
Creating RESTful API’s with Grails and Spring Security


In this talk I will cover how to create a REST API using Grails 2.3 to support single-page applications, exploring all the possible alternatives.

Code is available at

I will also explain how to integrate Spring Security using the spring-security-rest plugin I recently created, to implement a stateless, token-based, RESTful authentication.

Published in: Software
  • Hi Mr Alvaro, 1. when I use [Authorize] to implement for the web api controller, I need to implement the OnAuthorization() method that verifies the token with user name and password. 2. How do I verify user roles in Authorize[Roles='Manager'] in JWT structure? 3. How do I insert a role into my JSON token? 4. Can I add any attribute or property to the Json Token? thanks
  • Hi! You have the example project in some place? Thank you!
  • Yes, the video is available at
  • This looks really interesting - exactly what I was just researching. Is there a full presentation recording that could be referenced?

  1. Creating RESTful API’s with Grails and Spring Security
     Álvaro Sánchez-Mariscal, Web Architect – odobo, @alvaro_sanchez
  2. About me
     • Passionate software developer.
     • Founded Salenda in 2005.
     • Co-founded Escuela de Groovy in 2009.
     • Groovy/Grails lover since 2007.
     • Working now at Odobo as Web Architect.
  3. • HTML5 games platform for:
       • Game developers.
       • Casinos.
     • Check out and try for free!
  4. Different approaches
     • Using just @Resource.
     • With uri attribute.
     • With explicit UrlMappings.
  5. Demo: step1 … step2
  6. Different approaches
     • Creating explicitly a controller and extending RestfulController.
     • Defining just the constructor.
     • Implementing actions based on the URL mappings report.
  7. Demo: step3 … step4
  8. Different approaches
     • Scaffolding (but don’t tell your mother).
  9. Customizing response
     • Customize default renderers.
     • Register custom marshallers.
     • Use Hypermedia (and fasten your seat belts!).
     • Use Dan Wood’s rest-renderers plugin.
  10. Demo: step5 … step7
  11. Adding Spring Security
      Motivation: we need to break down the traditional, monolithic Grails application into 2 different apps:
      1. A pure HTML5/Javascript frontend.
      2. A mere RESTful Grails backend.
  12. Adding Spring Security
      Issue: the existing Spring Security plugins would not work with a RESTful, browser-based client.
  13. REST is much more than just returning JSON.
  14. RESTful is about*
      • Client / server.
      • Stateless.
      • Cacheable.
      • Layered.
      * Source: Wikipedia.
  15. Meet Spring Security REST
      A stateless, token-based authentication for your RESTful API’s.
  16. Authentication
  17. Demo
  18. Invoking a protected resource
  19. Demo
  20. Authentication Endpoint
      • Uses the default authenticationManager bean, which in turn uses all the registered authentication providers.
      • Receives username and password, and generates a customizable JSON response.
  21. Authentication Endpoint
      • Credentials can be extracted from:
        1. Request parameters.
        2. A JSON payload.
        3. Any custom implementation.
  22. Token Generation
      • 2 strategies out-of-the-box:
        1. Using (default).
        2. Using java.util.UUID.
      • A custom implementation can be plugged in.
  23. Token Storage
      • In Memcached (default).
      • Using GORM.
      • Write your own.
  24. Token Storage
  25. Token Validation
      • If the token header (X-Auth-Token by default) is present, the request will be validated.
      • Otherwise, the plugin won’t participate in the filter chain.
  26. Token Validation
      • If the passed token exists in the token storage, the principal will be stored in the security context.
      • It can be retrieved using springSecurityService.principal.
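The slides on the authentication endpoint, token generation, token storage and token validation (20 to 26) describe one flow: credentials come in as request parameters or a JSON payload, a token is generated (here with java.util.UUID, the second built-in strategy) and stored, and on later requests the X-Auth-Token header is looked up in the storage to recover the principal, while requests without the header are left to the rest of the filter chain. The plain Groovy script below is an added example that walks through that flow end to end; it is not the spring-security-rest plugin's code. The `TokenStorage` map (standing in for Memcached or GORM), the hard-coded user table, the `authenticate`/`doFilter` method names and the JSON response fields are all assumptions made for this example.

```groovy
import groovy.json.JsonSlurper
import java.security.MessageDigest
import java.util.concurrent.ConcurrentHashMap

// Hypothetical in-memory token store, standing in for the plugin's Memcached/GORM storages.
class TokenStorage {
    private final Map<String, String> tokens = new ConcurrentHashMap<>()
    String store(String token, String principal) { tokens[token] = principal; return token }
    String findPrincipal(String token) { tokens[token] }   // null when the token is unknown
}

// Token generation: one of the two out-of-the-box strategies named on slide 22.
class UuidTokenGenerator {
    String generate() { UUID.randomUUID().toString() }
}

// Authentication endpoint (slides 20-21). A real Grails app delegates the credential check to the
// authenticationManager bean and its providers; this constructed user table replaces that here.
class AuthenticationEndpoint {
    TokenStorage storage
    UuidTokenGenerator generator
    Map<String, String> users = [alice: 'correct horse', bob: 'battery staple']   // constructed

    // Credentials are read from request parameters first, then from a JSON payload.
    Map authenticate(Map<String, String> params, String jsonBody) {
        String username = null, password = null
        if (params?.username) {
            username = params.username; password = params.password           // 1. request parameters
        } else if (jsonBody) {
            def json = new JsonSlurper().parseText(jsonBody)
            username = json.username; password = json.password               // 2. a JSON payload
        }
        if (!username || !password) return [status: 400, body: [error: 'missing credentials']]
        String expected = users[username]
        // Constant-time comparison so response timing does not leak how much of the secret matched.
        if (expected == null || !MessageDigest.isEqual(expected.bytes, password.toString().bytes)) {
            return [status: 401, body: [error: 'bad credentials']]
        }
        String token = storage.store(generator.generate(), username)
        // The plugin's JSON response is customizable; these field names are assumed for the example.
        return [status: 200, body: [username: username, token: token]]
    }
}

// Token validation filter (slides 25-26).
class TokenValidationFilter {
    static final String HEADER = 'X-Auth-Token'
    TokenStorage storage

    // Returns whether the filter participated, the principal it placed in the security context
    // (null if none) and the HTTP status it would produce.
    Map doFilter(Map<String, String> headers) {
        String token = headers[HEADER]
        if (!token) {
            return [participated: false, principal: null, status: 200]       // no header: stay out of the chain
        }
        String principal = storage.findPrincipal(token)
        if (principal == null) {
            return [participated: true, principal: null, status: 401]        // unknown token: reject
        }
        return [participated: true, principal: principal, status: 200]       // known token: principal set
    }
}

// Walk through the flow with constructed requests.
def storage   = new TokenStorage()
def endpoint  = new AuthenticationEndpoint(storage: storage, generator: new UuidTokenGenerator())
def filter    = new TokenValidationFilter(storage: storage)

def login = endpoint.authenticate(null, '{"username":"alice","password":"correct horse"}')
assert login.status == 200
String token = login.body.token

assert endpoint.authenticate([username: 'alice', password: 'wrong'], null).status == 401
assert filter.doFilter([:]).participated == false                            // no X-Auth-Token header
assert filter.doFilter(['X-Auth-Token': token]).principal == 'alice'          // valid token
assert filter.doFilter(['X-Auth-Token': 'not-a-token']).status == 401         // unknown token
println "token-based flow OK; principal for ${token.take(8)}... is ${storage.findPrincipal(token)}"
```

The three `doFilter` outcomes map onto the two Token Validation slides: header absent means the plugin stays out of the chain (some other mechanism may still authenticate the request), a stored token puts the principal where `springSecurityService.principal` would read it, and an unknown token is rejected rather than silently passed through.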
  27. CORS support
      • Grails doesn’t support CORS (vote for GRAILS-10914).
      • This plugin comes prepackaged with the cors plugin.
  28. Demo
  29. OAuth support
  30. OAuth support
  31. Demo
  32. DevQA: make your testers happier with Groovy, Spock and Geb
      Tomorrow, 17:15
  33. Thanks!
      Álvaro Sánchez-Mariscal, Web Architect – odobo, @alvaro_sanchez, alvarosanchez