Adding Spring Security Plugin

The Spring Security plugin lets your app authenticate users and block them from accessing functions they do not have the right to use.

  1. Add the following in build.gradle dependencies section
    compile 'org.grails.plugins:spring-security-core:3.2.3'

  1. Open a terminal (cmd), and cd to your project directory
  2. Type grails to enter the grails console in your project directory
  3. Use the s2-quickstart command. hello is the package name, and User and Role are the user and role domain classes respectively. Note that a UserRole domain class is also created for the user-to-role mapping, because one user might have more than one role.
grails> s2-quickstart hello User Role
| Creating User class 'User' and Role class 'Role' in package 'hello'
| Rendered template PersonWithoutInjection.groovy.template to destination grails-app\domain\hello\User.groovy
| Rendered template PersonPasswordEncoderListener.groovy.template to destination src\main\groovy\hello\UserPasswordEncoderListener.groovy
| Rendered template Authority.groovy.template to destination grails-app\domain\hello\Role.groovy
| Rendered template PersonAuthority.groovy.template to destination grails-app\domain\hello\UserRole.groovy
* Created security-related domain classes. Your            *
* grails-app/conf/application.groovy has been updated with *
* the class names of the configured domain classes;        *
* please verify that the values are correct.               *

Now, except for the root path of your site, going to any other path will result in the default login page.

For testing purposes, we create the user and role in the Grails BootStrap file. You should, however, create them somewhere else in production, and this should only be done once if you have a persistent database. Note that every role needs an authority that starts with the ROLE_ prefix.

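package hello

class BootStrap {

    def init = { servletContext ->
        // Test-only account with a fixed username and password
        User user = new User()
        user.username = "username"
        user.password = "password"
        user.enabled = true
        user.accountExpired = false
        user.accountLocked = false
        user.passwordExpired = false
        // Save the user and the role before the mapping row that references them
        user.save(flush: true, failOnError: true)

        Role role = new Role()
        role.authority = "ROLE_USER"
        role.save(flush: true, failOnError: true)

        // Map the user to the role
        UserRole userRole = new UserRole()
        userRole.role = role
        userRole.user = user
        userRole.save(flush: true, failOnError: true)
    }

    def destroy = {
    }
}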

You might also notice that a new file, application.groovy, is created under the ./grails-app/conf/spring/ directory. Using this file is one of the ways to control access rights. Go to grails.plugin.springsecurity.controllerAnnotations.staticRules and add two more lines so that it becomes:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
	[pattern: '/',               access: ['permitAll']],
	[pattern: '/error',          access: ['permitAll']],
	[pattern: '/index',          access: ['permitAll']],
	[pattern: '/index.gsp',      access: ['permitAll']],
	[pattern: '/shutdown',       access: ['permitAll']],
	[pattern: '/assets/**',      access: ['permitAll']],
	[pattern: '/**/js/**',       access: ['permitAll']],
	[pattern: '/**/css/**',      access: ['permitAll']],
	[pattern: '/**/images/**',   access: ['permitAll']],
	[pattern: '/**/favicon.ico', access: ['permitAll']],

	[pattern: '/regular/**', access: ['ROLE_USER', 'ROLE_ADMIN']],
	[pattern: '/admin/**', access: ['ROLE_ADMIN']]
]

Assuming you have a Regular and an Admin controller, with our username/password we can now access all the paths under the Regular controller, but not those under the Admin one. You can fine-tune access by listing each path under a controller instead of using **. Remember, order does matter here!
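Why order matters, as an added example (not code from this page or from the plugin): a standalone Groovy script that models rule lookup as "first matching pattern wins" and shows a broad rule shadowing a stricter one. The helper names, the regex approximation of Ant-style patterns, the rejection of unmatched URLs and the '/**' rule are assumptions made for illustration.

```groovy
import java.util.regex.Pattern

// Approximate an Ant-style pattern with a regex: '**' spans segments, '*' stays inside one.
// (Simplified stand-in for the matcher the plugin uses; an assumption of this example.)
Pattern antToRegex(String ant) {
    boolean openEnded = ant.endsWith('/**')
    String body = openEnded ? ant.substring(0, ant.length() - 3) : ant
    String regex = body.split('/', -1).collect { String seg ->
        seg == '**' ? '.*' : seg.split(/\*/, -1).collect { Pattern.quote(it) }.join('[^/]*')
    }.join('/')
    Pattern.compile(regex + (openEnded ? '(/.*)?' : ''))
}

// Return the access list of the first rule whose pattern matches, or null if none does.
List<String> firstMatch(List<Map> rules, String url) {
    Map rule = rules.find { antToRegex(it.pattern as String).matcher(url).matches() }
    rule == null ? null : (List<String>) rule.access
}

// Admit the request if the matched rule is permitAll or the user holds any listed role.
boolean allowed(List<Map> rules, String url, Set<String> userRoles) {
    List<String> access = firstMatch(rules, url)
    if (access == null) return false   // assumption: URLs with no rule are rejected
    access.contains('permitAll') || access.any { it in userRoles }
}

// Rules in the order used on this page (static-resource entries omitted).
def pageRules = [
    [pattern: '/',           access: ['permitAll']],
    [pattern: '/regular/**', access: ['ROLE_USER', 'ROLE_ADMIN']],
    [pattern: '/admin/**',   access: ['ROLE_ADMIN']],
]
// Constructed misordering: the broad '/**' rule sits ahead of the admin rule.
def shadowed = [
    [pattern: '/**',       access: ['ROLE_USER', 'ROLE_ADMIN']],
    [pattern: '/admin/**', access: ['ROLE_ADMIN']],
]
Set<String> user = ['ROLE_USER'] as Set   // the test user created in BootStrap

assert allowed(pageRules, '/regular/index', user)
assert !allowed(pageRules, '/admin/index', user)
assert allowed(shadowed, '/admin/index', user)     // '/admin/**' is never reached
assert !allowed(pageRules, '/reports/list', user)  // no rule matches
println 'rule-order checks passed'
```

When reviewing a staticRules list, read it top to bottom and confirm that no earlier, broader pattern covers a path that a later rule is meant to restrict.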

  • grails/adding_spring_security_plugin.txt
  • Last modified: 2018/10/10 10:13
  • by chongtin