In this talk I will cover how to create a REST API using Grails 2.3 to support single-page applications, exploring all the possible alternatives. Code is available at https://github.com/alvarosanchez/restful-grails-springsecurity-greach2014 I will also explain how to integrate Spring Security using the spring-security-rest plugin I recently created, to implement a stateless, token-based, RESTful authentication.

1. Creating RESTful API’s
with Grails and Spring
Security
Álvaro Sánchez-Mariscal
Web Architect – odobo
!
@alvaro_sanchez

2. About me
• Passionate software developer.
• Founded Salenda in 2005.
• Co-founded Escuela de Groovy in 2009.
• Groovy/Grails lover since 2007.
• Working now at Odobo as Web Architect.

3. • HTML5 games platform for:
• Game developers.
• Casinos.
• Check out https://play.odobo.com and try
for free!

4. Different approaches
• Using just @Resource.
• With uri attribute.
• With explicit UrlMappings.

5. Demo
step1 … step2

6. Different approaches
• Creating explicitly a controller and
extending RestfulController.
• Defining just the constructor.
• Implementing actions based on the URL
mappings report.

7. Demo
step3 … step4

8. Different approaches
• Scaffolding (but don’t tell your mother).

9. Customizing response
• Customize default renderers.
• Register custom marshallers.
• Use Hypermedia (and fasten your seat
belts!).
• Use Dan Wood’s rest-renderers plugin.

10. Demo
step5 … step7

11. Adding Spring Security
Motivation: we need to break down the
traditional, monolithic Grails applications, in
2 different apps:
1. A pure HTML5/Javascript frontend.
2. A mere RESTful Grails backend.

12. Adding Spring Security
Issue: The existing Spring Security plugins
would not work with a RESTful, browser-
based client.

13. REST is much
more than just
returning JSON.

14. RESTful is about*
Client / server.
Stateless.
Cacheable.
Layered.
* Source: Wikipedia.

15. Meet Spring Security REST
A stateless, token-based
authentication for your
RESTful API’s

16. Authentication

17. Demo

18. Invoking a protected
resource

19. Demo

20. Authentication Endpoint
• Uses the default
authenticationManager bean,
which in turn uses all the registered
authentication providers.
• Receives username and password, and
generates a customizable JSON
response.

21. Authentication Endpoint
• Credentials can be extracted from:
1. Request parameters.
2. A JSON payload.
3. Any custom implementation

22. Token Generation
• 2 strategies out-of-the-box:
1. Using java.security.SecureRandom
(default).
2. Using java.util.UUID.
• A custom implementation can be
plugged.

23. Token Storage
• In Memcached (default).
• Using GORM.
• Write your own.

24. Token Storage

25. Token Validation
• If the token header (X-Auth-Token by
default) is present, the request will be
validated.
• Otherwise, the plugin won’t participate in
the filter chain.

26. Token Validation
• If the passed token exists on the token
storage, the principal will be stored on
the security context.
• It can be retrieved using
springSecurityService.principal

27. CORS support
• Grails doesn’t support CORS (vote for
GRAILS-10914).
• This plugin comes prepackaged with cors
plugin.

28. Demo

29. OAuth support

30. OAuth support

31. Demo

32. DevQA: make
your testers
happier with
Groovy, Spock
and Geb
Tomorrow,
17:15

33. Thanks!
Álvaro Sánchez-Mariscal
Web Architect – odobooo
!
@alvaro_sanchez
alvarosanchez