Secure Your Application Using Spring Security Core

Posted By : Rohit Sharma | 31-Dec-2014

grails

Configure Spring SecurityCore In Grails App:

First we have to install SpringSecurityCore plugin into our project.

Edit the conf/BuildConfig.groovy and modify the plugin.

plugins {
        // plugins for the build system only
        build ":tomcat:7.0.42"

        // plugins for the compile step
        compile ":scaffolding:2.0.0"
        compile ':cache:1.1.1'

        // plugins needed at runtime but not for compilation
        runtime ":hibernate:3.6.10.1" // or ":hibernate4:4.1.11.1"
        runtime ":database-migration:1.3.5"
        runtime ":jquery:1.10.2" // <-- If using 1.8.3, update to this version
        runtime ":resources:1.2"

        compile ":spring-security-core:1.2.7.3"  // <-- Added
    }

Then run (optionally grails clean) grails compile while in project's directory to have the plugin installed.

The next step is to have Spring Security Core create the required models and controllers . Drop into Grails shell (just type grails in project's directory) and run s2-quickstart to get it done.

C:\Users\Source\secureapp>grails
| Enter a script name to run. Use TAB for completion:

grails> s2-quickstart  SecAppUser SecAppRole
*******************************************************
* Created domain classes, controllers, and GSPs. Your *
* grails-app/conf/Config.groovy has been updated with *
* the class names of the configured domain classes;   *
* please verify that the values are correct.          *
*******************************************************

The script created 3 domain classes in domain/secureapp/: SecAppUser and SecAppRole which obvioulsy stand for user and role entities respectively, and SecAppUserSecAppRole which is the many-to-many relationship between them --It's been implemented like this instead of GORM's standard many-to-many feature for performance reasons. Also in controllers/ it created LoginController and LogoutController which along with views/login/auth.gsp and views/login/denied.gsp form our project's login/logout pages.

Spring Security Core is configured properly, just one minor point: since we're using in-memory database right now we have to create the users/roles each time we run the application (this is not an issue if you use a persistent database like PostgreSQL). Edit conf/BootStrap.groovy to tell Grails about our sample users/roles.


import com.bahmanm.secureapp.SecAppRole
import com.bahmanm.secureapp.SecAppUser
import com.bahmanm.secureapp.SecAppUserSecAppRole

class BootStrap {
  def init = { servletContext ->
    def adminRole = new SecAppRole(authority: 'ROLE_ADMIN').save(flush: true)
    def userRole = new SecAppRole(authority: 'ROLE_USER').save(flush: true)
    def testUser = new SecAppUser(username: 'admin', enabled: true, password: 'admin')
    testUser.save(flush: true)
    SecAppUserSecAppRole.create testUser, adminRole, true
    assert SecAppUser.count() == 1
    assert SecAppRole.count() == 2
    assert SecAppUserSecAppRole.count() == 1
  }
  def destroy = {
  }
}

create a controller and secure it using the foundations we just laid: grails create-controller secureapp.SensitiveContentController. Edit the file and make it render something very trivial for now:

package secureapp

import org.springframework.security.access.annotation.Secured
/*
 If you're using older Grails version like 2.2.x series use the
 following instead:
   import grails.plugin.springsecurity.annotation.Secured
 */

class SensitiveContentController {
  
  @Secured(['ROLE_ADMIN'])
  def index() {
    render "Some sensitive content"
  }
}