Upgrading the Spring Security Core Plugin in Grails

Posted By : Santosh Singh | 11-Oct-2014

1.) Package changes.

All classes are now in the grails.plugin.springsecurity package or a subpackage, so you just need to change the package name in your imports. For example,

org.codehaus.groovy.grails.plugins.springsecurity.NullSaltSource

is now

grails.plugin.springsecurity.authentication.dao.NullSaltSource

2.) Secure URLs.

In previous versions URLs were open by default, but this approach has changed in the newer version: all unmapped URLs are now secured by default and not accessible to the public.

This becomes a problem when an application has many JS/CSS resources and we cannot declare for each URL whether it is public or secured.

There are two approaches to solve this issue.

The plugin provides two configuration options in the Config.groovy file.

2a.) If rejectIfNoRule is true (the default), then any URL that has no request mapping (an annotation, an entry in controllerAnnotations.staticRules or interceptUrlMap, or a Requestmap instance) will be denied to all users. The other option is rejectPublicInvocations: if it is true (the default), then unmapped URLs will trigger an IllegalArgumentException and will show the error page.

Don't get confused: just set both to false and, as in the old versions, every unmapped URL will be public and accessible.

grails.plugin.springsecurity.rejectIfNoRule = false
grails.plugin.springsecurity.fii.rejectPublicInvocations = false

2b.) If you want to keep rejectIfNoRule or rejectPublicInvocations set to true because you are working on a site that is not public, the plugin has another approach for you: staticRules.

We can permit selected URL patterns to everyone.

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
   '/secure':               ['ROLE_ADMIN'],
   '/index':          ['permitAll'],
   '/index.gsp':      ['permitAll'],
   '/assets/**':      ['permitAll'],
   '/**/js/**':       ['permitAll'],
   '/**/css/**':      ['permitAll'],
]

3.) Logout POST only 

By default, only POST requests are allowed to trigger a logout in newer versions. To allow GET access, set postOnly to false.

grails.plugin.springsecurity.logout.postOnly = false

4.) Password hashing algorithm

The default password hashing algorithm has changed. There is no need to worry: the plugin gives you a way to keep using the passwords already in your database with the latest version.

Just check your current password hashing algorithm settings and put them in Config.groovy:

grails.plugin.springsecurity.password.algorithm = 'SHA-256'
grails.plugin.springsecurity.password.hash.iterations = 1
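
One way to check which legacy settings your stored hashes actually use before filling in the two properties above, as an added example (not from the original post or the plugin's code). It assumes the message-digest scheme of Spring Security's MessageDigestPasswordEncoder (optional `password{salt}` merge, hex or Base64 output); the function names and the sample hash are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Candidate values for password.algorithm and password.hash.iterations.
ALGORITHMS = ("MD5", "SHA-1", "SHA-256", "SHA-512")
ITERATIONS = (1, 2, 10, 100, 1000, 10000)


def legacy_hash(password, algorithm="SHA-256", iterations=1, salt=None, b64=False):
    """Digest a password the way MessageDigestPasswordEncoder does (assumed scheme)."""
    merged = f"{password}{{{salt}}}" if salt else password  # salted form: password{salt}
    name = algorithm.replace("-", "").lower()               # 'SHA-256' -> 'sha256'
    digest = hashlib.new(name, merged.encode("utf-8")).digest()
    for _ in range(iterations - 1):                          # stretching re-hashes the raw bytes
        digest = hashlib.new(name, digest).digest()
    return base64.b64encode(digest).decode("ascii") if b64 else digest.hex()


def identify_settings(known_password, stored_hash, salt=None):
    """Return (algorithm, iterations, encoding) matching a test account's hash, or None."""
    stored = stored_hash.strip().encode("utf-8")
    for algorithm in ALGORITHMS:
        for iterations in ITERATIONS:
            for b64 in (False, True):
                candidate = legacy_hash(known_password, algorithm, iterations, salt, b64)
                if hmac.compare_digest(candidate.encode("ascii"), stored):
                    return algorithm, iterations, "base64" if b64 else "hex"
    return None


# Constructed sample: a throwaway test account whose password is known to be "password".
SAMPLE_STORED = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"

if __name__ == "__main__":
    match = identify_settings("password", SAMPLE_STORED)
    if match is None:
        print("no match: the hash may be salted, bcrypt, or use other settings")
    else:
        print("grails.plugin.springsecurity.password.algorithm = %r" % match[0])
        print("grails.plugin.springsecurity.password.hash.iterations = %d" % match[1])
```

Run it against one row from your own user table for a test account whose password you know; a `None` result means the hashes were not produced by a plain message digest with these settings.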