Security

The GrailsDataTables plugin provides a convenient way of displaying data from your domain objects in a table. If you use either of the options that allow the table to obtain data from the server via AJAX, namely serverSide or serverDataLoad, the table will do just that; it will make a request or requests to the server in order to obtain the data from the domain objects you have specified within the dt:datatable tag in your GSP. The plugin includes a controller that serves table data in response to such requests.

Is it possible for the plugin controller to serve data beyond what is specified in the GSP?

No. The plugin stores the details of the table in the session using the table name as the key. This table definition is used to build a Hibernate query in order to query the database. Therefore, the only data that the controller will serve is what has been specified in the table definition (via the dt:datatable and dt:column tags). Secondly, the table definition is only available to the session owner. This means that it is not possible for a client to obtain data for a table that was defined in another session.

How can I secure parts of a table using Spring Security Core?

The same way as you would secure any other part of your GSP. The following example shows how you can use the Spring Security Core plugin to restrict access to a column in your table.

<dt:datatable name="MyTable" domainClass="this.is.my.DomainClass" serverDataLoad="true">
    <dt:column name="myFirstProperty"/>
    <sec:ifAnyGranted roles='SPECIAL_ROLE'>
        <dt:column name="mySecondProperty"/>
    </sec:ifAnyGranted>
</dt:datatable>

Back to Home.