@Secured('permitAll') in Grails
In Grails, the @Secured annotation is used for method-level security, and @Secured('permitAll') specifically means that the method or controller action is accessible to everyone, including unauthenticated users. This annotation is part of Spring Security in Grails applications.
Why Use @Secured('permitAll')?
-
Allow Public Access
- It ensures that certain actions (e.g., login, registration, home page) are accessible without authentication.
-
Override Global Security Rules
- If a controller or service is secured globally (e.g., only authenticated users can access it), you can override it for specific methods using
permitAll.
- If a controller or service is secured globally (e.g., only authenticated users can access it), you can override it for specific methods using
-
Explicit Security Declaration
- It makes security policies clear in the codebase by explicitly stating which methods are accessible to all users.
import grails.plugin.springsecurity.annotation.Secured
class PublicController {
@Secured('permitAll')
def home() {
render "Welcome to the public page!"
}
@Secured(['ROLE_USER', 'ROLE_ADMIN'])
def dashboard() {
render "Only logged-in users can see this!"
}
}
Alternative Approach:
Instead of using @Secured('permitAll'), you can also configure security in grails-app/conf/application.groovy:
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
[pattern: '/', access: ['permitAll']],
[pattern: '/public/**', access: ['permitAll']]
]