This document provides an overview of integrating Spring Security into a Grails application. It discusses configuring domain classes like User and Role, securing URL mappings, and using helper classes like the Security TagLib and SpringSecurityService. The plugin simplifies adding authentication and authorization to Grails apps by generating initial classes and configurations and providing tags and services to check authentication status and roles.

1. Spring Security
in Grails

2. Agenda
Introduction
Domain Classes
Request Mapping to Secure URL
Helper Classes

3. Introduction
It simplifies the integration of spring security into grails.
Default values are in the plugin’s grails-app/conf/DefaultSecurityConfig.groovy.
We add application specific values in grails-app/conf/Config.groovy.
The two configurations will be merged with application values overriding the
default.
To use spring security simply integrate its plugin as:-
1. plugins{
compile ‘:spring-security-core:2.0-RC4’
}

4. 2. grails compile
3. grails s2-quickstart com User Role
It will create two controller Name (LoginController and LogoutController), one
gsp page (auth.gsp) and three domain (User, Role and UserRole).
Spring Security is more aggressively restricted, so you can do some basic
changes.,
It is Logout POST only, to allow GET access
grails.plugin.springsecurity.logout.postOnly=false
There are other more setting that you can change.

5. Domain Classes
User
Role
UserRole
Group
UserGroup
GroupRole
Requestmap Class

6. To use standard user lookup you will need minimum an User and a Role
domain.
To manage many to many relationship between User and Role you need
another domain UserRole.
If you want to store URL<->Role mapping then you need Requestmap domain.
If you want to user User/Group lookup then need Group domain.
To manage many to many relationships between User/Group and Group/Role
you need UserGroup and GroupRole respectively.

7. User Domain
Spring-security uses and authentication object to determine whether the current
user has right to perform the secured action, such as accessing the URL and
manipulating the other domain object, accessing the secured method and so
on.
The object will be created during the login.
By default plugin uses the grails User domain to manage this data. (username,
password, enabled and others.
In addition you should define authorities to retrieve the role of the user.
getAuthorities() is analogous to define static hasMany=[roles:Role]

8. Role Domain:-
Spring security also requires an Role class to define the authority to the User.
UserRole:-
The mapping relationship between ‘User' and ‘Role' is a many-to-many.
Users have multiple roles, and roles are shared by multiple users.
This approach can be problematic in Grails, because a popular role, for example, ROLE_USER, will
be granted to many users in your application.
GORM uses collections to manage adding and removing related instances and maps many-to-many
relationships bidirectionally.
The recommended approach in the plugin is to map a domain class to the join table that manages the
many-to-many, and using that to grant and revoke roles to users.

9. User user=new User(name:”Abc”,
email:”abc@nexthoughts.com,password:”123”).save(flush:true)
Role adminRole=new Role(authority:”ROLE_ADMIN”).save(flush:true)
To add role
UserRole.create(user,adminRole)
To remove role
UserRole.remove(user,adminRole)
How to create a user and assign a role to him

10. RequestMap Configuration to Secure Url
Define Secured Annotations
Simple Map in Config.groovy
RequestMap Instance saved in database
Pessimistic Lockdown
Some pages in any application is public and some pages are accessible to
only authorized person. Pessimistic approach is default and have to
configuration options:-
rejectIfNoRule
fii.rejectPublicInvocations

11. rejectIfNoRule:- (true):- then any Url that has no request mappings will be
denied to all users.
fii.rejectPublicInvocations:- (true) Un-mapped Url will trigger
IllegalArgumentException and will show error page.
fii.rejectPublicInvocations:- (false):- You will see Sorry you are not authorized
to view page.
If you want the more obvious error page, set fii.rejectPublicInvocations to true
and rejectIfNoRule to false to allow that check to occur.

12. To reject un-mapped URLs with a 403 error code, use these settings
grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.fii.rejectPublicInvocations = false
To reject with the error 500 page,
grails.plugin.springsecurity.rejectIfNoRule = false
grails.plugin.springsecurity.fii.rejectPublicInvocations = true

13. Defining Secured Annotations
package com.mycompany.myapp
import grails.plugin.springsecurity.annotation.Secured
class SecureAnnotatedController {
@Secured(['ROLE_ADMIN'])
def index() {
render 'you have ROLE_ADMIN'
}
@Secured(['ROLE_ADMIN', 'ROLE_SUPERUSER'])
def adminEither() {
render 'you have ROLE_ADMIN or SUPERUSER'
}
def anybody() {
render 'anyone can see this' // assuming you're not using "strict" mode
}
}

14. Simple Map in Config.groovy
grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugin.springsecurity.interceptUrlMap = [
'/': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/assets/**': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll'],
'/**/favicon.ico': ['permitAll'],
'/login/**': ['permitAll'],
'/logout/**': ['permitAll'],
'/secure/**': ['ROLE_ADMIN'],
'/finance/**': ['ROLE_FINANCE', 'isFullyAuthenticated()'],
]

15. Helper Classes
Security TagLib
SpringSecurityService
SpringSecurityUtils

16. Security TagLib
ifLoggedIn
<sec:ifLoggedIn>
Welcome Back!
</sec:ifLoggedIn>
ifNotLoggedIn
<sec:ifNotLoggedIn>
<g:link controller='login' action='auth'>Login</g:link>
</sec:ifNotLoggedIn>
ifAllGranted
ifAnyGranted
ifNotGranted

17. loggedInUserInfo
<sec:loggedInUserInfo field="username"/>
username
ifSwitched
ifNotSwitched
access
noAccess
link

18. Spring Security Service
def springSecurityService
getCurrentUser()
loadCurrentUser()
isLoggedIn()
getAuthentication()
getPrincipal()
encodePassword()
updateRole()
deleteRole()