Not to be confused with my prior post based on the Acegi plugin: the Spring/Grails folks (more specifically Burt Beckwith) have released a new Spring Security Core Plugin. As per the docs, the plugin greatly simplifies the work of getting Spring Security 3 to work within Grails, and I for one very much agree.
Similar to my last post where I used the Acegi plugin, I will list the actions one must take to get a trivial Grails-based app going with the new Spring Security Core plugin. These steps are taken almost directly from the docs, with only a few exceptions:

  • HTTPS Channel Security support will be added (similar to my last post).
  • NetBeans IDE will be used instead of the command line (as much as possible).

Let’s get started:

  1. Set up Grails within NetBeans and create a new project as described in my initial post.
  2. Download the new Spring Security Core Plugin, as it is currently not in the default plugin list.
  3. Manually install the plugin using the NetBeans interface: right-click the project, select the “Grails Plugins…” command, then click on the “New Plugins” tab.
  4. Once you have provided the plugin path, press the “Install” button.
  5. Next you will want to run the “s2-quickstart” command with “User” and “Role” as parameters. I was unable to get NetBeans to properly run this command, so I resorted to using the command line.
  6. The script creates the “User”, “Role” and “UserRole” domain classes as well as the required controllers.
  7. As per the tutorial, create a controller that must be secured for testing purposes by running the “create-controller” command with “Secured” as the name parameter.
  8. Modify the controller to render some output and secure it to the Role of “Admin”.
    package springsecuritycore

    import grails.plugins.springsecurity.Secured

    class SecuredController {

       // Only users holding ROLE_ADMIN may invoke this action
       @Secured(['ROLE_ADMIN'])
       def index = {
          render 'Secure access only'
       }
    }
  9. Modify the BootStrap.groovy file to add a default user.
    import com.test.Role
    import com.test.User
    import com.test.UserRole

    class BootStrap {
       def springSecurityService

       def init = { servletContext ->
          // Create the two roles used by the application
          def adminRole = new Role(authority: 'ROLE_ADMIN').save(flush: true)
          def userRole = new Role(authority: 'ROLE_USER').save(flush: true)

          // Store the encoded password, never the plain text
          String password = springSecurityService.encodePassword('password')
          def testUser = new User(username: 'me', enabled: true, password: password)
          testUser.save(flush: true)

          // Grant the test user the admin role
          UserRole.create testUser, adminRole, true

          assert User.count() == 1
          assert Role.count() == 2
          assert UserRole.count() == 1
       }
    }
  10. At this point, if you run the application and attempt to access the “SecuredController”, you will be prompted by the default login page for the credentials username=“me” and password=“password”. These were configured in the BootStrap.groovy file.
  11. To configure Channel Security for HTTPS support, add the following code to your Config.groovy file:
    grails.plugins.springsecurity.secureChannel.definition = [
       '/login/**':         'REQUIRES_SECURE_CHANNEL'
    ]
  12. Now run the “run-app” command with the “-https” flag, and you will find that HTTPS channel security is configured for the “login” URL.
  13. That is pretty much everything. Please keep in mind that if you are using the Postgres database, the domain class “User” will conflict with Postgres (which has a table defined as “User”) and must be mapped to a different table (see this post and response by Burt Beckwith on the Grails forum).
  14. Hope this was helpful to someone and many thanks to the grails community and the plugin creator.

Project code is found on GitHub here.
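
The channel definition in step 11 only matches `/login/**`, so every other URL, including the secured controller, can still be requested over plain HTTP. The Config.groovy fragment below is an added example (not from the original post or the project code) that puts the step 11 setting beside a broader one; the `/secured/**` pattern and the port values are assumptions based on the controller name used here and the usual `run-app -https` ports.

```groovy
// Config.groovy (added example, not part of the original project)

// Step 11 as written: only the login page is forced onto HTTPS.
// Requests to any other URL are accepted on whichever channel they arrive.
// grails.plugins.springsecurity.secureChannel.definition = [
//    '/login/**': 'REQUIRES_SECURE_CHANNEL'
// ]

// Broader variant: patterns are listed from most specific to least
// specific, ending with a catch-all. A plain-HTTP request that matches
// a REQUIRES_SECURE_CHANNEL pattern is redirected to the HTTPS port
// before the login page or the controller is reached.
grails.plugins.springsecurity.secureChannel.definition = [
   '/login/**':   'REQUIRES_SECURE_CHANNEL',  // login form
   '/secured/**': 'REQUIRES_SECURE_CHANNEL',  // SecuredController (assumed URL)
   '/**':         'REQUIRES_SECURE_CHANNEL'   // everything else
]

// Ports used when redirecting between HTTP and HTTPS. The values shown
// are assumed to match "run-app -https"; change them if the container
// listens on other ports.
grails.plugins.springsecurity.portMapper.httpPort = 8080
grails.plugins.springsecurity.portMapper.httpsPort = 8443
```

To keep part of the application on plain HTTP, replace the catch-all value with `'ANY_CHANNEL'` and list each path that must stay on HTTPS above it.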