Benefits Of Using Spring Security With Grails

There are some obvious benefits to writing custom code vs using a plugin. When using a plugin you get a lot of things off the shelf rather than writing it your self. But there is always that risk of adding more bloat to your code base than is needed, debugging and finally bug fixes. Using something as mature as Spring Security has its unique advantages and in my experience a very extensible family of plugins that have got the most love from the Grails community.

1. Basic Authentication and User Management

If you are involved with writing multiple apps you would appreciate how easy it is these days to get an app running with basic user management and authentication across various platforms and Grails is no different. You could setup Spring Security Core and Spring Security UI in around 30 minutes.

• Certificate X509 authentication
• Rember-Me Cookie configurations
• Ajax authentication
• Password Hashing
• Salted Password

All out of the box!

2. Multiple ways to protect an endpoint

Request mappings

You can configure request mappings to secure URLs

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
	'/':               ['permitAll'],
	'/index':          ['permitAll'],
	'/index.gsp':      ['permitAll'],
	'/assets/**':      ['permitAll'],
	'/**/js/**':       ['permitAll'],
	'/**/css/**':      ['permitAll'],
	'/**/images/**':   ['permitAll'],
	'/**/favicon.ico': ['permitAll']
]

Annotate an endpoint directly

Simply adding annotation to a controller action like

@Secured(['ROLE_ADMIN'])
def index() {
	render 'you have ROLE_ADMIN'
}

to protect one of the endpoints or if you wanted to restrict the entire controller, simply add the annotation to the class

@Secured(['ROLE_ADMIN'])
class SecureController

3. Utility code that just shouldn’t be written

SpringSecurityService and SpringSecurityUtils let you do things like:

• Get basic details of the current user (because you don’t want to load the entire user object every time you want to deal with the current user).
• Load current user
• Check if the user has a particular role or does not have a particular role

4. Switch or operate as a different user

It can be configured to allow admins to switch user accounts while they are on the app. This is specially helpful while debugging and seeing exactly what the other user is seeing without asking their password.

5. Allows you to have a notion of Group

This makes it easier to give a group of users a set of authorities.

6. Close to 15 plugins make it easier to extend your authentication needs

• Spring Security ACL which adds support for object-level and method-level authorization using ACLs (access control list)
• Spring Security AppInfo which provides a basic UI to view the security configuration
• Spring Security CAS which adds support for single sign-on using Jasig CAS
• Spring Security OpenID which adds support for OpenID authentication
• Spring Security Facebook which adds support for Facebook authentication
• Spring Security Kerberos which adds support for single sign-on using Kerberos
• Spring Security LDAP which adds support for LDAP and ActiveDirectory authentication
• Spring Security Mock which adds support for fake/mock authentication during developement
• Spring Security OAuth2 Provider which allows your application to be an OAuth2 Provider
• Spring Security RADIUS which adds support for RADIUS authentication
• Spring Security REST which uses a token-based workflow to implement authentication for REST APIs
• Spring Security Shibboleth Native SP which adds support for container provided Shibboleth authentication.
• Spring Security Shiro which adds support for using Shiro ACLs and permissions.
• Spring Security Twitter which adds support for Twitter authentication
• Spring Security UI which provides CRUD screens and other user management workflows.