Adding Spring Security Plugin
The Spring Security plugin allows your app to authenticate users and block them from accessing functions they have no right to use.
Setup
- Add the following in the build.gradle dependencies section: compile 'org.grails.plugins:spring-security-core:3.2.3'
- Open a terminal (cmd), and cd to your project directory
- Type grails to enter the grails console in your project directory.
- Use the s2-quickstart command. hello is the package name; User and Role are the user and role domain classes respectively. Note that a UserRole domain class is also created for the user-role mapping, because one user might have more than one role.
grails> s2-quickstart hello User Role
| Creating User class 'User' and Role class 'Role' in package 'hello'
| Rendered template PersonWithoutInjection.groovy.template to destination grails-app\domain\hello\User.groovy
| Rendered template PersonPasswordEncoderListener.groovy.template to destination src\main\groovy\hello\UserPasswordEncoderListener.groovy
| Rendered template Authority.groovy.template to destination grails-app\domain\hello\Role.groovy
| Rendered template PersonAuthority.groovy.template to destination grails-app\domain\hello\UserRole.groovy
|
| ************************************************************
| * Created security-related domain classes. Your           *
| * grails-app/conf/application.groovy has been updated with *
| * the class names of the configured domain classes;       *
| * please verify that the values are correct.              *
| ************************************************************
Now, except for the root path of your site, going to any other path will send you to the default login page.
Adding User and Role
For testing purposes, we do this in the Grails BootStrap file. In production you should, however, create them somewhere else, and they should only be created once if you have a persistent database. Note that every role needs an authority that starts with the ROLE_ prefix.
package hello

class BootStrap {

    def init = { servletContext ->
        // The generated UserPasswordEncoderListener hashes the plaintext
        // password before the row is inserted.
        User user = new User()
        user.username = "username"
        user.password = "password"
        user.enabled = true
        user.accountExpired = false
        user.accountLocked = false
        user.passwordExpired = false
        user.save()

        // Authorities must carry the ROLE_ prefix.
        Role role = new Role()
        role.authority = "ROLE_USER"
        role.save()

        // Join row mapping the user to the role.
        UserRole userRole = new UserRole()
        userRole.role = role
        userRole.user = user
        userRole.save()
    }

    def destroy = {
    }
}
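The BootStrap above creates its rows on every start, so against a persistent database a second run would fail the unique constraints on username and authority. The following variant, an added example and not the page's own code, looks up each record before creating it, uses failOnError so validation problems are not silently swallowed, and also sets up an admin account for the ROLE_ADMIN rule used later. It assumes the User, Role and UserRole classes generated by s2-quickstart in package hello (including the UserRole.exists(userId, roleId) helper from the generated template) and that the password encoder listener hashes the plaintext password on save; the usernames and passwords are constructed sample values.

```groovy
package hello

// Added example (not the page's own BootStrap): idempotent user and role setup.
// Assumes the s2-quickstart generated User, Role and UserRole classes and the
// generated password encoder listener; credentials below are constructed samples.
class BootStrap {

    def init = { servletContext ->
        Role userRole  = findOrCreateRole('ROLE_USER')
        Role adminRole = findOrCreateRole('ROLE_ADMIN')

        User regular = findOrCreateUser('username', 'password')
        User admin   = findOrCreateUser('admin', 'adminpassword')

        grant(regular, userRole)
        grant(admin, userRole)   // the admin also holds ROLE_USER
        grant(admin, adminRole)
    }

    def destroy = { }

    // Return the existing Role or create it. failOnError raises on validation
    // failure instead of the null that a bare save() returns.
    Role findOrCreateRole(String authority) {
        Role.findByAuthority(authority) ?:
            new Role(authority: authority).save(failOnError: true)
    }

    User findOrCreateUser(String username, String password) {
        User.findByUsername(username) ?:
            new User(username: username,
                     password: password,       // hashed by the encoder listener
                     enabled: true,
                     accountExpired: false,
                     accountLocked: false,
                     passwordExpired: false).save(failOnError: true)
    }

    // Map a role to a user only once; re-running init() must not add duplicates.
    // UserRole.exists(long, long) is assumed to come from the generated template.
    void grant(User user, Role role) {
        if (!UserRole.exists(user.id, role.id)) {
            new UserRole(user: user, role: role).save(failOnError: true)
        }
    }
}
```

Because every lookup happens before the corresponding save, the same file can run unchanged against an empty in-memory database and against an already populated one.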
Access Control
You might also notice that a new file application.groovy
is created under the ./grails-app/conf/spring/ directory. Using this file is one of the ways to control access rights. Go to grails.plugin.springsecurity.controllerAnnotations.staticRules and add two more lines so that it becomes:
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/',                access: ['permitAll']],
    [pattern: '/error',           access: ['permitAll']],
    [pattern: '/index',           access: ['permitAll']],
    [pattern: '/index.gsp',       access: ['permitAll']],
    [pattern: '/shutdown',        access: ['permitAll']],
    [pattern: '/assets/**',       access: ['permitAll']],
    [pattern: '/**/js/**',        access: ['permitAll']],
    [pattern: '/**/css/**',       access: ['permitAll']],
    [pattern: '/**/images/**',    access: ['permitAll']],
    [pattern: '/**/favicon.ico',  access: ['permitAll']],
    // Each role is a separate list element, not one comma-separated string.
    [pattern: '/regular/**',      access: ['ROLE_USER', 'ROLE_ADMIN']],
    [pattern: '/admin/**',        access: ['ROLE_ADMIN']]
]
Assume you have a Regular and an Admin controller. Now, with our username/password, we can access all the paths under the Regular controller, but not the Admin one. You can fine-tune the paths by listing each path under a controller instead of using **. Remember, order does matter here!
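To make the rules concrete, here are the two controllers the patterns refer to together with a fine-tuned rule set that names each action path instead of a ** wildcard. This is an added example, not code from the page; it assumes package hello, the default Grails URL mapping of /controller/action, and the action names shown (index, report, users, shutdown are constructed for the illustration).

```groovy
// Added example, not the page's own code.
// grails-app/controllers/hello/RegularController.groovy and
// grails-app/controllers/hello/AdminController.groovy (shown in one listing).
package hello

class RegularController {
    // /regular/index and /regular/report: ROLE_USER or ROLE_ADMIN
    def index()  { render "regular area" }
    def report() { render "regular report" }
}

class AdminController {
    // /admin/index and /admin/users: ROLE_ADMIN only
    def index() { render "admin area" }
    def users() { render "user list" }
}

// grails-app/conf/application.groovy, the part that replaces the two
// wildcard lines. Every reachable action is listed explicitly, so adding a
// new action to AdminController later does not silently inherit a rule;
// until a rule is written for it, a request to it is not permitted by this
// list and must be tested before release.
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/',               access: ['permitAll']],
    [pattern: '/error',          access: ['permitAll']],
    [pattern: '/index',          access: ['permitAll']],
    [pattern: '/index.gsp',      access: ['permitAll']],
    [pattern: '/shutdown',       access: ['permitAll']],
    [pattern: '/assets/**',      access: ['permitAll']],
    [pattern: '/**/js/**',       access: ['permitAll']],
    [pattern: '/**/css/**',      access: ['permitAll']],
    [pattern: '/**/images/**',   access: ['permitAll']],
    [pattern: '/**/favicon.ico', access: ['permitAll']],
    [pattern: '/regular/index',  access: ['ROLE_USER', 'ROLE_ADMIN']],
    [pattern: '/regular/report', access: ['ROLE_USER', 'ROLE_ADMIN']],
    [pattern: '/admin/index',    access: ['ROLE_ADMIN']],
    [pattern: '/admin/users',    access: ['ROLE_ADMIN']]
]
```

Whichever form you pick, verify the result the same way: log in as the ROLE_USER account from BootStrap and request /admin/index, which must be refused, then log in as a ROLE_ADMIN account and confirm both /regular/index and /admin/index succeed. Since order matters, repeat that check whenever a rule is inserted or moved.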