Plugins You can find out about all the publicly available Grails plugins.

Shiro Openid Plugin

  • Tags: openid
  • Latest: 0.7
  • Last Updated: 19 September 2012
  • Grails version: 2.0 > *
0 vote
compile "org.grails.plugins:shiro-openid:0.7"
Custom repositories:
mavenRepo ""

 Documentation  Source  Issues


Add OpenID authentication to the Shiro plugin with a set of installable Shiro domain class and openid4java view templates.


grails install-plugin shiro-openid


Integrate Grails project with libraries Shiro, openid4java and login page openid-selector as OpenID consumer.


put the following maven repositories and plugins into "grails-app/conf/BuildConfig.groovy"
repositories {
        inherits true // Whether to inherit repository definitions from plugins

grailsPlugins() grailsHome() grailsCentral()

mavenLocal() mavenCentral() mavenRepo "" } plugins { compile ":jquery-mobile:" compile ":shiro-openid:0.6" .... }

Run the script to copy the following content to project root for customization, if required.

  • Domain: User.groovy, Role.groovy under domain/net/security
  • Controller: AuthController.groovy, RoleController.groovy, UserController.groovy under controller/net/security
  • Views: login.gsp under views/auth
  • Filter: SecurityFilters.groovy under conf/net/security
  • Javascript: openid-en.js, open-jquery.js under web-app/js
  • Image: image.small and image.large under web-app
grails customize-openid

Update grails-app/conf/Config.groovy

  • Set grails.serverURL = "" for OpenID Server redirecting user browser to "returnURL" composed with the pre-defined grails.serverURL.
  • Set proxy setting on grails-app/conf/Config.groovy, if proxy connection from web application server to authentication server is required.
http {
  proxyHost = ''
  proxyPort = 8080

Customize "grails-app/conf/net/security/SecurityFilter.groovy", if required.

As domain records User.guestUser, Role.adminRole, Role.authRole and Role.publicRole are created by default, the following default filters try to implement logic to check guest access (those users not yet authenticated) against the authorization tables user_roles, user_permissions, role_permissions.
  • Role.adminRole is the role for assigned users with full access to all domain, action, and id
  • Role.authRole is the role for all real users except User.guestUser
  • Role.publicRole is the role for all users including User.guestUser
  • 1st filter is to allow access to auth controller
  • 2nd filter is to control access of other controllers by checking guest access first and then current login user access.
import org.apache.shiro.SecurityUtils
import org.apache.shiro.authc.UsernamePasswordToken

class SecurityFilters { /* * check if guest permission is granted */ def guestControl(String permission) { def subject = SecurityUtils.subject if (subject.isAuthenticated()) return false

subject.login(new UsernamePasswordToken(User.guestUser.username, User.defaultPass)) def ret = subject?.isPermitted(permission) subject.logout() return ret }

def filters = { allow(controller: 'auth') { before = { true } }

other(controllerExclude: 'auth') { before = { // Ignore direct views (e.g. the default main index page). if (!controllerName) return true

// check if guest access (guest permission to domain:action:id) is granted // otherwise force user login and check if login user granted with appropriate permission String permission = "${controllerName}:${actionName}:${}" if (guestControl(permission)) { return true } else { accessControl { def ret = SecurityUtils.subject?.isPermitted(permission) return ret } } } } } }

Assign user to admin role with access right for all domains and actions

Login the application via your account provider to add your user record first and then run the following sql to grant the admin right to the account you attempted to login before. Then, visit http://localhost:8080/user or http://localhost:8080/role to define access right for application defined domain, action, or id in format "domain:action:id". Please see shiro permission page for details.
insert into user_roles (role_id, user_id) 
select, from role, user 
where = 'admin' 
and user.username = 'admin username';

Enable log4j for openid4java

Enable log4j to show the debug level of log about openid4java by entering the following config into grails-app/conf/Config.groovy, if required.
log4j = {
	debug 'org.openid4java'

if required. ">

Add Java VM argument with truststore containing CA Certificate for OpenID server, if required.

grails${userHome}/Documents/javaTruststore.jks run-app

Demo site

Click here