I spent a couple of weeks trying to figure out what solution I should bring to this question I posted. Since I couldn't find a full documentation for Shiro-Grails integration, I am looking for some other framework (like Spring) to secure our lightweight web based Grails application.
The application is couple of months old and it is not a huge application. Not more 20 persistent classes. However, I believe it will grow up soon. But, security is not implemented yet and I want to make sure that I will find the best security framework (for me the best might include: free source, well documented, easy to integrate with Grails, extensible, and last but not least more secured).
Any suggestions?
Steve is right - it is between SpringSecurity and Shiro.
I am using Shiro - the documentation isn't as good as it could be, but the *-Permissions are great.
You grant permission by specifying "controller:action" tuples. And you can use lists and wildcards:
"*:list,show" //everything read-only
"book:*" //everything allowed on the book class
"*:*" //admin
As a result, you have all permissions as whitelist (based on controller:action) in one file.
What I've seens so far for SpringSecurity is that you often base the permissions on URLs - that's IMHO an easy way to miss to secure a controller or action. see Securing actions in Grails 2 rc3 for example :-)
PS: if anybody knows how this kind of *-Permission is done in SpringSecurity, please post a comment!
The standard Grails security framework is Spring Security. Check out the docs
Pretty much it is between SpringSecurity and Shiro.
Spring Security seems to be becoming the standard for Grails as doelleri said, it should provide anything you could ever wish for and is well documented and designed. Shiro I found to be functionally on a par for the basic security tasks but I feel the docs let it down in comparison. There is a plugin (now not being maintained) called Nimble that uses Shiro as a basis, Nimble is powerful and provides a lot of functions such as user management GUI out-of-the-box.
I just started with Spring Security for a new project and am now finding it very powerful and simple to use, and am glad I made the change. But in the end it is up to your project/organisational needs.
Related
For a new Spring (Boot) application I'm considering using Spring WebFlow. As other applications we use are using Thymeleaf for views, base templates are available and I very much want to reuse those.
The problem however is that Spring WebFlow and Thymeleaf don't work together. I did a little research and concluded that I'd probably have to extend/replace at least WebFlow's FlowResourceFlowViewResolver and MvcViewFactoryCreator. As I haven't found any information on WebFlow+Thymeleaf I'm wondering if:
Has anybody done this before and have some code for me to reuse?
As I seem to be the only one so far who considers WebFlow+Thymeleaf, are there reasons for not doing so? (except for the current limitations of Webflow)
In our enterprise app, we would like to put cross cutting concerns like logging, metricing as aspects. We already have the aspectj advices ready(from our existing java app) but I am not finding a way to integrate aspectj with Grails.
I am already aware of beforeInterceptor and afterInterceptor, but these need to be done in all Controllers and Services, is there an easier way to do this.
My preferred approach would be to create annotations for e.g #Metrics on any method in my grails application and it should get adviced. Has anyone done this, any links/resources/examples would be great to have.
Maybe you can take a look at Grails Filters which can be used for cross cutting concerns such as logging etc:
http://grails.org/doc/2.1.0/ref/Plug-ins/filters.html
Regarding using of annotations, maybe this article could be helpful, but I haven't checked it:
http://manbuildswebsite.com/2010/03/15/simple-aspects-using-annotations-in-grails/
Best of luck.
I'm investigating technologies to build a commercial SaS site for a shop that predominantly uses Microsoft technologies.
The idea is that the site will have pluggable modules, with features that are either free or paid. Customers will be able to chop & change between features, & have their billing adjusted automagically as they do so.
If I were rolling this myself, I'd use:
.NET 4 / VS2010 / C# / ReSharper / NUnit / Moq
NDependencyInjection
SQL Server
LINQ to SQL
ASP.NET MVC 3
Authorize.net (or possibly billing hand-off to SAP)
Selenium
... and hand-roll an IOC-based plugin architecture (e.g., there is some good discussion on ASP.NET MVC plugins here and here).
But at this point I'm wondering - has this been done before? I'm imagining some sort of vaguely CMS-like architecture with built-in plug-in, commerce & subscription stuff. All of that, rolled up into an 'off the shelf' solution, either FOSS or commercial.
Can anyone recommend such a solution, or is it simply a 'roll your own' job? I think DotNetNuke might be worth looking at, but would appreciate feedback from people who've used it in production for this sort of task.
Edited to add: DotNetNuke appears set on continuing with WebForms, which is a big turn-off for me at least. As one of the commenters on that post said, it's an evolutionary dead-end.
Edited again: Silverlight is definitely out for this project. We need to support a wide range of devices, including non-Microsoft mobile devices like Android and iOS tablets & phones. We do need a reasonably rich UI but we'll be doing that in Javascript.
For a project which needed plugable modules, I've used MEF (which comes built in to .net 4.0).
By using this great code for compiling views into a dll it was easy to use MEF to load additional views and controllers making extensability easy.
The only other thing i'd do differently to your suggestments is to use Linq to Entites rather than Linq to Sql. The latest code-first version makes it very quick to get things up and running
Martin
I've done a similar solution for a VOIP PBX solution. I've made everything myself using nhibernate, autofac and a couple of own libraries. It's not really different from doing a normal application.
The most important aspect you need to understand is that ALL modules are loaded at ALL time. Theres no way around that if you need a solution that works well (you could jungle with one app domain per customer but that's not very inefficient).
You should instead control authorization using the standard .NET CAS (Code Access Security) solution. You do this by creating your own IPrincipal and IIdentity. The principal should correspond the tenant (organization) while IPrincipal corresponds to the user.
I use a ITenantEntity interface (contains the tenant db id) on all of my classes/entities which should belong to a tenant. It's used to validate that the currently logged on user really have access to the entity requested.
The hardest thing is if your application is multithreading (for instance if you got a background thread or timer doing some maintenance). The reasons is that it's quite easy to forget to switch to the correct IPrincipal which makes all your CAS checks fuck up. The easiest way to go around that is to create a custom Timer and Thread classes which forces you to specify a IPrincipal (or at least makes it easy to switch).
Another common approach is to use the tenantId argument on all service / repository methods. But that isn't a very robust solution imho.
Why would anyone roll these in an 'off the shelf' solution?
These parts of the architecture are quite independent and you can substitute for whatever suits your needs.
If I know Rails, what new ideas/patterns would I learn if I looked at Grails?
I have no intention to move to Grails and no need for a Java stack, but if there are neat ideas I could learn from Grails I'd like to learn them.
Grails has taken totally different direction. It is very hard to compare Grails and Rails.
Grails is not framework. It is stack of frameworks. You can find all the features you find in plain Spring, Hibernate, Quartz, Compass, Sitemesh frameworks. So at the end you get all the best from all these frameworks with convention-over-configuration.
However, I really want to mention about very interesting idea introduced in Grails about modulizing the application into plugins. Plugin in Grails is minimized independent project. Separating application logics into plugins allows to share your code to community and keep application in separate modules which results in easier testing and easier development.
Grails has at least two patterns I'm aware of that I believe do not exist in Rails:
Command objects (and auto binding request params to them)
Conversation based request handling using web flows
I'm new to grails. I'd like to give it a whirl by implementing a new feature or two into an existing Java EE application. The current Java EE app is a fairly standard Spring MVC/Hibernate app running on Tomcat. Looking through the documentation, it looks like I should be able to leverage all of the current business logic that's written in Java.
I've only been able to find tutorials on creating new grails applications. Does anyone know of a tutorial for integrating with an existing Java EE app? If not a tutorial, any recommendations or suggestions on where to start?
Whether or not those features go live would depend on my experience with Grails and if I think it's worthwhile using it going forward. The goal would to either:
Decide Grails isn't for me (and not deploy grails).
Decide it is for me, and all future development on this app would be in Grails with a full eventual port over.
I'm afraid I don't know of any such tutorials, but my immediate thought would be that porting an application while also combined with learning Grails could be a big uphill.
I haven't done this sort of thing before, so these are just musings on how I might approach doing this..
Since GSPs are not analogous to JSPs and since Controllers in Java are statically typed, whereas Grails controllers have magic methods wired onto them, I would probably want to re-write those again in Grails from scratch since their transferability isn't obvious - the logic should transfer but the boilerplate of the old code isn't altogether necessary for the most part.
Maybe take a simple story/feature, keep the existing Services it uses and get them wired in via Spring in Grails. Then try making one for one copies of what you have in Java with corresponding Controller/GSP and Domains. That should give you some feel of what stuff you need to get off the ground for the port.
Your biggest struggle, from people who I have heard of doing this, might well be trying to re-use your existing hibernate stuff in Grails.
Just my tuppence, not so much a whole answer...
Insert Grails into an Spring app is not easily achievable, you can try to insert the old Spring app into a Grails app, and continue from that point.
Here you've some info 'bout using the hibernate mappings and java classes.
You also have to have to add the beans of the Sprint app to the Grails app. You can insert them into the ApplicationContext directly or use the resources.xml or resources.groovy.
It depends on how you've written the Java EE app. You cannot drop it into the Grails runtime and expect it to work with no tweaking, especially the 'controller' part of your app (since grails uses its own conventions for that). The UI, if its jsp, may be a bit better, since you can probably rename them to gsp, and have it work. tag libs works straight away, and normal java classes work straight away obviously. Hibernate objects may need tweaking - though i suppose it may just be easier to redo those using grails.
-my 2cents