Spring Security is one of the basic building blocks I use pretty much every time I’m constructing a web application. It’s a very mature and incredibly powerful security framework, one of its main benefits being its versatility. There are hooks and plugs everywhere, allowing you to extend and combine basically any way you want.
Now, if you want to apply security in a Grails application you are typically pointed in the direction of the Grails Acegi Plugin, which does a rather decent job at applying basic security to your Grails application. It quickly falls short however when you need to start doing something more than the bare basics (which you pretty much always need to do); even though the plugin is based on Spring Security, far from everything in the original framework is supported in the plugin, and hooking in custom components is pretty much out of the question. In addition to this, the Acegi Plugin is haunted by a couple of pretty annoying bugs.
Bottom line: for any real-world scenario you will most likely want to fall back to the original, i.e. use the original Spring Security framework in your Grails application. Since Grails is Spring-based it shouldn’t be all that much work to set that up, right? Well, basically yes, but as I set out to do it I ran into a number of problems before I got it right, so I thought I might as well lay out the steps and pitfalls.
1. Download and Install the Spring Security jars
Typically, for the basic setup you should need only spring-security-core-tiger.jar, but depending on your requirements you might need to include more of the Spring Security binaries. Place the jars in the lib directory of your Grails application.
2. Install Templates
Spring Security is based on an HTTP filter chain, which needs to be declared in the WEB-INF/web.xml file of the web application. This file is normally generated for you automatically by Grails, but in the event that you need more control (such as on this occasion) you can have the default file generated for you to edit. The command for this is grails install-templates. This will generate a number of files, and the web.xml will be ready for editing under
3. Add the Spring Security Filter Chain
There will be a number of filters defined in the web.xml file already. Add the Spring Security filter after the other filter definitions, but before the filter-mapping entries (all the filter definitions need to be placed before the filter-mapping ones, or else evil things will happen with any additional filters generated by Grails and we’ll get in trouble when we deploy in Tomcat).
Now, after the other filter-mapping entries, add the filter-mapping for the Spring Security filter:
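As an added example (not the post's own web.xml), here are the two web.xml entries this step describes, shown in the positions the post prescribes. It assumes Spring Security 2.0.x, where the security namespace configuration registers a bean named springSecurityFilterChain; the filter-name below must match that bean name exactly, because DelegatingFilterProxy looks the bean up by name at request time.

```xml
<!-- Added example web.xml fragment, not the post's original file.
     Assumes Spring Security 2.0.x (the "tiger" jar generation). -->

<!-- ... Grails-generated <filter> definitions come first ... -->

<!-- Spring Security filter: goes after the last existing <filter>
     and before the first <filter-mapping>. DelegatingFilterProxy
     hands every request to the Spring bean whose name equals
     this filter-name, so it must be "springSecurityFilterChain". -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- ... Grails-generated <filter-mapping> entries come here ... -->

<!-- Spring Security mapping: goes after the other filter-mappings.
     Mapping to /* means the security chain sees every request,
     so URLs you intend to be public must be allowed explicitly
     in the Spring Security configuration rather than by omission. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

A quick way to confirm the chain is actually active after deployment is to request a page that the Spring Security configuration protects: if you reach it without being redirected to a login, the filter is not wired in (typically a mismatched filter-name or a mapping placed above a Grails filter definition).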
4. Spring Security Configuration
Now we’re ready to add the Spring Security configuration XML. Note that this configuration needs to be placed in grails-app/conf/spring/resources.xml. I initially tried to put it in WEB-APP/WEB-INF/applicationContext.xml but due to the Grails ApplicationContext loading magic that attempt failed spectacularly. We’ll start out with a minimal Spring Security configuration just to get things going; for more information on the configuration topic I’ll refer to the reference documentation.
<sec:intercept-url pattern="/**" access="ROLE_USER"/>
<sec:user name="mattias" password="12345" authorities="ROLE_USER"/>
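The two lines above are the interesting part of the configuration; as an added example (not the post's own file), here is the complete, loadable resources.xml they belong in, including the namespace declarations that are easy to forget. It assumes Spring Security 2.0.x and Spring 2.5 schema versions, and uses the same in-memory user as the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: grails-app/conf/spring/resources.xml, not the post's own file.
     Assumes Spring Security 2.0.x and Spring 2.5 (schema URLs below). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- <sec:http> builds the bean named "springSecurityFilterChain" that
         web.xml's DelegatingFilterProxy delegates to. auto-config="true"
         adds form login, HTTP Basic, logout and anonymous support so a
         minimal setup works without further beans. -->
    <sec:http auto-config="true">
        <!-- Deny-by-default: every URL requires ROLE_USER. Rules are
             evaluated top to bottom, so any more specific patterns
             (e.g. public resources) must be listed before this one. -->
        <sec:intercept-url pattern="/**" access="ROLE_USER"/>
    </sec:http>

    <!-- In-memory user store: fine for getting the chain running,
         but passwords are stored in clear text in this file. -->
    <sec:authentication-provider>
        <sec:user-service>
            <sec:user name="mattias" password="12345" authorities="ROLE_USER"/>
        </sec:user-service>
    </sec:authentication-provider>
</beans>
```

Before moving past this minimal setup, replace the in-memory user-service with a real user store and a password encoder; the clear-text credentials here exist only to prove that the filter chain and the configuration file are being picked up.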
Another note of caution here: if there is anything incorrect in your resources.xml, Grails will happily and silently ignore it and go ahead and start anyway. Therefore, whenever you start doing stuff with your own custom Spring configuration in a Grails app it is imperative to configure your logging so that Spring warning and error messages are logged properly, or you’ll be completely in the dark trying to figure out what went wrong.
As it turns out this wasn’t as bad as expected. You’re now all set to unleash the full power of Spring Security on your Grails application.