Description
Reference: #506
I am running Grails 3.3.2 with org.grails.plugins:spring-security-core:3.2.0
I have an "Admin" view/controller which I had previously secured to allow only members of an "ops" group (Admins) to access. Prior to my upgrade from Grails 2.5.1 to Grails 3.3.2, my `<sec:access controller="admin">` tag would not render the specific tags if the logged-in user was a member of the required group.
After my Grails 3.3.2 upgrade with the specified Grails plugin for Spring Security Core, my sec:access tags are still rendering the links despite the logged-in user not belonging to the appropriate group. But if the user clicks on the link, they do get a security exception.
It appears that the URLs being evaluated for sec:access and for access are different and are causing the problem. See the attached log entries.
My problematic user belongs to a "document processing" group, not an "ops" (Admin) group. My intercept map has the following:
```groovy
grails.plugin.springsecurity.interceptUrlMap = [
    ...
    [pattern: '/admin/**', access: ['ROLE_GRP_RSD_OPS_SUPPORT']],
    ...
    [pattern: '/**',       access: ['ROLE_GRP_RSD_APP_USERS']]
]
```
Members of the OPS SUPPORT group should have access to the Admin functions. All others should not.
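The report above hinges on which URL gets matched against the ordered intercept map. The following is an added, stand-alone Groovy script (not code from the reporter or from the spring-security-core plugin) that simulates the first-match rule Spring Security applies to an ordered `interceptUrlMap`: the first pattern that matches the request URL decides the required roles and later entries are never consulted. The `antToRegex`, `requiredRoles` and `allowed` helpers are hypothetical names written for this example, the Ant-pattern conversion is a simplification of Spring's `AntPathMatcher`, and the user role sets are constructed on the assumption that every application user (including the "document processing" user) carries `ROLE_GRP_RSD_APP_USERS`. The elided `...` entries of the original map are left out.

```groovy
import java.util.regex.Pattern

// Hypothetical helper: convert an Ant-style URL pattern into a regex.
// '/**' matches the segment itself and anything below it, '**' matches across
// segments, '*' matches within one segment. Simplified from AntPathMatcher.
def antToRegex(String ant) {
    def sb = new StringBuilder('^')
    int i = 0
    while (i < ant.length()) {
        if (ant.startsWith('/**', i)) {
            sb.append('(/.*)?'); i += 3
        } else if (ant.startsWith('**', i)) {
            sb.append('.*'); i += 2
        } else if (ant[i] == '*') {
            sb.append('[^/]*'); i += 1
        } else {
            sb.append(Pattern.quote(ant[i])); i += 1
        }
    }
    Pattern.compile(sb.append('$').toString())
}

// First match wins: the 'access' list of the first matching pattern, or null if
// no pattern matches (an unmatched URL is left unprotected by the map).
def requiredRoles(List<Map> interceptUrlMap, String url) {
    def hit = interceptUrlMap.find { antToRegex(it.pattern).matcher(url).matches() }
    hit?.access
}

// A user is allowed when the URL is covered and the user holds any required role.
def allowed(List<Map> interceptUrlMap, String url, Collection<String> userRoles) {
    def required = requiredRoles(interceptUrlMap, url)
    required != null && required.any { it in userRoles }
}

// Constructed input: the two entries quoted in the issue, in the order given there.
def interceptUrlMap = [
    [pattern: '/admin/**', access: ['ROLE_GRP_RSD_OPS_SUPPORT']],
    [pattern: '/**',       access: ['ROLE_GRP_RSD_APP_USERS']],
]
// Constructed role sets (assumption: all app users hold ROLE_GRP_RSD_APP_USERS).
def opsUser = ['ROLE_GRP_RSD_APP_USERS', 'ROLE_GRP_RSD_OPS_SUPPORT']
def docUser = ['ROLE_GRP_RSD_APP_USERS']   // the "document processing" user

// With '/admin/**' ahead of '/**' the map behaves as the reporter expects.
assert allowed(interceptUrlMap, '/admin/index', opsUser)
assert !allowed(interceptUrlMap, '/admin/index', docUser)
assert allowed(interceptUrlMap, '/document/list', docUser)

// '/admin' (no action) and '/admin/index' resolve to the same rule, so a tag that
// evaluates either form should reach the same decision as the filter.
assert requiredRoles(interceptUrlMap, '/admin') == requiredRoles(interceptUrlMap, '/admin/index')
// Ant '/admin/**' does not bleed into sibling controllers such as '/administrator'.
assert requiredRoles(interceptUrlMap, '/administrator/index') == ['ROLE_GRP_RSD_APP_USERS']

// Caveat: the same entries with the catch-all first. '/**' now matches
// '/admin/index' before the admin rule is consulted and the restriction is lost.
def reversed = interceptUrlMap.reverse()
assert requiredRoles(reversed, '/admin/index') == ['ROLE_GRP_RSD_APP_USERS']
assert allowed(reversed, '/admin/index', docUser)

println 'intercept map checks passed'
```

The practical check this suggests when a `sec:access` tag and the request filter disagree is to log the exact URL each side evaluates and run both through the map in order; if the tag is testing a URL that the catch-all entry matches first (or that no entry matches at all), it will render the link even though the filter later denies the request.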