Last updated by mbrevoort 4 years ago

Stark Security Plugin -- version 0.4.2

The Stark Security plugin -- 'stark' as in simple, but also 'strong' in Swedish -- is an implementation of Spring Security for Grails. The purpose of the plugin is two-fold, as its name implies: to be simple to install, configure, and maintain, and to strongly secure your web application.

To make a long story short, securing your application with Stark Security looks like this:

class BookController {

static authorizations = [ index: Role.ALL_ROLES, edit: [Role.ROLE_EDITOR] ]

def index = { Book.list() }

def edit = { // Some logic to edit a book }

. . .

So there are two features in particular that differentiates Stark Security from the two standard security plugins for Grails (acegi and jsecurity):

  • Lock-down or 'pessimistic' approach. Instead of leaving the web application open and relying on configured rules to lock down certain areas, the Stark Security plugin locks down everything by default. Developers open up access on a controller-method basis as they are coding the controllers.
  • Authorization mappings by convention. The determination of which roles can access which URLs is declared by convention in every controller, right next to the eventual URL end-points (controller methods) as shown in the example above. This makes for straight-forward implementation and maintenance of the security rules.
Stark Security currently supports any number of DAO and LDAP authentication providers, from a single or multiple login forms. Requests for additional providers (or feature requests/defect reports) can be filed here (make sure you select 'Grails-StarkSecurity' as the Component).

Setting Up the Stark Security Plugin

If you're upgrading from version 0.3.x, you can now optionally participate at various points of the Spring Security filter chain. See how under below.
If you're upgrading from version 0.2.x, you can now optionally configure security event listeners/handlers in the config file. See how under below.
If you're upgrading from version 0.1, please follow the upgrading instructions instructions below.

Getting up and running with the Stark Security plugin is a simple three-step process:

1. Install the plugin

Install the plugin in the usual way:

grails install-plugin stark-security

2. Configure the Plugin

You can do this in one of two ways, depending on your needs:

A. Full Installation

If you're starting from scratch with your authentication/authorization scheme, this is the way to go. It will install:

  • Authorization logic
  • DAO authentication
  • LDAP authentication
Execute:

grails stark-security-install-full

The following files will be installed in your application's grails-app directory:

  • conf/StarkSecurityConfig.groovy -- all config properties live here
  • services/UserLookupService.groovy -- service for DAO authentication
  • domain/User.groovy -- domain object used for DAO authentication
  • domain/Role.groovy -- domain object that holds role definitions for authorization
  • controllers/AccessController.groovy -- basic login/logout controller
  • views/access/login.gsp -- basic login form

B. Install without DAO Implementation

If you're planning on using LDAP authentication only, or you already have a DAO-based authentication scheme in place (or plan to roll your own), this is your installation method. It will install:

  • Authorization logic
  • LDAP authentication
Execute:

grails stark-security-install-without-dao

The following files will be installed in your application's grails-app directory:

  • conf/StarkSecurityConfig.groovy -- all config properties live here
  • domain/Role.groovy -- domain object that holds role definitions for authorization
  • controllers/AccessController.groovy -- basic login/logout controller
  • views/access/login.gsp -- basic login form
If you will be using LDAP authentication or customized DAO implementation(s), you will need to edit conf/StarkSecutiryConfig.groovy as appropriate (see comments in the file for assistance).

3. Add your roles

This can be done any number of ways, depending on how you work with your database. The simplest example assumes you're running against an in-memory database -- then you can simply add the roles in conf/Bootstrap.groovy like this:

import org.codehaus.groovy.grails.plugins.starksecurity.PasswordEncoder

class BootStrap {

def init = { servletContext ->

// Create some roles new Role(authority: 'ROLE_SUPER_USER', description: 'Super user').save() new Role(authority: 'ROLE_REPORT_READER', description: 'Report reader').save()

// Create a user, and add the super user role // You do this only if you're using the DAO implementation, for LDAP users don't live in your DB. def user = new User(username: 'superUser', password: PasswordEncoder.encode('password', 'SHA-256', true)) user.save() user.addToRoles(Role.findByAuthority('ROLE_SUPER_USER')) user.save() }

Note that you will want to update the domain/Role.groovy class with static references to the roles you create. In this example, it would look like this:

The prefix 'ROLE_' in your role names is important -- it is a Spring Security requirement that your roles are named that way.

class Role implements GrantedAuthority {

String description String authority

static final ANONYMOUS = 'IS_AUTHENTICATED_ANONYMOUSLY' static final SUPER_USER = 'ROLE_SUPER_USER' static final REPORT_READER = 'ROLE_REPORT_READER'

static final ALL_ROLES = [ ANONYMOUS, SUPER_USER, REPORT_READER ] static final ADMIN_ROLES = [ SUPER_USER, REPORT_READER ]

int compareTo(Object o) { if (o instanceof Role) { return this.authority.compareTo(o.authority) } return 0 }

String toString() { return authority } }

Using Stark Security with your Grails Application

That's it, Stark Security is installed and configured. Now when you're coding your controllers, you simply add a section to each controller that declares the access level for each of its methods. It should look like this:

class BookController {

static authorizations = [ index: Role.ALL_ROLES, view: Role.ALL_ROLES, report: Role.ADMIN_ROLES, edit: [Role.SUPER_USER] ]

. . .

For URLs that do not map to controller methods, there is a similar section in conf/StarkSecurityConfig.groovy where you can open up access for those types of paths.

Configuring Security Event Listeners

This part if optional -- not required for basic use of the Stark Security plugin

Since version 0.3, you can optionally configure security event listeners/handlers with stark security. These can be configured like this in grails-app/conf/StarkSecurityConfig.groovy:

starksecurity {

. . .

// Optionally, you can handle authentication and authorization events as they happen. In the section // below, you can add/edit handlers for any events that can be found in the packages // org.springframework.security.event.[authentication|authorization]. // The event class name must be prefixed with the last portion of the package name, as shown in the // default handlers below. eventHandlers = [ 'authentication.AbstractAuthenticationEvent': { e, appContext -> // This handles the superclass of all authentication events -- put logic here to do something for all authentication events }, 'authorization.AbstractAuthorizationEvent': { e, appContext -> // This handles the superclass of all authorization events -- put logic here to do something for all authorization events } ] }

Participating in Spring Security Filter Chain

This part if optional -- not required for basic use of the Stark Security plugin

Since version 0.4, you can optionally participate in various stages of the Spring Security filter chain. Closures can be configured as follows in grails-app/conf/StarkSecurityConfig.groovy:

// The following interceptors are also optional -- they allow participation in the Spring Security filter chain at various
    // points.  To halt the processing of the filter chain at any of these points, throw an exception and
    // comment out/omit the 'chain.doFilter(request, response)' statement.
    onBeforeAuthentication = { request, response, chain, appContext ->
        // Add code here if you need to intercept the request before it hits the authentication processing filter.
        // For instance, you may want to store the value of a "remember me" checkbox in a cookie.
        chain.doFilter(request, response)
    }
    onBeforeAuthorization = { request, response, chain, appContext ->
        // Add code here if you need to intercept the request before it hits the authorization processing filter.
        chain.doFilter(request, response)
    }
    onAfterAuthorization = { request, response, chain, appContext ->
        // Add code here if you need to intercept the request after it hits the authorization processing filter.
        chain.doFilter(request, response)
    }

Logging Out

To Logout, link to the URL "/j_spring_security_logout". This will accomplish the logout and will redirect to whatever is set logoutUrl to in StarkSecurityConfig.groovy.

Upgrading from Version 0.1

The format for specifying DAO authentication providers changed in version 0.2 -- some options were introduced to allow for arbitrary password encoding algorithms.

In order to have a 0.1 configuration file work with version 0.2 and above, you'll need to modify your configured DAO authentication providers to the new format.

For instance, the default DAO authentication provider ('userLookupService') should change from this:

'userLookupService',
to this:
[
    userDetailsService: 'userLookupService',
    passwordEncoding: [algorithm: 'SHA-256', encodeBase64: true]
],

You'll need to do this for all DAO authentication providers you're using in StarkSecurityConfig.groovy.

Versions

About Stark Security