VS
Uploaded byVijay Shukla
PPTX, PDF358 views

Spring security

This document provides an overview of integrating Spring Security into a Grails application. It discusses configuring domain classes like User and Role, securing URL mappings, and using helper classes like the Security TagLib and SpringSecurityService. The plugin simplifies adding authentication and authorization to Grails apps by generating initial classes and configurations and providing tags and services to check authentication status and roles.

Embed presentation

Download to read offline
Spring Security in Grails
Agenda Introduction Domain Classes Request Mapping to Secure URL Helper Classes
Introduction It simplifies the integration of spring security into grails. Default values are in the plugin’s grails-app/conf/DefaultSecurityConfig.groovy. We add application specific values in grails-app/conf/Config.groovy. The two configurations will be merged with application values overriding the default. To use spring security simply integrate its plugin as:- 1. plugins{ compile ‘:spring-security-core:2.0-RC4’ }
2. grails compile 3. grails s2-quickstart com User Role It will create two controller Name (LoginController and LogoutController), one gsp page (auth.gsp) and three domain (User, Role and UserRole). Spring Security is more aggressively restricted, so you can do some basic changes., It is Logout POST only, to allow GET access grails.plugin.springsecurity.logout.postOnly=false There are other more setting that you can change.
Domain Classes User Role UserRole Group UserGroup GroupRole Requestmap Class
To use standard user lookup you will need minimum an User and a Role domain. To manage many to many relationship between User and Role you need another domain UserRole. If you want to store URL<->Role mapping then you need Requestmap domain. If you want to user User/Group lookup then need Group domain. To manage many to many relationships between User/Group and Group/Role you need UserGroup and GroupRole respectively.
User Domain Spring-security uses and authentication object to determine whether the current user has right to perform the secured action, such as accessing the URL and manipulating the other domain object, accessing the secured method and so on. The object will be created during the login. By default plugin uses the grails User domain to manage this data. (username, password, enabled and others. In addition you should define authorities to retrieve the role of the user. getAuthorities() is analogous to define static hasMany=[roles:Role]
Role Domain:- Spring security also requires an Role class to define the authority to the User. UserRole:- The mapping relationship between ‘User' and ‘Role' is a many-to-many. Users have multiple roles, and roles are shared by multiple users. This approach can be problematic in Grails, because a popular role, for example, ROLE_USER, will be granted to many users in your application. GORM uses collections to manage adding and removing related instances and maps many-to-many relationships bidirectionally. The recommended approach in the plugin is to map a domain class to the join table that manages the many-to-many, and using that to grant and revoke roles to users.
User user=new User(name:”Abc”, email:”abc@nexthoughts.com,password:”123”).save(flush:true) Role adminRole=new Role(authority:”ROLE_ADMIN”).save(flush:true) To add role UserRole.create(user,adminRole) To remove role UserRole.remove(user,adminRole) How to create a user and assign a role to him
RequestMap Configuration to Secure Url Define Secured Annotations Simple Map in Config.groovy RequestMap Instance saved in database Pessimistic Lockdown Some pages in any application is public and some pages are accessible to only authorized person. Pessimistic approach is default and have to configuration options:- rejectIfNoRule fii.rejectPublicInvocations
rejectIfNoRule:- (true):- then any Url that has no request mappings will be denied to all users. fii.rejectPublicInvocations:- (true) Un-mapped Url will trigger IllegalArgumentException and will show error page. fii.rejectPublicInvocations:- (false):- You will see Sorry you are not authorized to view page. If you want the more obvious error page, set fii.rejectPublicInvocations to true and rejectIfNoRule to false to allow that check to occur.
To reject un-mapped URLs with a 403 error code, use these settings grails.plugin.springsecurity.rejectIfNoRule = true grails.plugin.springsecurity.fii.rejectPublicInvocations = false To reject with the error 500 page, grails.plugin.springsecurity.rejectIfNoRule = false grails.plugin.springsecurity.fii.rejectPublicInvocations = true
Defining Secured Annotations package com.mycompany.myapp import grails.plugin.springsecurity.annotation.Secured class SecureAnnotatedController { @Secured(['ROLE_ADMIN']) def index() { render 'you have ROLE_ADMIN' } @Secured(['ROLE_ADMIN', 'ROLE_SUPERUSER']) def adminEither() { render 'you have ROLE_ADMIN or SUPERUSER' } def anybody() { render 'anyone can see this' // assuming you're not using "strict" mode } }
Simple Map in Config.groovy grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap" grails.plugin.springsecurity.interceptUrlMap = [ '/': ['permitAll'], '/index': ['permitAll'], '/index.gsp': ['permitAll'], '/assets/**': ['permitAll'], '/**/js/**': ['permitAll'], '/**/css/**': ['permitAll'], '/**/images/**': ['permitAll'], '/**/favicon.ico': ['permitAll'], '/login/**': ['permitAll'], '/logout/**': ['permitAll'], '/secure/**': ['ROLE_ADMIN'], '/finance/**': ['ROLE_FINANCE', 'isFullyAuthenticated()'], ]
Helper Classes Security TagLib SpringSecurityService SpringSecurityUtils
Security TagLib ifLoggedIn <sec:ifLoggedIn> Welcome Back! </sec:ifLoggedIn> ifNotLoggedIn <sec:ifNotLoggedIn> <g:link controller='login' action='auth'>Login</g:link> </sec:ifNotLoggedIn> ifAllGranted ifAnyGranted ifNotGranted
loggedInUserInfo <sec:loggedInUserInfo field="username"/> username ifSwitched ifNotSwitched access noAccess link
Spring Security Service def springSecurityService getCurrentUser() loadCurrentUser() isLoggedIn() getAuthentication() getPrincipal() encodePassword() updateRole() deleteRole()

More Related Content

PDF
Softlayer_API_openWhisk
byShuichi Yukimoto
 
PDF
Samsung Gear SDK
byRyo Jin
 
PDF
07 02-05
byNimmanon Lasaku
 
PDF
Pundit
byBruce White
 
DOCX
multiple views and routing
byBrajesh Yadav
 
PPTX
Spring Security 3
byJason Ferguson
 
PPTX
Jmh
byNexThoughts Technologies
 
PDF
What's New in spring-security-core 2.0
byBurt Beckwith
 
Softlayer_API_openWhisk
byShuichi Yukimoto
 
Samsung Gear SDK
byRyo Jin
 
07 02-05
byNimmanon Lasaku
 
Pundit
byBruce White
 
multiple views and routing
byBrajesh Yadav
 
Spring Security 3
byJason Ferguson
 
Jmh
byNexThoughts Technologies
 
What's New in spring-security-core 2.0
byBurt Beckwith
 

Similar to Spring security

PDF
Hacking the Grails Spring Security 2.0 Plugin
byBurt Beckwith
 
PDF
Fun With Spring Security
byBurt Beckwith
 
PDF
Hacking the Grails Spring Security Plugins
byGR8Conf
 
PDF
Spring security jwt tutorial toptal
byjbsysatm
 
PPTX
Building Layers of Defense with Spring Security
byJoris Kuipers
 
PDF
J2EE Security with Apache SHIRO
byCygnet Infotech
 
PPTX
Spring Security 5
byJesus Perez Franco
 
PDF
Spring4 security
bySang Shin
 
PDF
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
byticeyfedorvt
 
PDF
Spring security4.x
byZeeshan Khan
 
PPTX
Spring security 3
byIT Weekend
 
ODP
Testing the Grails Spring Security Plugins
byBurt Beckwith
 
PDF
Spring Security
byKnoldus Inc.
 
PPTX
springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds
byzmulani8
 
PDF
Spring5 hibernate5 security5 lab step by step
byRajiv Gupta
 
PDF
Grails Simple Login
bymoniguna
 
PDF
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
PDF
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PDF
GR8Conf 2011: Grails, how to plug in
byGR8Conf
 
PDF
GR8Conf 2011: GORM Optimization
byGR8Conf
 
Hacking the Grails Spring Security 2.0 Plugin
byBurt Beckwith
 
Fun With Spring Security
byBurt Beckwith
 
Hacking the Grails Spring Security Plugins
byGR8Conf
 
Spring security jwt tutorial toptal
byjbsysatm
 
Building Layers of Defense with Spring Security
byJoris Kuipers
 
J2EE Security with Apache SHIRO
byCygnet Infotech
 
Spring Security 5
byJesus Perez Franco
 
Spring4 security
bySang Shin
 
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
byticeyfedorvt
 
Spring security4.x
byZeeshan Khan
 
Spring security 3
byIT Weekend
 
Testing the Grails Spring Security Plugins
byBurt Beckwith
 
Spring Security
byKnoldus Inc.
 
springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds
byzmulani8
 
Spring5 hibernate5 security5 lab step by step
byRajiv Gupta
 
Grails Simple Login
bymoniguna
 
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
GR8Conf 2011: Grails, how to plug in
byGR8Conf
 
GR8Conf 2011: GORM Optimization
byGR8Conf
 

More from Vijay Shukla

PDF
Introduction of webpack 4
byVijay Shukla
 
PDF
Preview of Groovy 3
byVijay Shukla
 
PDF
Jython
byVijay Shukla
 
PPTX
Groovy closures
byVijay Shukla
 
PPTX
Groovy
byVijay Shukla
 
PPTX
Grails services
byVijay Shukla
 
PPTX
Grails plugin
byVijay Shukla
 
PPTX
Grails domain
byVijay Shukla
 
PPTX
Grails custom tag lib
byVijay Shukla
 
PPTX
Grails
byVijay Shukla
 
PPTX
Gorm
byVijay Shukla
 
PPTX
Controller
byVijay Shukla
 
PPTX
Config BuildConfig
byVijay Shukla
 
PPTX
Command object
byVijay Shukla
 
PPTX
Boot strap.groovy
byVijay Shukla
 
PPTX
Vertx
byVijay Shukla
 
PPTX
Custom plugin
byVijay Shukla
 
PPTX
REST
byVijay Shukla
 
PPTX
Config/BuildConfig
byVijay Shukla
 
PPTX
GORM
byVijay Shukla
 
Introduction of webpack 4
byVijay Shukla
 
Preview of Groovy 3
byVijay Shukla
 
Jython
byVijay Shukla
 
Groovy closures
byVijay Shukla
 
Groovy
byVijay Shukla
 
Grails services
byVijay Shukla
 
Grails plugin
byVijay Shukla
 
Grails domain
byVijay Shukla
 
Grails custom tag lib
byVijay Shukla
 
Grails
byVijay Shukla
 
Gorm
byVijay Shukla
 
Controller
byVijay Shukla
 
Config BuildConfig
byVijay Shukla
 
Command object
byVijay Shukla
 
Boot strap.groovy
byVijay Shukla
 
Vertx
byVijay Shukla
 
Custom plugin
byVijay Shukla
 
REST
byVijay Shukla
 
Config/BuildConfig
byVijay Shukla
 
GORM
byVijay Shukla
 

Recently uploaded

PDF
our environment ppt made by many people name rarang yadav
byrarang180
 
PDF
Prasenjit Bhaumik Plano - Specializing In Web Applications
byPrasenjit Bhaumik Plano
 
PDF
Salesforce Agentforce Service Agent​.pdf
byRobert Mark
 
PDF
Mitr Sarthi: A Smart ERP for Modern Manufacturers
byGamavis Software Solutions
 
PPTX
Architectural Styles in Software Engineering
byM Munim
 
PPTX
Build Smarter with Google: A Workshop on MediaPipe, Firebase, Gemini and Anti...
byvanshikaprakash05
 
PDF
From Sound Workflow Nets to LTLf Declarative Specifications
byLucaBarbaro3
 
PDF
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
PDF
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
PPTX
How MathCo Solved Enterprise AI Validation Challenges
byIT IDOL Technologies
 
PDF
Latest Courier Management Software 2026 | Complete Courier & Logistics Solution
byCourier Softwares
 
PPTX
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
PPTX
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
PDF
Building Strong IT Systems Using the Site Reliability Engineering
byAvekshaa Technologies
 
PDF
Python Core Interview Cheat Sheet for a Senior Interview
byStanislav Lazarenko
 
PPTX
Aviation Fleet Management Software for Airlines & Operators
bySISGAIN
 
PDF
DSD-INT 2025 Groundwater table lowering due to surface water lowering - Reusen
byDeltares
 
PPTX
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
PDF
CatoCoin (CATO) – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
PDF
DSD-INT 2025 iMOD Parallel coupler development plan - Verkaik
byDeltares
 
our environment ppt made by many people name rarang yadav
byrarang180
 
Prasenjit Bhaumik Plano - Specializing In Web Applications
byPrasenjit Bhaumik Plano
 
Salesforce Agentforce Service Agent​.pdf
byRobert Mark
 
Mitr Sarthi: A Smart ERP for Modern Manufacturers
byGamavis Software Solutions
 
Architectural Styles in Software Engineering
byM Munim
 
Build Smarter with Google: A Workshop on MediaPipe, Firebase, Gemini and Anti...
byvanshikaprakash05
 
From Sound Workflow Nets to LTLf Declarative Specifications
byLucaBarbaro3
 
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
How MathCo Solved Enterprise AI Validation Challenges
byIT IDOL Technologies
 
Latest Courier Management Software 2026 | Complete Courier & Logistics Solution
byCourier Softwares
 
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
Building Strong IT Systems Using the Site Reliability Engineering
byAvekshaa Technologies
 
Python Core Interview Cheat Sheet for a Senior Interview
byStanislav Lazarenko
 
Aviation Fleet Management Software for Airlines & Operators
bySISGAIN
 
DSD-INT 2025 Groundwater table lowering due to surface water lowering - Reusen
byDeltares
 
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
CatoCoin (CATO) – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
DSD-INT 2025 iMOD Parallel coupler development plan - Verkaik
byDeltares
 

Spring security

  • 1.
  • 2.
  • 3.
    Introduction It simplifies theintegration of spring security into grails. Default values are in the plugin’s grails-app/conf/DefaultSecurityConfig.groovy. We add application specific values in grails-app/conf/Config.groovy. The two configurations will be merged with application values overriding the default. To use spring security simply integrate its plugin as:- 1. plugins{ compile ‘:spring-security-core:2.0-RC4’ }
  • 4.
    2. grails compile 3.grails s2-quickstart com User Role It will create two controller Name (LoginController and LogoutController), one gsp page (auth.gsp) and three domain (User, Role and UserRole). Spring Security is more aggressively restricted, so you can do some basic changes., It is Logout POST only, to allow GET access grails.plugin.springsecurity.logout.postOnly=false There are other more setting that you can change.
  • 5.
  • 6.
    To use standarduser lookup you will need minimum an User and a Role domain. To manage many to many relationship between User and Role you need another domain UserRole. If you want to store URL<->Role mapping then you need Requestmap domain. If you want to user User/Group lookup then need Group domain. To manage many to many relationships between User/Group and Group/Role you need UserGroup and GroupRole respectively.
  • 7.
    User Domain Spring-security usesand authentication object to determine whether the current user has right to perform the secured action, such as accessing the URL and manipulating the other domain object, accessing the secured method and so on. The object will be created during the login. By default plugin uses the grails User domain to manage this data. (username, password, enabled and others. In addition you should define authorities to retrieve the role of the user. getAuthorities() is analogous to define static hasMany=[roles:Role]
  • 8.
    Role Domain:- Spring securityalso requires an Role class to define the authority to the User. UserRole:- The mapping relationship between ‘User' and ‘Role' is a many-to-many. Users have multiple roles, and roles are shared by multiple users. This approach can be problematic in Grails, because a popular role, for example, ROLE_USER, will be granted to many users in your application. GORM uses collections to manage adding and removing related instances and maps many-to-many relationships bidirectionally. The recommended approach in the plugin is to map a domain class to the join table that manages the many-to-many, and using that to grant and revoke roles to users.
  • 9.
    User user=new User(name:”Abc”, email:”abc@nexthoughts.com,password:”123”).save(flush:true) RoleadminRole=new Role(authority:”ROLE_ADMIN”).save(flush:true) To add role UserRole.create(user,adminRole) To remove role UserRole.remove(user,adminRole) How to create a user and assign a role to him
  • 10.
    RequestMap Configuration toSecure Url Define Secured Annotations Simple Map in Config.groovy RequestMap Instance saved in database Pessimistic Lockdown Some pages in any application is public and some pages are accessible to only authorized person. Pessimistic approach is default and have to configuration options:- rejectIfNoRule fii.rejectPublicInvocations
  • 11.
    rejectIfNoRule:- (true):- thenany Url that has no request mappings will be denied to all users. fii.rejectPublicInvocations:- (true) Un-mapped Url will trigger IllegalArgumentException and will show error page. fii.rejectPublicInvocations:- (false):- You will see Sorry you are not authorized to view page. If you want the more obvious error page, set fii.rejectPublicInvocations to true and rejectIfNoRule to false to allow that check to occur.
  • 12.
    To reject un-mappedURLs with a 403 error code, use these settings grails.plugin.springsecurity.rejectIfNoRule = true grails.plugin.springsecurity.fii.rejectPublicInvocations = false To reject with the error 500 page, grails.plugin.springsecurity.rejectIfNoRule = false grails.plugin.springsecurity.fii.rejectPublicInvocations = true
  • 13.
    Defining Secured Annotations packagecom.mycompany.myapp import grails.plugin.springsecurity.annotation.Secured class SecureAnnotatedController { @Secured(['ROLE_ADMIN']) def index() { render 'you have ROLE_ADMIN' } @Secured(['ROLE_ADMIN', 'ROLE_SUPERUSER']) def adminEither() { render 'you have ROLE_ADMIN or SUPERUSER' } def anybody() { render 'anyone can see this' // assuming you're not using "strict" mode } }
  • 14.
    Simple Map inConfig.groovy grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap" grails.plugin.springsecurity.interceptUrlMap = [ '/': ['permitAll'], '/index': ['permitAll'], '/index.gsp': ['permitAll'], '/assets/**': ['permitAll'], '/**/js/**': ['permitAll'], '/**/css/**': ['permitAll'], '/**/images/**': ['permitAll'], '/**/favicon.ico': ['permitAll'], '/login/**': ['permitAll'], '/logout/**': ['permitAll'], '/secure/**': ['ROLE_ADMIN'], '/finance/**': ['ROLE_FINANCE', 'isFullyAuthenticated()'], ]
  • 15.
  • 16.
    Security TagLib ifLoggedIn <sec:ifLoggedIn> Welcome Back! </sec:ifLoggedIn> ifNotLoggedIn <sec:ifNotLoggedIn> <g:linkcontroller='login' action='auth'>Login</g:link> </sec:ifNotLoggedIn> ifAllGranted ifAnyGranted ifNotGranted
  • 17.
  • 18.
    Spring Security Service defspringSecurityService getCurrentUser() loadCurrentUser() isLoggedIn() getAuthentication() getPrincipal() encodePassword() updateRole() deleteRole()