Same problem here. Even though this can be bypassed by setting grails.mime.file.extensions = false in Config.groovy (see http://stackoverflow.com/a/8592479 ), this is a severe problem that should be corrected. It should be at least clearly explained in the plugin documentation. I just realized that all the parts of my application that (I thought) were secured this way were in fact exposed to anybody adding a '.xml' at the end of the URL. Including such delicate things as the /console URL of the cosole plugin...

People

  • Assignee:
    Burt Beckwith
    Reporter:
    Simone
Vote (4)
Watch (5)

Dates

  • Created:
    Updated:
    Resolved: