Last updated by pledbrook 4 years ago

Version 0.4

  • Applications now start up without error, even if there are no realms (GRAILSPLUGINS-1169).
  • Support for WildcardPermission is now built in.
  • The permission() method in the access control DSL can take a string representing a wildcard permission.
  • Permission GSP tags now accept a string for the permission, not just a Permission instance (GRAILSPLUGINS-780).
  • GSP tag errors now show the correct tag name (GRAILSPLUGINS-774).

Version 0.3

  • New version of JSecurity library that fixes problems with null subjects.
  • Quartz jar removed from plugin. If you want to use quartz with JSecurity's session management, install the quartz plugin.
  • Supports non-anonymous search for LDAP lookup in the template LDAP realm. Use these config options to specify the user:
    • - LDAP username to use when performing a lookup
    • - LDAP password for same
  • The template LDAP realm also recognises several other options:
    • ldap.skip.authentication - Skips LDAP authentication, i.e. any user is treated as authenticated (never use in production!)
    • ldap.skip.credentialsCheck - Skips the password check, i.e. the LDAP lookup must work, but otherwise the user is authenticated regardless of the password entered.
    • ldap.allowEmptyPasswords - Determines whether the user can leave the password empty.
  • You can now specify a list of LDAP server urls. The template realm will use the first one that it can connect to.
  • Several new tags related to "remember me":
    • <jsec:notUser> - Writes out the content only if the user is a guest, i.e. neither remembered nor authenticated.
    • <jsec:remembered> - Writes out the content only if the user is remembered (but not authenticated).
    • <jsec:notRemembered> - Writes out the content only if the user is a guest or is authenticated.
  • More tags related to roles:
    • <jsec:hasAllRoles> - Writes out the content if the user has all the given roles (specified in the 'in' attribute as a list).
    • <jsec:lacksAnyRole> - Writes out the content if the user has none of the given roles.
    • <jsec:hasAnyRole> - Writes out the content if the user has at least one of the given roles.
    • <jsec:lacksAllRoles> - Writes out the content if the user has none of the given roles.

Version 0.2.1

  • Redirects to the login page now remember the query string on the target URL.
  • A bug with the "remember me" feature has been fixed.
  • The scripts no longer clash with those of the GWT plugin.
  • Removed Commons Codec library - use the JSecurity hash classes instead, such as Sha256Hash .
  • Added an 'in' attribute to <hasRole/> and <lacksRole/> tags. This can be used in place of the 'name' attribute and must be a list of role names.
  • A new config option has been added: jsecurity.filter.config . This can be set to a string that takes the form of a JSecurity filter configuration. Details of the configuration format can be found in the javadoc for JSecurityFilter.

Version 0.2

When upgrading a project that uses the 0.1.x version of the plugin, the access control will not initially work. It is recommended that you move to the new filter-based mechanism as soon as possible, but you can still use the old controller-based access control definitions by setting this option in Config :
jsecurity.legacy.filter.enabled = true
Even if you set this option, your controllers no longer need to extend JsecAuthBase (and in fact they should not do so).

Second, if you use the standard DB realm, you will have to recreate it because of a breaking change in the authentication code. In addition, if you use CredentialsMatcher s in your own realm, you will need to make changes because the corresponding API has changed.

  • AuthController and its views must now be installed via a script - this makes overriding it easier.
  • Access control can now be declared in Grails filters:
class SecurityFilters {
  def filters = {
    security(controller: '*', action: '*') {
      before = {
        accessControl {
          role('Administrator') || role('Super User')
  • Customise the prefix of the DB realm classes by passing a --prefix=... option to the script (only available with Grails 1.0.3+).
  • Customise the interceptor behaviour by implementing onNotAuthenticated() and onUnauthorized() methods in your filters class. Default behaviour remains as before (redirect to login page for an unauthenticated user, redirect to unauthorized page for unauthorized access).
  • Remember me support added. Both the provided login page and auth controller include the option by default.
  • New <jsec:principal/> tag for writing the principal, e.g. the username, to a page.
  • Failed login message is now internationalized - a default message for code login.failed is installed in a file.
  • Basic LDAP realm provided.
  • You can now include standard JSecurity realms by simply defining them in resources.xml or resources.groovy . All beans that implement the Realm interface will be added to the security manager and will be used for authentication and authorization.
  • Specify the authentication strategy to use when you have more than one realm: either "all must succeed" or "at least one must succeed". The default is the former, "all must succeed". To override, add this to your Config :
jsecurity.authentication.strategy = new org.jsecurity.authc.pam.AtLeastOneSuccessfulModularAuthenticationStrategy()
  • Override the default session type ('http') with the jsecurity.session.mode configuration setting. This can take the values 'http' or 'jsecurity'. The latter allows you to implement single-sign-on.