Admin-only access to spring security ui controllers in grails - grails

I would like to restrict access only for ROLE_ADMIN users to all controllers introduced by the Spring Security UI plugin in grails. (I am using grails 1.3.7, plugins.spring-security-core=1.1.3 and plugins.spring-security-ui=0.1.2)
I can run the config script and create a blank controller for each of the various controllers the ui plugin defines, and decorate that blank controller with #Secured(['ROLE_ADMIN']), but that seems like a tedious and unnecessary approach. Is there a better way?
Thanks,
Gene

Since you're using annotations, the easiest way is to use the controllerAnnotations.staticRules config option. This is for static resources and controllers like these where you shouldn't edit them (or jump through hoops to secure them).
See section "5.1 Defining Secured Annotations" in http://grails-plugins.github.com/grails-spring-security-core/docs/manual/

Related

Grails 3: Best place for Java/Groovy Configuration clases?

The project layout is pretty straightforward for the basic stuff, but I'm looking to write some code for my security layer, generating and authenticating tokens and the like, and I'm not sure where that belongs.
For example, I want to create a class that extends WebSecurityConfigurerAdapter to authorize requests. Where does this belong? The init folder? Services?
Since you're not coding Grails artefacts (ex. controllers, domain classes) then src/main/groovy is a good place for them.

Grails security check

I am using spring-security-core and I have got more than ten controllers, I want to check whether user is logged in all the actions, I know one method of doing if(springSecurityService.isLoggedIn()) in all the actions, Is there any other way to do it, Instead of writing the same logic in all the actions/controllers
If you'd like to deny access to the actions entirely, there are a few ways of doing it.
You can put the #grails.plugins.springsecurity.Secured annotation on the controller class, or action method. You can also specify what needs authentication by URL by creating a request map. You can either create a Requestmap domain object, or you can create a static request map in your Config.groovy with the grails.plugins.springsecurity.controllerAnnotations.staticRules map.
There are more details in the Spring Security Core manual.
If it were me I would take ataylors answer one step further. Do as he said, but instead of copying and pasting the same code in all of your controllers just put it in the Controller.groovy template once then run the generate-all command. Templates are very powerful for things like this, and if you keep your templates up to date you can easily change 10 controllers, or 100 controllers as needed if/when your application evolves.
How to install templates:
http://grails.org/doc/latest/ref/Command%20Line/install-templates.html

What's the best way to save scaffolding for developer access?

I'm working on a project in Grails 2.0.RC1 and I'd like to be able to save the scaffolded controllers and views for my domain objects to have as a "low-level", developer only access to still tinker with things while being able to develop the production version of the views and controllers (with similar names, especially for controllers). I'd like to preserve them as-is, so I can re-generate them as I make updates to the domain layer, so just moving them is most likely not going to work.
I'm hoping there's a way to do some UrlMapping magic that would let me have requests for "/mgr/book" go to the scaffolded Book controller, but "/book" would go to my production controller. I can't find anything in the docs about how to have mappings for specific groups of controllers (without specifying each controller by name versus a $controller notation).
My other thought is to turn my domain layer into a plug-in and then create a separate project that would be just for the scaffolded views. This would be easier to remove before going to production, but also seems like more work, and raises the issue of running two grails apps at the same time on the same box.
I would advance you to go like your last idea. This is also my common approach:
Create an embeddable plugin for your domain model and common services. This also includes common plugins, like spring security and stuff. This will also reduce your dependency resolution time for the main-app btw.
Create an embeddable plugin for your scaffolded views. Change the template of the scaffolded controllers to require authentication and admin-group.
Your main-app uses both plugins.
This keeps your main-app clean and simple and you can still regenerate all your scaffolded views & controllers as you wish. And at least Eclipse STS hot-deployment will still work!
However there is no simple solution for seperating your scaffolded controllers URL-wise yet.
If you are using Spring Security, you should be able to use an InterceptUrlMap or RequestMap Instances to secure the controller URLs.
If your scaffold controllers are only used for scaffolding (and don't have other actions), then you should be able to use basic Secured annotations to secure the entire controller.
Then you can use the scaffolding like normal, protected behind a login.
Other security frameworks may provide similar access control.

grails spring security core - adding security to the hidden scaffolded actions

One can use things annotations like:
#Secured(['ROLE_ADMIN'])
on an actions or on an entire class (seems to work fine), to apply the security control provided by spring security core. Is there a way to apply security to the hidden scaffolded actions, without applying the security constraint to the whole class? I want to use one security constraint for some actions, and a different one for the hidden scaffolded actions.
NOTE: if this isn't immediately do-able/answerable, please disregard, as I will generate the code and include it in that way. I searched and didn't see it, so I'm just wondering if someone knows how to do / if it exists.
If you're using annotations you can secure non-annotated urls with the grails.plugins.springsecurity.controllerAnnotations.staticRules config property - see section "5.1 Defining Secured Annotations" in the docs

Extending Spring Security UI plugin (and plugins in general)

The Spring Security UI plugin, among other things, provides a registration page. On this page are 4 fields: username, email, password, and verify-password. It uses a regular architecture of controller and gsps. Staying with a single page registration for the user, I need to add a bunch of fields -- e.g. address, payment info, etc.
Any thoughts / recommendations on how to extend this plugin's page, so that I can get updated versions and incorporate them without too much re-integration. It's almost like one part of the page should go to the UI controller, and the other parts of the page should go to my controller. Note the UI controller usees regular forms (i.e. not ajax).
Thanks
To custom configure the Spring Security UI plugin I'd first of all have a look at the existing plugin code to get a handle on how it works and then run the override scripts that you require as detailed at:
http://burtbeckwith.github.com/grails-spring-security-ui/docs/manual/guide/10%20Customization.html
In your case you'd need:
grails s2ui-override register com.my.packagename
Jim.
Assuming you used the s2-quickstart script to create the domain classes, controllers, and GSPs, you have 2 options for customising the User domain class
add your custom properties (address, payment info, etc.) directly to the User domain class created by the plugin
create your own User domain class that extends the one generated by the plugin. Add your custom properties to the subclass
According to this article, the latter approach is preferable because:
because it allows you to easily update the generated user domain class
if its template ever changes. It also means you don't overly pollute
your domain model with Spring Security specifics. On the downside, you
have to deal with domain class inheritance, although the cost is
pretty minimal.
You'll also need to add the custom fields to the GSPs. The controller actions probably won't require any modifications.

Resources