Kev's Development Toolbox

Search Amazon

Home
Logon

Back to Main Category list

Back to postings in this category

2006-05-22 20:57:43.0 Securing a Grails application using Spring and Acegi Security

Since a Grails application uses Spring, it's possible to configure an application using Grails to use Acegi Security. This example shows what is required to provide role-based URL security for a Grails application.

web.xml config

I found that the ContextLoaderServlet did not work with Acegi Security - it didn't find the applicationContext file. Replacing it with the Listener configuration did work:

  • Comment out the ContextLoaderServlet in web-app/web.template.xml
  • Add the following lines: 
    
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>

<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

Add the following filter configuration and mapping to wire in the Acegi Security beans to the web app: 


<filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>
	  org.acegisecurity.util.FilterToBeanProxy
    </filter-class>
    <init-param>
	  <param-name>targetClass</param-name>
	  <param-value>
		org.acegisecurity.util.FilterChainProxy
	  </param-value>
    </init-param>
</filter>
      
<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

This filter mapping configuration will send all requests through the Acegi filter to check authentication if needed (depending on URL patterns configured in the next section.

Acegi Bean Configuration

Add the following bean definitions to the applicationContext.xml file in web-app/WEB-INF: 


   <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
     <property name="providers">
       <list>
         <ref bean="daoAuthenticationProvider"/>
       </list>
     </property>
</bean>

<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
</bean>

   <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
     <property name="userMap">
       <value>
           admin=password,ROLE_ADMIN
       </value>
     </property>
</bean>

<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
  <property name="defaultTargetUrl"><value>/</value></property>
  <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
</bean>

<!-- prior to ACEGI RC2, was org.acegisecurity.intercept.web.SecurityEnforcementFilter -->
<!--
RC2 notes:
org.acegisecurity.intercept.web.SecurityEnforcementFilter has moved to a new location and name, 
org.acegisecurity.ui.ExceptionTranslationFilter. In addition, the "filterSecurityInterceptor" property on the old 
SecurityEnforcementFilter class has been removed. This is because SecurityEnforcementFilter will no longer 
delegate to FilterSecurityInterceptor as it has in the past. Because this delegation feature has been 
removed (see SEC-144 for a background as to why), please add a new filter definition for FilterSecurityInterceptor 
to the end of your FilterChainProxy. Generally you'll also rename the old SecurityEnforcementFilter entry in your FilterChainProxy 
to ExceptionTranslationFilter, more accurately reflecting its purpose. If you are not using FilterChainProxy 
(although we recommend that you do), you will need to add an additional filter entry to web.xml and use 
FilterToBeanProxy to access the FilterSecurityInterceptor.
-->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
        <ref bean="authenticationEntryPoint"/>
    </property>
</bean>

      <bean id="httpSessionIntegrationFilter"
            class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
            <property name="context">
                  <value>
                        org.acegisecurity.context.SecurityContextImpl
                  </value>
            </property>
      </bean>
      
<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
  <property name="forceHttps"><value>false</value></property>
</bean>
      
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

<bean id="accessDecisionManager" class="org.acegisecurity.vote.UnanimousBased">
    <property name="allowIfAllAbstainDecisions">
        <value>false</value>
    </property>
    <property name="decisionVoters">
        <list>
           <ref local="roleVoter"/>
        </list>
    </property>
</bean>

<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
        <ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager">
        <ref bean="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
           PATTERN_TYPE_APACHE_ANT
            /secure/**=ROLE_ADMIN
            /item/create=ROLE_ADMIN
            /item/delete/*=ROLE_ADMIN
            /item/edit/*=ROLE_ADMIN
            /category/create=ROLE_ADMIN
            /category/delete/*=ROLE_ADMIN
            /category/edit/*=ROLE_ADMIN
            
        </value>
    </property>
</bean>

      <bean id="filterChainProxy"
            class="org.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                  <value>
                        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                        PATTERN_TYPE_APACHE_ANT
                        /**=httpSessionIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
                  </value>
            </property>
      </bean>

This configuration uses the org.acegisecurity.userdetails.memory.InMemoryDaoImpl 'in memory' configuration and defines one user, 'admin', with password 'password', and a role of 'ROLE_ADMIN'.

The org.acegisecurity.ui.webapp.AuthenticationProcessingFilter bean defines the HTML form to be used to perform the authentication, using the page acegilogin.jsp.

The FilterSecurityInterceptor bean ties together all the configuration beans, and allows you to specify URL patterns and roles that are allowed to access those URLs. The URLs are relative to the Grails app. In this example, roles are assigned to Item and Category controllers, and various CRUD actions on those controllers.

Example login page

This is the simplest case HTML page with a form for the logon. Create this file, acegilogin.jsp in the web-app directory: 


<html>

<body>
<h3>Logon</h3>
<form action="j_acegi_security_check" method="POST">
<p>UserID: <input type="text" name="j_username">
<p>Password: <input type="text" name="j_password">
<p><input type="submit" value="Logon">
</form>

</body>

</html>
View Comments: [5] | Add a Comment

Comments:

Date added: 2006-05-23 19:38:26.0 , by: Anon
Subject: runtime problems
I have pasted your code verbatim into my project and when I submit the login form I get a 404 error like this... HTTP ERROR: 404 Not Found RequestURI=/myproject/j_acegi_security_check Any suggestions? Thanks.

Date added: 2006-05-23 19:47:39.0 , by: Anon
Subject: runtime problems
I have pasted your code verbatim into my project and when I submit the login form I get a 404 error like this... HTTP ERROR: 404 Not Found RequestURI=/myproject/j_acegi_security_check Any suggestions? Thanks.

Date added: 2006-05-24 07:58:17.0 , by: Kevin
Subject: Missing filter config in web.template.xml

Sorry, in my cutting and pasting into the article I had missed out the Acegi filter and filter mapping config that also needs to be in the web.template.xml file. I've added it above. The part that was missing was this - add this into the relevant section in your web.template.xml file: 


<filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>
	  org.acegisecurity.util.FilterToBeanProxy
    </filter-class>
    <init-param>
	  <param-name>targetClass</param-name>
	  <param-value>
		org.acegisecurity.util.FilterChainProxy
	  </param-value>
    </init-param>
</filter>
      
<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>


Date added: 2006-05-24 10:49:10.0 , by:
Subject: Works now
Thanks for the update. This works for me now. Do you happen to know if it is possible to use the acegi jsp custom tags in a .gsp?

Date added: 2006-08-07 02:52:11.0 , by: Cool
Subject: Cool!
Cool!.. Nice work!

BBWeblog2 Designed and Developed by
BulletinBoard Designed and Implemented by Mindbeans Software Consulting. Copyright (C) 2003 MindBeans Software Consulting and Kevin Hooke.
Usage and Disclaimer
| Build 101707 v2_beta4 | Developed on SourceForge Powered By HIBERNATE