Last updated by burtbeckwith 5 years ago

Person

A 'User' class to represent a user in the application. This class can be called whatever you want, and can be an existing domain class as long as the required security attributes are added.

If you want to use an existing domain class, it just has to have properties for username, password, and enabled. As with the name of the class, the names of the properties can be whatever you want - they're specified in SecurityConfig.groovy.

The class also must have a many-to-many relationship with your Role class.

Authority

A 'Role' class to represent a role/permission in the application, used to restrict urls to users who have been assigned the required access rights.

If you want to use an existing domain class, it just has to have properties for name and description. As with the name of the class, the names of the properties can be whatever you want - they're specified in SecurityConfig.groovy.

The class also must have a many-to-many relationship with your User class.
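What the three domain classes can look like in GORM, as an added example that is not the plugin's generated code. The class and property names (User, Role, Requestmap, authorities, people) are assumptions for illustration and must match whatever you configure in SecurityConfig.groovy; the Requestmap class is included here because the section below relies on its url and configAttribute properties:

```groovy
// grails-app/domain/User.groovy  (the "Person" class; name it as you like)
class User {
    String username
    String password      // store the plugin's encoded hash here, never the clear-text password
    boolean enabled

    // owning side of the many-to-many with Role
    static belongsTo = Role
    static hasMany = [authorities: Role]

    static constraints = {
        username blank: false, unique: true
        password blank: false
    }

    // keep the password hash out of logs and debug output
    String toString() { username }
}

// grails-app/domain/Role.groovy  (the "Authority" class)
class Role {
    String name          // e.g. ROLE_ADMIN; must match the names used in configAttribute values
    String description

    static hasMany = [people: User]

    static constraints = {
        // Spring Security's RoleVoter only votes on attributes with the ROLE_ prefix;
        // a role named "ADMIN" would never grant or deny anything, so enforce the prefix here
        name blank: false, unique: true, matches: /ROLE_[A-Z0-9_]+/
        description blank: false
    }

    String toString() { name }
}

// grails-app/domain/Requestmap.groovy
class Requestmap {
    String url              // Ant-style pattern, e.g. /book/create/**
    String configAttribute  // comma-separated role names and/or IS_AUTHENTICATED_* values

    static constraints = {
        url blank: false, unique: true
        configAttribute blank: false
    }
}
```

Each class belongs in its own file under grails-app/domain; they are shown together only for readability. The `matches` constraint on Role.name is a deliberate guard: a role whose name lacks the ROLE_ prefix is silently ignored by the default RoleVoter, which is easy to miss when roles are created through CRUD pages.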

Requestmap

Optionally used to store the filterInvocationInterceptor's objectDefinitionSource entries in the database instead of defining them statically in SecurityConfig. Typically in Spring Security you specify which roles are applied to which urls in a text block similar to this:

CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/hello.htm=ROLE_ANONYMOUS,ROLE_USER
/logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
/login.jsp*=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER

You can use this approach with the Spring Security plugin - the 'requestMapString' attribute in SecurityConfig.groovy contains this text block. Patterns are matched in the order listed and the first match wins, so put the most specific patterns first and the catch-all /** last.

An alternate approach uses the Requestmap domain class, which allows you to store these rules in the database. This has the advantage of being configurable at runtime; you can add, remove and edit rules without restarting your application.

This flexibility comes with a cost however - each page request triggers a database query to determine if the page is secured and which roles (if any) apply. Using the traditional static string approach doesn't have this cost - the rules are kept in-memory.

You can create map entries at runtime using the Requestmap CRUD pages, and also create initial map entries programmatically at application start in BootStrap.groovy, e.g.:

new Requestmap(url:"/**",configAttribute:"IS_AUTHENTICATED_ANONYMOUSLY").save()
new Requestmap(url:"/login/**",configAttribute:"IS_AUTHENTICATED_ANONYMOUSLY").save()
new Requestmap(url:"/book/**",configAttribute:"IS_AUTHENTICATED_REMEMBERED").save()
new Requestmap(url:"/book/create/**",configAttribute:"ROLE_SUPERVISOR,ROLE_ADMIN").save()

The 'configAttribute' value is a comma-separated list of Role names and/or AuthenticatedVoter values:
  • IS_AUTHENTICATED_FULLY - authenticated with credentials during this session (neither remember-me nor anonymous)
  • IS_AUTHENTICATED_REMEMBERED - fully authenticated or remember-me authenticated
  • IS_AUTHENTICATED_ANONYMOUSLY - fully, remember-me, or anonymously authenticated (i.e. everyone)
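A fuller version of the BootStrap.groovy snippet above, as an added example rather than the plugin's own code. It assumes a Requestmap class with url and configAttribute properties as described on this page; the URL patterns are constructed for illustration. Unlike the bare `.save()` calls, it is idempotent across restarts and fails fast when a rule cannot be saved, because a rule that silently fails validation leaves its URL covered only by a broader pattern such as /**, i.e. less protected than intended:

```groovy
// grails-app/conf/BootStrap.groovy
class BootStrap {

    // Constructed rule set; adjust to your application. /** is listed last, matching the
    // convention of the static requestMapString form where the first match wins.
    static final Map<String, String> INITIAL_RULES = [
        '/login/**'      : 'IS_AUTHENTICATED_ANONYMOUSLY',
        '/book/create/**': 'ROLE_SUPERVISOR,ROLE_ADMIN',
        '/book/**'       : 'IS_AUTHENTICATED_REMEMBERED',
        '/admin/**'      : 'ROLE_ADMIN',
        '/**'            : 'IS_AUTHENTICATED_ANONYMOUSLY'
    ]

    def init = { servletContext ->
        INITIAL_RULES.each { url, configAttribute ->
            createRequestmapIfMissing(url, configAttribute)
        }
    }

    def destroy = { }

    // Idempotent: safe to run on every startup without creating duplicate rows
    void createRequestmapIfMissing(String url, String configAttribute) {
        if (Requestmap.findByUrl(url)) {
            return
        }
        def rule = new Requestmap(url: url, configAttribute: configAttribute)
        // save() returns null on a validation failure; ignoring that would leave the URL
        // covered only by a broader rule such as /**, so abort startup instead
        if (!rule.save(flush: true)) {
            throw new IllegalStateException(
                "Could not create Requestmap for ${url}: ${rule.errors.allErrors}")
        }
    }
}
```

Whether the plugin resolves database-stored rules by pattern specificity or by the order they were inserted depends on the plugin version, so after bootstrapping verify the overlap explicitly: request /book/create as a remember-me user who holds neither ROLE_SUPERVISOR nor ROLE_ADMIN and confirm access is denied rather than granted by the broader /book/** rule. Also make sure some rule always matches; a URL that matches no Requestmap entry yields no configuration attributes and is not protected by the interceptor at all.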