Grails: How To Secure Your Application Using Spring Security Core
Any web-based application must have a mechanism for authenticating users and authorising them to do their defined activities in the system. One can take the traditional approach with a login form; it works as a start. But on today's Internet a classic username/password pair is not always available, as many people prefer to use a single OpenID, Twitter or Facebook account to access their data across different web sites. Also, in corporate environments authentication and authorisation are usually done against an LDAP directory.
This is where the Spring Security family comes into play: it lets you connect to a wide range of data sources and obtain access information from them instead of storing it yourself.
At the heart of Spring Security lies Spring Security Core and as usual there's a Grails plugin for that! Let's see how we can use it.
NOTE: This tutorial has been updated to work with Grails 2.3.0 and Spring Security Core 184.108.40.206. Thanks to all readers for their feedback.
Create the Project
Before starting off, obviously, we have to create a new experimental project. We'll call it secureapp. Run grails create-app secureapp to create it.
Configure Spring Security Core
First of all, we have to install the Spring Security Core plugin into our project. Edit secureapp/grails-app/conf/BuildConfig.groovy and modify the plugins section as below:
Then run grails compile (optionally preceded by grails clean) while in the project's directory to have the plugin installed.
The next step is to have Spring Security Core create the required models and controllers for us. Drop into the Grails shell (just type grails in the project's directory) and run s2-quickstart to get it done.
The script created three domain classes in domain/com/bahmanm/secureapp/: SecAppUser and SecAppRole, which obviously stand for the user and role entities respectively, and SecAppUserSecAppRole, which is the many-to-many relationship between them (it is implemented this way instead of with GORM's standard many-to-many feature for performance reasons). Also, in controllers/ it created LoginController and LogoutController, which along with views/login/auth.gsp and views/login/denied.gsp form our project's login/logout pages.
Now, before moving any further, we should first take care of some funny behaviour (bug?). Open conf/Config.groovy. At the end of the file you will see three lines holding the Spring Security configuration:
Now for some reason, unknown to me, if you leave those lines at the end, Grails will keep popping up 500 Internal Server Error - The specified user domain class 'Person' is not a domain class in your face! The solution is simple: move those lines above the Log4j configuration lines so that the configuration file looks like below (pay attention to lines 12-15):
At this step Spring Security Core is configured properly; just one minor point: since we're using the in-memory database right now, we have to create the users/roles each time we run the application (this is not an issue if you use a persistent database like PostgreSQL). Edit conf/BootStrap.groovy to tell Grails about our sample users/roles.
Something to "Secure"
Now let's create a controller and secure it using the foundations we just laid: grails create-controller com.bahmanm.secureapp.SensitiveContentController. Edit the file and make it render something very trivial for now:
Now if you run the application (grails run-app) and browse to http://localhost:8080/secureapp/sensitiveContent/index you will be redirected to the login page (username and password are both "admin").
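Here is one way to fill in the two files mentioned above, BootStrap.groovy and the controller. This is an added example, not the post's own code; it assumes the class names s2-quickstart generated for this project (SecAppUser, SecAppRole and SecAppUserSecAppRole, with the create()/get() helpers the script puts in the join class), a ROLE_ADMIN authority, and the plugin's 2.x annotation package grails.plugin.springsecurity.annotation.Secured (1.x used grails.plugins.springsecurity.Secured).

```groovy
// grails-app/conf/BootStrap.groovy (added example, assumes s2-quickstart class names)
import com.bahmanm.secureapp.SecAppRole
import com.bahmanm.secureapp.SecAppUser
import com.bahmanm.secureapp.SecAppUserSecAppRole

class BootStrap {

    def init = { servletContext ->
        // The in-memory database is empty on every start, but guard anyway so a
        // persistent database (e.g. PostgreSQL) does not end up with duplicate rows.
        def adminRole = SecAppRole.findByAuthority('ROLE_ADMIN') ?:
            new SecAppRole(authority: 'ROLE_ADMIN').save(flush: true, failOnError: true)

        def admin = SecAppUser.findByUsername('admin')
        if (!admin) {
            // The generated SecAppUser hashes the password in beforeInsert() through
            // springSecurityService, so the plain text "admin" is never stored.
            admin = new SecAppUser(username: 'admin', password: 'admin')
                .save(flush: true, failOnError: true)
        }

        // Link user and role through the generated join class (no GORM hasMany).
        if (!SecAppUserSecAppRole.get(admin.id, adminRole.id)) {
            SecAppUserSecAppRole.create(admin, adminRole, true)
        }
    }

    def destroy = { }
}

// grails-app/controllers/com/bahmanm/secureapp/SensitiveContentController.groovy
package com.bahmanm.secureapp

import grails.plugin.springsecurity.annotation.Secured

// Class-level rule: every action in this controller requires ROLE_ADMIN.
// Anonymous requests are redirected to /login/auth; an authenticated user
// lacking the role gets /login/denied instead of the content.
@Secured(['ROLE_ADMIN'])
class SensitiveContentController {

    def index() {
        render 'Sensitive content: only ROLE_ADMIN can see this.'
    }
}
```

With the default securityConfigType (Annotation) nothing else needs to be declared; a controller without a @Secured annotation stays open, so the deny-by-default check is that every controller holding sensitive data carries one.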
Following the few simple steps in this article, you can secure your Grails application with the battle-hardened and proven Spring Security Core.
The Spring Security Core plugin has a very comprehensive set of documentation, which proved very handy to me.