Grails spring-security-core Usage Tips

There are a number of web app-layer authentication and authorization plug-ins for Grails. These plug-ins provide essential functionality for user log-in, access control, single sign-on, etc. Spring-security-core is the latest one, built on top of the powerful Java security framework Spring-Security-3.0 (formerly Acegi Security). Spring-Security-3.0 provides support for numerous authentication methods, such as OpenID, LDAP, JAAS, etc. Here are a few common usage tips for this plug-in.

1. Implement your own authentication provider
Spring-Security-Core is still pretty new and may not provide a default authentication provider for your situation. Fortunately, the Spring-Security framework is an interface-based framework, so you can easily implement the org.springframework.security.authentication.AuthenticationProvider interface for your own authentication protocol. Your code sketch may look like this:

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class MyAuthenticationProvider implements AuthenticationProvider {
    // Collaborators (a UserDetailsService, a password encoder, ...) are injected here via resources.xml

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Your custom authentication integration code goes here: verify the credentials, then
        // return a fully populated, authenticated token or throw an AuthenticationException.
        // Returning null means "not handled here" and lets the ProviderManager try the next provider.
        return null;
    }

    // Tell the ProviderManager which Authentication token types this provider can handle
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

The Authentication object can be viewed as a simple security token that holds information about your log-in status, user name/password, user information (UserDetailsService), etc., sort of like a building access badge. Refer to the SpringSource reference documentation for more on Authentication details.

Once you implement the provider interface, register it as a bean in Grails conf/spring/resources.xml with a bean name such as myAuthenticationProvider, and then activate the provider in Grails Config.groovy with one line:
grails.plugins.springsecurity.providerNames = ['myAuthenticationProvider']

Now you are done with your own custom authentication integration and ready to use the log-in form and the other security services in your application. Spring-Security-Core comes with most of the features you need at the HTML form, service and GSP tag level for security integration and deployment.

Since Spring-Security web authentication is servlet-filter based, it always automatically prefixes your application context path in the process. So be careful when configuring application-related URL properties. For example, when login fails, you may want to redirect the user back to the log-in page wherever it is. The proper relative URL is the one without the context path:
${request.forwardURI.substring(request.contextPath.length())}
Notice that we do not use the HTTP Referer header here, as it may not work with some older browsers.

2. Session Fixation Prevention
Spring-Security-Core by default automatically migrates your existing session into a new session upon successful authentication. This prevents session-ID-based attacks such as session fixation.
Another added benefit is that it integrates smoothly with your existing session-based application state, such as a shopping cart or Spring Web Flow: the user can log in at any point of the session flow. But note that log-out wipes out the security session along with your application session data as well. So you may need a warning message telling end-users that logging out in the middle of an application session flow loses that data. If some session data must be processed before logout, you can implement a logout handler and register it in Config.groovy.

3. Password management
Another common requirement is managing expired, locked or temporary passwords, and many applications handle these in slightly different ways. Spring-Security-Core has four methods defined on UserDetailsService (a component of the Authentication object above):
- isAccountNonExpired()
- isAccountNonLocked()
- isCredentialsNonExpired()
- isEnabled()

You can implement any of these methods to suit your application's needs for managing invalid passwords, and redirect the user to a proper error-handling page when the corresponding exception is thrown.
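Pulling sections 1 and 3 together, here is an added worked example (my code, not the plugin's or Spring Security's own) of a complete provider: it looks the user up, enforces the four account-status flags (which live on the UserDetails object returned by UserDetailsService) before comparing the password, and returns an authenticated token that no longer carries the raw password. The userDetailsService and passwordEncoder collaborators are assumed to be injected as bean properties in resources.xml, and the encoder is assumed to be unsalted.

```java
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class MyAuthenticationProvider implements AuthenticationProvider {
    // Both collaborators are assumed to be injected as bean properties in resources.xml
    private UserDetailsService userDetailsService;
    private PasswordEncoder passwordEncoder;
    // Spring's checker for the four flags in section 3; throws Locked/Disabled/AccountExpired/CredentialsExpired exceptions
    private final UserDetailsChecker statusChecker = new AccountStatusUserDetailsChecker();

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Object credentials = authentication.getCredentials();
        String presented = credentials == null ? "" : credentials.toString();
        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(authentication.getName());
        } catch (UsernameNotFoundException e) {
            // Same failure for an unknown user and a wrong password, so the form does not reveal which
            throw new BadCredentialsException("Bad credentials");
        }
        // Status is enforced before the password compare, so a locked or disabled account cannot be used to test guesses
        statusChecker.check(user);
        if (!passwordEncoder.isPasswordValid(user.getPassword(), presented, null)) { // null salt: unsalted encoder assumed
            throw new BadCredentialsException("Bad credentials");
        }
        // The three-argument constructor marks the token authenticated; the raw password is not carried forward
        UsernamePasswordAuthenticationToken result =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        result.setDetails(authentication.getDetails());
        return result;
    }

    // Only username/password tokens from the log-in form are handled by this provider
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public void setUserDetailsService(UserDetailsService uds) { this.userDetailsService = uds; }
    public void setPasswordEncoder(PasswordEncoder pe) { this.passwordEncoder = pe; }
}
```

Because the status checker throws a distinct exception type for each of the four flags, the failure handler can send the user to a different error-handling page for a locked, disabled or expired account than for a plain wrong password.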

Spring-Security-Core is a feature-rich security plug-in that can satisfy most of your application's authentication and authorization needs, with easy-to-use interfaces for extension and customization. The underlying Spring Security 3.0 is also very powerful, so you can be assured that most of your application security requirements can be met.

References

1. grails-spring-security-core/

2. http://static.springsource.org/spring-security/site/
