
Spring Security Plugin

Author(s): Tsuyoshi Yamamoto
Current Release: 0.5.2
Grails Version: ?
Tags: security

Spring Security FAQ

I keep getting a "Sorry, you're not authorized to view this page." and I have checked over everything from the tutorial, why?

Check to make sure your role's authority field begins with "ROLE_".

Why does a User have to be associated with a Role just to log in?

First Read

To be honest, I'm not sure why there's a rule that a user has to have at least one role. You're right that 'regular' users who can't really do anything don't need one, but admins would. When I implemented security in a large app recently I cheated and used subclasses, where admins and users extended a common base class, and admins had regular mapped roles but the user class had a hard-coded getRoles() method that returned a singleton Set containing ROLE_USER.

The standard implementation of the user lookup is org.springframework.security.userdetails.jdbc.JdbcDaoImpl, and it enforces the rule, and I believe that the plugin's implementation was coded to use the same logic. The source for JdbcDaoImpl is here: http://static.springsource.org/spring-security/site/xref/org/springframework/security/userdetails/jdbc/JdbcDaoImpl.html

You could try writing your own and returning an empty array - I'm pretty sure the rest of the framework will work fine but I haven't tested it. See this writeup for how to do that: http://www.grails.org/AcegiSecurity+Plugin+-+Custom+UserDetailsService

From: Burt Beckwith

Why does using RequestMap allow delete for unauthorized users?

First Read

The problem with delete is due to the actionSubmit in the generated GSPs. This is a way of putting multiple submit buttons in one form, each sending the action name as a parameter so the controller can figure out which to use. Unfortunately it posts to the 'index' action, so URL-based security doesn't work for this case. There are two options - rework the two buttons to be regular submit buttons each in its own <g:form> with 'action' set to the real action being used, or use annotations. The annotation mechanism looks at URL mappings and is aware of the controller and action, not just the URL.

From: Burt Beckwith
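An added illustration of the actionSubmit problem described in the answer above (not code from the plugin or from the answer; the controller, the Book domain class and the role names are assumed). The scaffolded form posts both buttons to /book/index, so a RequestMap rule on /book/delete/** never sees the request; either fix ties the check to the real action.

```groovy
// --- Vulnerable pattern: scaffolded show.gsp (assumed controller 'book') ---
// Both buttons POST to /book/index; the chosen action travels only as a
// request parameter, so a RequestMap row such as
//   url: '/book/delete/**', configAttribute: 'ROLE_ADMIN'
// is never consulted and any logged-in user can reach delete.
//
//   <g:form>
//     <g:hiddenField name="id" value="${bookInstance?.id}" />
//     <g:actionSubmit action="edit"   value="Edit" />
//     <g:actionSubmit action="delete" value="Delete" />
//   </g:form>

// --- Fix 1: one <g:form> per action, so the URL itself names the action ---
// The delete POST now goes to /book/delete/<id> and the RequestMap row applies.
//
//   <g:form controller="book" action="edit">
//     <g:hiddenField name="id" value="${bookInstance?.id}" />
//     <g:submitButton name="edit" value="Edit" />
//   </g:form>
//   <g:form controller="book" action="delete">
//     <g:hiddenField name="id" value="${bookInstance?.id}" />
//     <g:submitButton name="delete" value="Delete" />
//   </g:form>

// --- Fix 2: secure the controller action with annotations instead of URLs ---
// As the answer above states, the annotation mechanism resolves controller and
// action via the URL mappings, so the rule is enforced whichever URL was posted to.
import org.codehaus.groovy.grails.plugins.springsecurity.Secured

class BookController {
    def index = { redirect(action: 'list', params: params) }

    @Secured(['ROLE_USER'])
    def show = { [bookInstance: Book.get(params.id)] }   // Book is an assumed domain class

    @Secured(['ROLE_ADMIN'])   // delete requires the admin role regardless of the URL
    def delete = {
        def book = Book.get(params.id)
        if (book) {
            book.delete()
            flash.message = "Book ${params.id} deleted"
        }
        redirect(action: 'list')
    }
}
```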

Why does basic authentication (browser-based auth form) not work with Acegi 0.5.2 even when basicProcessingFilter is true?

John Wey describes on his blog (http://johnnywey.wordpress.com/2009/10/29/grails-acegi-plugin-and-securing-multiple-resources-using-basic-authentication/) that the following code must be added to resources.groovy:

    beans = {
        // Entry point that challenges with HTTP Basic instead of the login form
        authenticationEntryPoint(org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint) {
            realmName = 'Grails Realm'
        }
    }

before it works (on Grails 1.2).

(Besides, his blog also shows how to make both form-based and basic authentication work at the same time.)

Tuomas