Creating a simple login form and forcing users through it is relatively straightforward in Grails: create a SecurityFilters.groovy under the grails-app/conf directory, as described in this tutorial.
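As an added illustration (this is not code from the original post or from the linked tutorial), here is the shape such a filter takes. It assumes that your own login action stores the authenticated user in session.user and that the controller serving the login form is called login; both names are assumptions, not something the plugin or Grails dictates:

```groovy
// grails-app/conf/SecurityFilters.groovy (added example, not the post's own code)
class SecurityFilters {

    def filters = {
        // Apply to every controller and action in the application
        loginCheck(controller: '*', action: '*') {
            before = {
                // Assumption: the login action puts the authenticated user into session.user.
                // Anyone without it is sent to the login form, except when they are already
                // on the login controller, otherwise the redirect would loop forever.
                if (!session.user && controllerName != 'login') {
                    redirect(controller: 'login', action: 'index')
                    return false   // stop the original action from running
                }
            }
        }
    }
}
```

The exclusion of the login controller is the check people most often forget; without it the filter redirects the login page to itself. Note that this only gates requests that go through a controller, so static resources under web-app are not covered.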
However, there are plugins available that provide additional capabilities such as registration forms, 'captcha' controls, support for OpenID and LDAP integration, to name but a few.
There are two Grails security plugins that seem to dominate in popularity at the moment:
- Spring Security (aka ACEGI)
- JSecurity
Having said that, I have found the Spring Security plugin to be more than adequate for my own needs and relatively straightforward to implement - here's a quick overview and a brief introduction on how you might configure it:
First off, you need to install the plugin:
grails install-plugin acegi
Your next job is to create what are called the 'authentication domains', of which there are three:
- Authority
- Person
- Requestmap
These are domain classes in the usual sense - they exist in the grails-app/domain directory and get referenced by the underlying authenticateService that is installed as part of the plugin.
You can create these new domain classes, based on the class-names above, as follows:
grails create-auth-domains
However, you can pass parameters to this command if you wish to create classes with alternative names - perhaps names that align more closely with your business model and/or design - for example:
grails create-auth-domains User Role UrlMap
The above will create the same three classes, but under your names instead of the defaults:
- User -> Person
- Role -> Authority
- UrlMap -> Requestmap
You need to be careful here - the temptation might be to start editing these classes so they contain properties that exactly match your design, especially within the User (Person) class.
While there is nothing stopping you from adding new properties, be cautious about renaming existing properties, as the underlying authenticateService specifically expects some of them to exist.
In particular, do not change the following properties:
- User (Person)
  - username
  - passwd
  - enabled
- Role (Authority)
  - authority
- UrlMap (Requestmap)
  - url
  - configAttribute
The same applies to the many-to-many relationship between the two classes: the generated code keeps the plugin's default property names (authorities and people) even when you have renamed the classes themselves:
class User {
    // still called 'authorities', even though the class on the other side is now Role
    static hasMany = [authorities: Role]
    ...
}
class Role {
    // still called 'people', even though the class on the other side is now User
    static hasMany = [people: User]
    ...
}
As you can imagine this also leads to a database schema that is not particularly obvious - in particular you end up with a join table called role_people that actually relates to the user table.
The next step is optional, but I recommend it to start with to get you up and running quickly:
grails generate-manager
This creates both the controllers and the views for each of the domain classes created by the create-auth-domains command.
You can replace the Role and UrlMap controllers with basic scaffolded versions if you prefer, but leave the User controller alone: the generated version is the one that encodes the password before saving, and a plain scaffold would store it in clear text. Likewise, you can remove the generated Role and UrlMap views and rely on Grails' dynamic scaffolding to create them on demand, but once again, leave the User views alone.
You may also notice that some new views are available under a new directory of grails-app/views/login - these are the default login forms provided by the plugin.
Once the plugin has been installed and the appropriate classes, controllers and views generated (as above) you can configure it as follows.
First you need to create a Role (Authority):
http://localhost:8080/myapp/role/create
Set the authority property to ROLE_USER or similar (ie ROLE_ADMIN, ROLE_SUPPORT, etc). Note that the 'ROLE_' prefix is important: Spring Security's role voter only considers authorities that carry it, so a value without the prefix will never grant access.
Next you need to create an UrlMap (Requestmap) entry:
http://localhost:8080/myapp/urlmap/create
Set the url property to the URI that you wish to protect access to - for example, if we had a class called Book that we wanted to protect, we might set the url property to:
/book/**
This is an Ant-style pattern that matches everything under the book URI, which covers the list, show, create, edit, save, update and delete actions.
Then set the configAttribute property to a comma-delimited string of authority values defined earlier in the Role (or Authority) class - in our case this is ROLE_USER.
The plugin will now ensure that anyone wishing to access the /book URI (and anything below it) must have the ROLE_USER role.
Finally, we need to create a user account:
http://localhost:8080/myapp/user/create
The Spring Security plugin will reference the username, passwd and enabled properties when authenticating users - a disabled account is rejected even with the correct password.
The base of the form also displays a list of available Roles with checkboxes next to each one - this allows you to associate a User with one (or more) Roles. Once the user is created, try and access the Book URI:
http://localhost:8080/myapp/book/
You should find yourself redirected to the login form provided by the plugin where you need to enter the username and password entered when you created the user.
Assuming valid details are provided the role(s) associated with that account are checked - if one of these roles matches the UrlMap entry for the /book URI access is granted, otherwise it is denied.
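The three steps above (create a Role, a UrlMap and a User, then link them) can also be done in code, which is handy for getting a fresh database into a known state. The following is an added example and not part of the original post or the plugin; it assumes the renamed classes User, Role and UrlMap from above, that the generated classes carry no further constrained properties beyond the ones listed earlier (if yours do, set them as well), and that the plugin's authenticateService exposes encodePassword(), which is what the generated User controller uses to hash the passwd before saving:

```groovy
// grails-app/conf/BootStrap.groovy (added example, not the post's own code)
class BootStrap {

    // Injected by the Acegi plugin. Assumption: encodePassword() hashes a clear-text
    // password with the algorithm configured in SecurityConfig.groovy.
    def authenticateService

    def init = { servletContext ->
        // 1. Role (Authority): the ROLE_ prefix is what Spring Security's role voter looks for
        def userRole = Role.findByAuthority('ROLE_USER') ?:
            new Role(authority: 'ROLE_USER').save()

        // 2. UrlMap (Requestmap): protect everything under /book with an Ant-style pattern.
        //    configAttribute is a comma-delimited list of the authorities allowed through.
        if (!UrlMap.findByUrl('/book/**')) {
            new UrlMap(url: '/book/**', configAttribute: 'ROLE_USER').save()
        }

        // 3. User (Person): never store the clear-text password; the plugin compares the
        //    hashed passwd property at login. Only the properties the plugin relies on
        //    are set here (see the lead-in about additional constrained properties).
        if (!User.findByUsername('alice')) {
            def user = new User(
                username: 'alice',
                passwd: authenticateService.encodePassword('changeme'),
                enabled: true)
            if (!user.save()) {
                user.errors.allErrors.each { log.error it }
                return
            }
            // The generated many-to-many keeps the plugin's default property name, so the
            // User is attached through the Role's 'people' collection (hence the role_people table)
            userRole.addToPeople(user)
            userRole.save()
        }
    }

    def destroy = { }
}
```

Two things worth checking when you do this: GORM's save() returns null rather than throwing when validation fails, so always inspect the result (as above) or a silently unsaved user will simply fail to log in; and if you add or change UrlMap rows while the application is already running, the plugin caches the request map, so the change is not picked up until the cache is cleared or the application restarted.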
This covers the basics of getting up and running with the Spring Security plugin for Grails - I have only really skimmed the surface and the above illustrates just one possible way of configuring the plugin.
Please reference the tutorials for further information.