This is the second post in the Grails 3 App with Security series, so if you have questions about dependencies, please consult the first post. In this post we will setting up Spring Security in Grails 3 using Gorm-based authentication and after finishing, I'll think be happily surprised at just how easy it is to add Gorm. Unfortunately, my laptop crashed while creating this post, so if you come across any issues with the code samples or have found a better method for anything I have presented, please provide a comment at the bottom. The github repository https://github.com/dspies/grails-3-with-security with this code will be updated shortly.
Before we begin, let's get some clean up out of the way. Grails 3 (or more specifically Spring Boot) will scream at you about having second level cache enabled, but not configured after you add the Gorm classes, so let's just disable second level cache for now. I added the following just before the datasource properties, but you are welcome to add it anywhere in application.yml or configure second level cache as needed.
grails-app/conf/application.yml
...
hibernate:
cache:
use_second_level_cache: false
use_query_cache: false
---
datasource:
...
With that out of the way, let's begin by adding our Gorm domain classes (User, Authority, and UserAuthority). If you have been using Spring-Security-Core plugin for any length of time, the following classes should look pretty familiar because I basically copied from the Grails 2 plugin.
grails-app/domain/example/User.groovy
package example
class User {
String username
String password
boolean enabled = true
boolean accountExpired
boolean accountLocked
boolean credentialsExpired
static constraints = {
username blank: false, unique: true
password blank: false
}
static mapping = {
password column: '`password`'
}
Set getAuthorities() {
UserAuthority.findAllByUser(this).collect { it.authority }
}
} // Blogger really wants to close the authority 'tag', so here go Blogger
grails-app/domain/example/Authority.groovy
package example
class Authority {
String authority
static mapping = {
cache true
}
static constraints = {
authority blank: false, unique: true
}
}
grails-app/domain/example/UserAuthority.groovy
package example
import org.apache.commons.lang.builder.HashCodeBuilder
class UserAuthority implements Serializable {
private static final long serialVersionUID = 1
User user
Authority authority
boolean equals(other) {
if (!(other instanceof UserAuthority)) {
return false
}
other.user?.id == user?.id &&
other.authority?.id == authority?.id
}
int hashCode() {
def builder = new HashCodeBuilder()
if (user) builder.append(user.id)
if (authority) builder.append(authority.id)
builder.toHashCode()
}
static UserAuthority get(long userId, long authorityId) {
UserAuthority.where {
user == User.load(userId) &&
authority == Authority.load(authorityId)
}.get()
}
static boolean exists(long userId, long authorityId) {
UserAuthority.where {
user == User.load(userId) &&
authority == Authority.load(authorityId)
}.count() > 0
}
static UserAuthority create(User user, Authority authority, boolean flush = false) {
def instance = new UserAuthority(user: user, authority: authority)
instance.save(flush: flush, insert: true)
instance
}
static boolean remove(User u, Authority r) {
if (u == null || r == null) return false
int rowCount = UserAuthority.where {
user == User.load(u.id) &&
authority == Authority.load(r.id)
}.deleteAll()
rowCount > 0
}
static void removeAll(User u) {
if (u == null) return
UserAuthority.where {
user == User.load(u.id)
}.deleteAll()
}
static void removeAll(Authority r) {
if (r == null) return
UserAuthority.where {
authority == Authority.load(r.id)
}.deleteAll()
}
static constraints = {
authority validator: { Authority r, UserAuthority ur ->
if (ur.user == null) return
boolean existing = false
UserAuthority.withNewSession {
existing = UserAuthority.exists(ur.user.id, r.id)
}
if (existing) {
return 'userAuthority.exists'
}
}
}
static mapping = {
id composite: ['authority', 'user']
version false
}
}
With the domain classes for our principal/user and authorities/roles in place, let's load two users, user and admin. You could add these in the SecurityConfiguration class, but since most people reading this will be more familiar with Bootstrap, we'll go that route.
Bootstrap.groovy
import example.*
import grails.util.Environment
class BootStrap {
def init = { servletContext ->
switch (Environment.current) {
case Environment.DEVELOPMENT:
def user = new User(username: 'user', password: 'user', enabled: true, accountExpired: false, accountLocked: false, credentialsExpired: false ).save(failOnError: true)
def admin = new User(username: 'admin', password: 'admin', enabled: true, accountExpired: false, accountLocked: false, credentialsExpired: false ).save(failOnError: true)
def roleUser = new Authority(authority: 'ROLE_USER').save(failOnError: true)
def roleAdmin = new Authority(authority: 'ROLE_ADMIN').save(failOnError: true)
UserAuthority.create(user, roleUser, true)
UserAuthority.create(admin, roleUser, true)
UserAuthority.create(admin, roleAdmin, true)
break
case Environment.PRODUCTION:
break
}
}
def destroy = {
}
}
At this point, we have not accomplished much in terms of authentication, so let's change that now. In order to use the domain classes above, we need to:
- Create a custom UserDetails class,
- Create a custom UserDetailsService,
- Add a bean for userDetailsService in resources.groovy, and
- Configure authentication with the bean in the SecurityConfiguration class
First, let's create a GrailsUser that will do little more than extend Spring Security User class. The one thing it adds is the `id` field that will hold the Gorm identifier for the User class. Again, we will raid the Spring-Security-Core plugin from Grails 2:
src/main/java/example/GrailsUser.java
package example;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import java.util.Collection;
public class GrailsUser extends User {
private static final long serialVersionUID = 1;
private final Object id;
/**
* Constructor.
*
* @param username the username presented to the
* DaoAuthenticationProvider
* @param password the password that should be presented to the
* DaoAuthenticationProvider
* @param enabled set to true
if the user is enabled
* @param accountNonExpired set to true
if the account has not expired
* @param credentialsNonExpired set to true
if the credentials have not expired
* @param accountNonLocked set to true
if the account is not locked
* @param authorities the authorities that should be granted to the caller if they
* presented the correct username and password and the user is enabled. Not null.
* @param id the id of the domain class instance used to populate this
*/
public GrailsUser(String username,
String password,
boolean enabled,
boolean accountNonExpired,
boolean credentialsNonExpired,
boolean accountNonLocked,
Collection authorities,
Object id) {
super(username, password, enabled, accountNonExpired, credentialsNonExpired,
accountNonLocked, authorities);
this.id = id;
}
/**
* Get the id.
* @return the id
*/
public Object getId() {
return id;
}
}
Next, we will create our custom UserDetailsService. Like the domain classes and UserDetails class, there is no point writing something that someone else has already done better, so we will use the UserDetailsService from the Spring-Security-Core plugin in Grails 2.
grails-app/services/example/GormUserDetailsService
package example
import grails.transaction.Transactional
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.core.userdetails.UsernameNotFoundException
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
@Transactional
class GormUserDetailsService implements UserDetailsService {
@Transactional(readOnly = true, noRollbackFor = [IllegalArgumentException, UsernameNotFoundException])
UserDetails loadUserByUsername(String username, boolean loadRoles) throws UsernameNotFoundException {
def user = User.findWhere(username: username)
if (!user) {
log.warn "User not found: $username"
throw new UsernameNotFoundException('User not found')
}
Collection authorities = loadAuthorities(user, username, loadRoles)
createUserDetails user, authorities
}
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
loadUserByUsername username, true
}
protected Collection loadAuthorities(user, String username, boolean loadRoles) {
if (!loadRoles) {
return []
}
Collection userAuthorities = user.authorities
def authorities = userAuthorities.collect { new SimpleGrantedAuthority(it.authority) }
return authorities ?: [NO_ROLE]
}
protected UserDetails createUserDetails(user, Collection authorities) {
new GrailsUser(user.username, user.password, user.enabled, !user.accountExpired, !user.credentialsExpired,
!user.accountLocked, authorities, user.id)
}
} //Blogger now wants to close the GrantedAuthority 'tag', so
Next, let's add a userDetailsService bean to resources.groovy for the GormUserDetailsService. Adding a bean to resources.groovy will take care of adding a Hibernate session and transaction to the service and allow us to use Gorm classes in the service.
grails-app/conf/spring/resources.groovy
import example.GormUserDetailsService
import simpleappwithsecurity.SecurityConfiguration
beans = {
webSecurityConfiguration(SecurityConfiguration)
userDetailsService(GormUserDetailsService)
}
Finally, let's replace the code for in-memory authentication:
grails-app/init/simpleappwithsecurity/SecurityConfiguration.groovy
@Autowired
protected void globalConfigure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser('user').password('user').roles('USER')
.and()
.withUser('admin').password('admin').roles('ADMIN');
with our shiny GormUserDetailsService
grails-app/init/simpleappwithsecurity/SecurityConfiguration.groovy
import org.springframework.security.core.userdetails.UserDetailsService;
...
@Autowired
UserDetailsService userDetailsService
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers('/admin/**').hasAnyRole('ADMIN')
.antMatchers('/home/**').hasAnyRole('USER', 'ADMIN')
.antMatchers('/').permitAll()
.and()
.formLogin().permitAll()
.and()
.logout().permitAll()
}
@Autowired
protected void globalConfigure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService)
}
Now fire up the app and you should be able to authenticate against the Gorm domain classes
Adding Password Encoding
The next post handles adding a password encoder (BCrypt) to the application