Acegi security / spring security GSP tags in grails
When developing any web application, security is a common concern. Authentication, role based access and integration with AD etc. are some common concerns that Java developers face. Acegi or Spring Security is a brilliant way to integrate declarative security in your web applications.
Architecturally the solution is a stack of servlet filters that provide hooks where the developer can add custom code to provide authentication etc. Obviously the security providers are completely customizable. The solution is brilliant and the power is in its simplicity. When using it in a vanilla Spring based web application, getting all the filters configured can be a real toil. Luckily for Grails developers the Acegi plugin installs with sensible defaults and exposes the entire configuration in a single file called SecurityConfig.groovy in the grails-app/conf directory. You also have an option of generating domain classes for authorities/roles and users, and a complete management and login/register UI including email notifications. Not bad for executing 3-4 commands on the prompt.
The plugin also exposes some tags that the GSP author can use in his/her page. I looked for an online reference to the tags but found nothing so I decided to write one on my own.
isLoggedIn
The isLoggedIn tag is a simple way to test if the Spring Security context has a principal. If the user has logged in, the Spring Security context is populated with a "principal" object. Anything inside the tag will be rendered only if the user is logged in.
Example usage:
<g:isLoggedIn>
Hello user - you are logged in!
</g:isLoggedIn>
isNotLoggedIn
The inverse of isLoggedIn: the body is rendered only when no principal is present in the security context.
Example usage:
<g:isNotLoggedIn>
Hello user! Please register/login before giving me all your money!
</g:isNotLoggedIn>
loggedInUserInfo
This tag gets the User domain class from the security context. The tag takes in one attribute called "field" - this is the name of the Java bean property (with a corresponding getter method) in the domain class. If the user is not authenticated, the tag body is rendered in place of the property value.
Example usage:
<g:loggedInUserInfo field="userRealName">Not logged in user</g:loggedInUserInfo>
The above tag will display the userRealName property of your user domain class (as configured by the loginUserDomainClass inside SecurityConfig.groovy) for a logged in user and 'Not logged in user' for an unauthenticated user.
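As an added example (not code from the original post or the plugin), the three tags above combined into a page header that adapts to the login state. It assumes the plugin's default login controller (login/auth), logout controller and register controller, and a user domain class with userRealName and username properties; adjust those to your SecurityConfig.groovy.

```gsp
<%-- Added example, not from the original post. Controller names (login/auth, logout,
     register) and the userRealName/username properties are assumptions. --%>
<div id="header">
  <g:isLoggedIn>
    <span class="user">
      Signed in as
      <g:loggedInUserInfo field="userRealName">unknown user</g:loggedInUserInfo>
      (<g:loggedInUserInfo field="username">?</g:loggedInUserInfo>)
    </span>
    <g:link controller="logout">Log out</g:link>
  </g:isLoggedIn>
  <g:isNotLoggedIn>
    <g:link controller="login" action="auth">Log in</g:link> or
    <g:link controller="register">register</g:link>
  </g:isNotLoggedIn>
</div>
```

A display-name property such as userRealName is usually typed in by the user at registration, so check that the plugin's tag HTML-encodes the value before writing it into the page, or constrain the property in the domain class; a real name rendered raw into every page is a classic stored XSS sink.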
ifAllGranted
This tag is useful for customizing UI attributes - links, tabs, menu items etc. The tag takes in one attribute called role which takes a comma separated list of roles. The body will only be rendered if all the listed roles are assigned to the logged in user.
Example usage:
<g:ifAllGranted role="ROLE_USER,ROLE_ADMIN">
You are allowed to edit the application settings.
</g:ifAllGranted>
ifNotGranted
The usage of this tag is similar to ifAllGranted - the only difference is that the body will be rendered only if none of the listed roles belong to the logged in user.
Example usage:
<g:ifNotGranted role="ROLE_ADMIN, ROLE_DBA">
You are not allowed to modify database settings.
</g:ifNotGranted>
ifAnyGranted
Again this is similar to ifNotGranted and ifAllGranted: the body will only be rendered if at least one of the listed roles is assigned to the logged in user.
Example usage:
<g:ifAnyGranted role="ROLE_ENGINEER, ROLE_MANAGER">
You are allowed to see the bug reports.
</g:ifAnyGranted>
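The following navigation menu is an added example (not code from the original post or the plugin) that puts the three role tags side by side so the any/all/none semantics can be compared in one place. The role names, controller names and menu structure are assumptions for illustration.

```gsp
<%-- Added example, not from the original post. Roles and controllers are assumptions. --%>
<ul id="nav">
  <li><g:link controller="home">Home</g:link></li>

  <%-- ifAnyGranted: shown to a user holding at least one of the two roles --%>
  <g:ifAnyGranted role="ROLE_ENGINEER, ROLE_MANAGER">
    <li><g:link controller="bugReport" action="list">Bug reports</g:link></li>
  </g:ifAnyGranted>

  <%-- ifAllGranted: shown only when BOTH roles are held --%>
  <g:ifAllGranted role="ROLE_USER,ROLE_ADMIN">
    <li><g:link controller="settings" action="edit">Application settings</g:link></li>
  </g:ifAllGranted>

  <%-- ifNotGranted: shown to users holding neither role; wrapped in isLoggedIn so the
       notice only applies to authenticated users --%>
  <g:isLoggedIn>
    <g:ifNotGranted role="ROLE_ADMIN, ROLE_DBA">
      <li class="note">Database settings are read-only for your account.</li>
    </g:ifNotGranted>
  </g:isLoggedIn>
</ul>
```

These tags only decide what is rendered. A user who types /settings/edit into the address bar never sees the menu, so the same rules must exist on the server side in the request-to-role mapping configured in SecurityConfig.groovy, and the tags should mirror those rules rather than replace them.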

Ed.T:
Great summary. A resource I found helpful in exploring this topic is the book Beginning Groovy and Grails From Novice to Professional. It shows several security plug-ins with detailed instructions for use.
October 2, 2008, 9:07 am