The document discusses creating RESTful APIs using Grails and Spring Security, focusing on various approaches such as using @resource, custom controllers, and scaffolding. It highlights the need for a stateless, token-based authentication system for RESTful APIs, explaining the authentication process, token generation and storage, and CORS support. Additionally, it touches on OAuth support and aims to modernize traditional Grails applications into separate frontend and backend services.

1. Creating RESTful API’s
with Grails and Spring
Security
Álvaro Sánchez-Mariscal
Web Architect – odobo
!
@alvaro_sanchez

2. About me
• Passionate software developer.
• Founded Salenda in 2005.
• Co-founded Escuela de Groovy in 2009.
• Groovy/Grails lover since 2007.
• Working now at Odobo as Web Architect.

3. • HTML5 games platform for:
• Game developers.
• Casinos.
• Check out https://play.odobo.com and try
for free!

4. Different approaches
• Using just @Resource.
• With uri attribute.
• With explicit UrlMappings.

5. Demo
step1 … step2

6. Different approaches
• Creating explicitly a controller and
extending RestfulController.
• Defining just the constructor.
• Implementing actions based on the URL
mappings report.

7. Demo
step3 … step4

8. Different approaches
• Scaffolding (but don’t tell your mother).

9. Customizing response
• Customize default renderers.
• Register custom marshallers.
• Use Hypermedia (and fasten your seat
belts!).
• Use Dan Wood’s rest-renderers plugin.

10. Demo
step5 … step7

11. Adding Spring Security
Motivation: we need to break down the
traditional, monolithic Grails applications, in
2 different apps:
1. A pure HTML5/Javascript frontend.
2. A mere RESTful Grails backend.

12. Adding Spring Security
Issue: The existing Spring Security plugins
would not work with a RESTful, browser-
based client.

13. REST is much
more than just
returning JSON.

14. RESTful is about*
Client / server.
Stateless.
Cacheable.
Layered.
* Source: Wikipedia.

15. Meet Spring Security REST
A stateless, token-based
authentication for your
RESTful API’s

16. Authentication

17. Demo

18. Invoking a protected
resource

19. Demo

20. Authentication Endpoint
• Uses the default
authenticationManager bean,
which in turn uses all the registered
authentication providers.
• Receives username and password, and
generates a customizable JSON
response.

21. Authentication Endpoint
• Credentials can be extracted from:
1. Request parameters.
2. A JSON payload.
3. Any custom implementation

22. Token Generation
• 2 strategies out-of-the-box:
1. Using java.security.SecureRandom
(default).
2. Using java.util.UUID.
• A custom implementation can be
plugged.

23. Token Storage
• In Memcached (default).
• Using GORM.
• Write your own.

24. Token Storage

25. Token Validation
• If the token header (X-Auth-Token by
default) is present, the request will be
validated.
• Otherwise, the plugin won’t participate in
the filter chain.

26. Token Validation
• If the passed token exists on the token
storage, the principal will be stored on
the security context.
• It can be retrieved using
springSecurityService.principal

27. CORS support
• Grails doesn’t support CORS (vote for
GRAILS-10914).
• This plugin comes prepackaged with cors
plugin.

28. Demo

29. OAuth support

30. OAuth support

31. Demo

32. DevQA: make
your testers
happier with
Groovy, Spock
and Geb
Tomorrow,
17:15

33. Thanks!
Álvaro Sánchez-Mariscal
Web Architect – odobooo
!
@alvaro_sanchez
alvarosanchez