Basic Security Plugin

  • Tags: security, scaffolding
  • Latest: 1.0
  • Last Updated: 21 June 2010
  • Grails version: 1.1 > *
  • Authors: Niels
Dependency:
compile ":gsec:1.0"

Documentation

Summary

Installation

You can install the plugin via
grails install-plugin gsec

After that it is recommended to call

grails install-admin-guis
Then you get a controller each for User, Role and Permission.

and

grails install-gsec-templates
to get the customized scaffolding.

and

grails install-mail-templates
to get the mail templates, which are needed for registration and reset-password.

Description

Introduction

This plugin realizes a security solution using only standard Grails techniques. That means no third-party security solution such as JSecurity, Spring Security or Shiro is used. The advantage is that you will be able to understand the code in less than an hour. But there is also a downside: the basic security plugin is not as feature-rich as the other plugins, so you can only authenticate against the given database tables, which hold the users, roles and permissions. In my point of view the basic security plugin is a good choice to quickly get a sound security solution. If you need more backends or detailed customization I would recommend checking the other security plugins.

Hint: This plugin is still in use, but not under active development. I have no experience with Grails > 1.2.

Features

  • RememberMe-Functionality
  • Each controller and action needs authentication (except the public controllers)
  • By default everything is forbidden.
  • The permissions are grouped by roles.
  • Possibility to change the configuration at runtime.
  • Possibility to secure a field of a domain class.
  • Special scaffolding that takes the security into account, i.e. links that would only lead to an "access denied" message are not shown.
  • Change password
  • Self-registration
  • Reset Password, if the user has forgotten it.

Installation and Configuration

For installation see the Installation tab. Configuration options:
  • config.gsec.isEnabled - in development you can set it to false; in all other environments it is irrelevant. Default: true
  • config.gsec.nullMustBeAuthenticated - true if the user must be authenticated when the controller name is null. Default: false
  • config.gsec.publicControllers - list of controller names without any security checks. Default: [ "public","auth" ]
  • config.gsec.maxLoginFailed - number of failed logins before a user is disabled. Default: 10
  • config.gsec.rememberMeCryptKey - string which is used as the key for the rememberMe encryption.
  • gsec.loginView - defines the GSP for login, which has the model [ username, rememberMe, token ]; furthermore you must send back the parameter password. The button should be <gti:actionSubmit class="signIn" action="signIn" messageCode="login.login" />
Configuration options for registration:
  • gsec.allowSelfRegistration - true if the user can register himself. Default: false. You must install the mail templates for this feature.
  • gsec.allowResetPassword - true if the user can reset his password. Default: false. You must install the mail templates for this feature.
  • gsec.expireTime - how long (in minutes) a registration is stored without confirmation. Default: 24h
  • gsec.allowedMailadresses - list (separated by ',', ';' or whitespace) of mail addresses defined via regular expressions, which are allowed for registration. Allowed mail addresses can't be forbidden. Default: empty list
  • gsec.forbiddenMailadresses - list (separated by ',', ';' or whitespace) of mail addresses defined via regular expressions, which are forbidden for registration. Default: empty list
  • gsec.defaultRole - name of the default role each user gets. Default: null
  • gsec.replyAdress - email address for the confirmation reply. Please configure the mail plugin too.
  • gsec.bccAdress - email address for bcc of all registrations. Please configure the mail plugin too.
  • gsec.htmlMail - send HTML mail or not. Default: false. Please configure the mail plugin too.
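As an added example (not plugin code), the following Groovy script models how the two mail-address lists above can be evaluated for a registration request. It assumes, as the text states, that an allowed pattern overrides a forbidden one, and additionally assumes that an address matching neither list is accepted; the class name and sample values are constructed for the example.

```groovy
// Added example, not the plugin's own code: a model of the allowed/forbidden
// mail-address lists from the description. Assumed interpretation: allowed
// patterns win over forbidden ones, and an address matching neither list is
// accepted (forbidden acts as a blocklist, allowed as its list of exceptions).
class MailAddressPolicy {
    final List<String> allowed
    final List<String> forbidden

    MailAddressPolicy(String allowedList, String forbiddenList) {
        allowed   = parse(allowedList)
        forbidden = parse(forbiddenList)
    }

    // the page lists ",", ";" and whitespace as the supported delimiters
    private static List<String> parse(String s) {
        (s ?: '').split(/[,;\s]+/).findAll { it }
    }

    // ==~ is a full-string match, so a pattern must cover the whole address
    private static boolean matchesAny(List<String> patterns, String address) {
        patterns.any { address ==~ it }
    }

    boolean mayRegister(String address) {
        String a = address.trim().toLowerCase()
        if (matchesAny(allowed, a)) return true   // allowed can't be forbidden
        return !matchesAny(forbidden, a)
    }
}

// Constructed sample values in the page's list format (regex per entry)
def policy = new MailAddressPolicy(
    /.*@example\.org; admin@example\.com/,        // gsec.allowedMailadresses
    /.*@example\.com, .*@mailinator\.com/         // gsec.forbiddenMailadresses
)

def candidates = [
    'alice@example.org',   // matches an allowed pattern -> ok
    'admin@example.com',   // forbidden domain, but explicitly allowed -> ok
    'bob@example.com',     // matches a forbidden pattern -> rejected
    'eve@mailinator.com',  // matches a forbidden pattern -> rejected
    'dave@other.test',     // matches neither list -> ok (assumed default)
]
candidates.each { println "${it} -> ${policy.mayRegister(it) ? 'ok' : 'rejected'}" }
```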
Furthermore you can define permissions for every attribute of a domain class. Example for domain class Foo:
static needsPermission = ['user':{session, instance -> return GsecUser.get(session.gsecUserid)}]
In this case you need the permission Foo.user read for read access and Foo.user write for write access. The closure defines the default value; it receives the session and the domain instance. With this information you should be able to define the default value.

To understand how a permission decision was made, set the log levels

trace 'grails.app.service.de.ppi.grails.gsec'
trace 'grails.app.filters.SecurityFilters'
Message properties can be adjusted in grails-app/i18n/gsec-messages.properties.

Define the security

All actions in a controller are forbidden by default. So you must define the permissions and insert them into the table GsecPermission. You can do this in PermissionRolesAndUserBootStrap. You can generate all permissions based on a domain class with
grails generate-permissions
The permissions should be grouped into roles, and the roles are given to users.
For performance reasons it is strongly recommended to give a user only roles and not permissions directly.
If you want to administer the permissions, users and roles via a GUI, you can use
grails install-admin-guis

Format of permissions

All permissions based on java.security.Permission can be used, but normally you use GsecBasicPermission. For it you must define one target (or * as wildcard) and a list (supported delimiters are ",", ";" and whitespace) of actions. A GsecBasicPermission perm implies another GsecBasicPermission other if the targets are equal (or perm.target is the wildcard) and perm.actions contains all actions of other.
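As an added example that is not part of the plugin, this Groovy script re-implements the implication rule just described (equal target or wildcard, action superset) and applies it to the Foo.user read/write permissions from the domain-class section; the class, the role's permissions and the requested permissions are constructed for the example and are not the plugin's own GsecBasicPermission.

```groovy
// Added example, not the plugin's own code: a model of the implication rule the
// page describes for GsecBasicPermission, written from that description only.
class BasicPermissionModel {
    final String target
    final Set<String> actions

    BasicPermissionModel(String target, String actionList) {
        this.target = target.trim()
        // the page lists ",", ";" and whitespace as the supported action delimiters
        this.actions = actionList.split(/[,;\s]+/).findAll { it } as Set
    }

    // perm implies other if the targets are equal (or perm.target is the
    // wildcard *) and perm's actions contain every action of other
    boolean implies(BasicPermissionModel other) {
        boolean targetOk = (target == '*') || (target == other.target)
        return targetOk && actions.containsAll(other.actions)
    }

    String toString() { "${target} ${actions.toList().sort().join(',')}" }
}

// Constructed sample: permissions a role might hold for a domain class Foo
// whose field 'user' is secured via needsPermission (names assumed).
List<BasicPermissionModel> rolePermissions = [
    new BasicPermissionModel('Foo.user', 'read, write'),
    new BasicPermissionModel('Foo', 'list;show'),
    new BasicPermissionModel('*', 'read'),
]

// Everything is forbidden unless some held permission implies the requested one.
boolean granted(List<BasicPermissionModel> held, BasicPermissionModel wanted) {
    held.any { it.implies(wanted) }
}

def checks = [
    new BasicPermissionModel('Foo.user', 'read'),   // exact target, action subset -> granted
    new BasicPermissionModel('Foo.user', 'write'),  // granted
    new BasicPermissionModel('Bar.user', 'read'),   // granted only via the * wildcard
    new BasicPermissionModel('Bar.user', 'write'),  // denied: the wildcard grants read only
    new BasicPermissionModel('Foo', 'delete'),      // denied: no held permission has delete
]
checks.each { println "${it} -> ${granted(rolePermissions, it) ? 'granted' : 'denied'}" }
```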

Adjust the main.gsp

The AuthController is part of the plugin. The login.gsp references the main.gsp. Therefore you must add base="${resource(dir:'js')}/" to the javascript tag.

About the scaffolding

The scaffolding is based on the i18n templates, and with these you can use all features of the security. Furthermore a taglib is used that gives every element an htmlId for testing. You can install it with
grails install-gsec-templates

Example Config

gsec {
    //Default values. None of them must be set.
    //Inside the gsec { } block the keys are written without the gsec. prefix.
    isEnabled = true    //Only in development you can set it to false; in all other environments it is irrelevant
    nullMustBeAuthenticated = false    //true if the user must be authenticated if the controller name is null
    publicControllers = ['public', 'auth', 'registration', 'passwordManagement'] //list of controller names without any security checks
    maxLoginFailed = 10 //number of failed logins before a user is disabled
    //rememberMeCryptKey = 'No Public Default' //String which is used as key for the rememberMe encryption
    loginView = 'login' //defines the gsp for login, which has the model [username, rememberMe, token]
                        //The gsp must be in the folder views/auth
                        //furthermore you must send back the parameter password. The button should be
                        //<gti:actionSubmit class="signIn" action="signIn" messageCode="login.login" />
    //Configuration options for registration and resetPassword:
    allowSelfRegistration = false //true if the user can register himself
    allowResetPassword = false //true if the user can reset his password
    expireTime = 24 * 60 //time in minutes how long the registration is stored without confirmation. Default: 24h
    allowedMailadresses = '' //List (separated by ',', ';' or whitespace) of mail addresses defined via regular expression,
                             //which are allowed for registration. Allowed mail addresses can't be forbidden. Default: empty list
    forbiddenMailadresses = '' //List (separated by ',', ';' or whitespace) of mail addresses defined via regular expression,
                               //which are forbidden for registration. Default: empty list
    defaultRole = null //name of the default role each user gets
    replyAdress = null //Email address for confirmation reply
    bccAdress = null //Email address for bcc of all registrations and resetPassword
    htmlMail = false //Send HTML mail or not. Notice: true implies http://jira.codehaus.org/browse/GRAILSPLUGINS-1885
}

grails.mail.host = "localhost"
grails.mail.port = 25
grails.mail.default.from = "mailmaster@localhost"

I hope this is still enough documentation; otherwise send a mail to opensource21 at gmail.com

History

  • 0.5 First public version
  • 0.6 Fixing some issues and releasing change-password
  • 0.8 Reset Password and Self-Registration
  • 0.9 Small Improvements: Equals-hashcode implemented, Registration, Consistent RedirectAfterPost, Fix One-To-Many-Bug in Scaffolding, Using Bootstrap to create users (Thanks to Stefan Undorf)
  • 1.0 Bugfix in cleanup code for a non-approved registration.