Stark Security Plugin
Dependency:

    compile ":stark-security:0.4.3"
Summary
Installation
Setting Up the Stark Security Plugin
Getting up and running with the Stark Security plugin is a simple three-step process.

If you're upgrading from a previous version to 0.4.3 and want to take advantage of the fix for session fixation attacks, you'll need to manually insert the last two lines shown here in grails-app/conf/StarkSecurityConfig.groovy (new installations of 0.4.3 get this automatically):

    authenticationManagers = [
        [
            // This is the default authentication manager.
            name: 'AM',
            processesUrl: '/j_spring_security_login',
            alwaysUseDefaultTargetUrl: false,
            authenticationSuccessUrl: '/access/loginSuccess',
            authenticationFailureUrl: '/access/authenticationFailure',
            invalidateSessionOnSuccessfulAuthentication: true, // <-- THIS ONE
            migrateInvalidatedSessionAttributes: true          // <-- AND THIS ONE
        ]
    ]
1. Install the plugin

Install the plugin in the usual way:

    grails install-plugin stark-security
2. Configure the Plugin

You can do this in one of two ways, depending on your needs:

A. Full Installation

If you're starting from scratch with your authentication/authorization scheme, this is the way to go. It will install:
- Authorization logic
- DAO authentication
- LDAP authentication
    grails stark-security-install-full

Files added under grails-app/:
- conf/StarkSecurityConfig.groovy -- all config properties live here
- services/UserLookupService.groovy -- service for DAO authentication
- domain/User.groovy -- domain object used for DAO authentication
- domain/Role.groovy -- domain object that holds role definitions for authorization
- controllers/AccessController.groovy -- basic login/logout controller
- views/access/login.gsp -- basic login form
B. Install without DAO Implementation

If you're planning on using LDAP authentication only, or you already have a DAO-based authentication scheme in place (or plan to roll your own), this is your installation method. It will install:
- Authorization logic
- LDAP authentication
    grails stark-security-install-without-dao

Files added under grails-app/:
- conf/StarkSecurityConfig.groovy -- all config properties live here
- domain/Role.groovy -- domain object that holds role definitions for authorization
- controllers/AccessController.groovy -- basic login/logout controller
- views/access/login.gsp -- basic login form
3. Add your roles

This can be done any number of ways, depending on how you work with your database. The simplest example assumes you're running against an in-memory database -- then you can simply add the roles in conf/BootStrap.groovy like this:

    import org.codehaus.groovy.grails.plugins.starksecurity.PasswordEncoder

    class BootStrap {
        def init = { servletContext ->
            // Create some roles
            def ROLE_SUPER_USER = new Role(authority: 'ROLE_SUPER_USER', description: 'Super user')
            ROLE_SUPER_USER.save()
            def ROLE_REPORT_READER = new Role(authority: 'ROLE_REPORT_READER', description: 'Report reader')
            ROLE_REPORT_READER.save()

            // Create a user, and add the super user role.
            // You do this only if you're using the DAO implementation;
            // for LDAP, users don't live in your DB.
            def superUser = new User(username: 'superUser',
                                     password: PasswordEncoder.encode('password', 'SHA-256', true))
            superUser.save()
            superUser.addToRoles(Role.findByAuthority('ROLE_SUPER_USER'))
            superUser.save()
        }

        def destroy = { }
    }
The prefix 'ROLE_' in your role names is important -- it is a Spring Security requirement that your roles are named that way.

The installed domain/Role.groovy holds the role constants that the authorization mappings refer to:

    import org.springframework.security.GrantedAuthority   // Spring Security 2.x package

    class Role implements GrantedAuthority {
        String description
        String authority

        static final ANONYMOUS = 'IS_AUTHENTICATED_ANONYMOUSLY'
        static final SUPER_USER = 'ROLE_SUPER_USER'
        static final REPORT_READER = 'ROLE_REPORT_READER'

        static final ALL_ROLES = [ ANONYMOUS, SUPER_USER, REPORT_READER ]
        static final ADMIN_ROLES = [ SUPER_USER, REPORT_READER ]

        // GrantedAuthority is Comparable in Spring Security 2.x; order by authority name
        int compareTo(Object o) {
            if (o instanceof Role) {
                return this.authority.compareTo(o.authority)
            }
            return 0
        }

        String toString() {
            return authority
        }
    }
Using Stark Security with your Grails Application
That's it, Stark Security is installed and configured. Now when you're coding your controllers, you simply add a section to each controller that declares the access level for each of its methods. It should look like this:

    class BookController {
        static authorizations = [
            index:  Role.ALL_ROLES,
            list:   Role.ALL_ROLES,
            show:   Role.ADMIN_ROLES,
            delete: [Role.SUPER_USER], // a single role still goes in a list: [.....]
            edit:   Role.ADMIN_ROLES,
            update: Role.ADMIN_ROLES,
            create: Role.ADMIN_ROLES,
            save:   Role.ADMIN_ROLES
        ]
        . . .
    }

Configuring Security Event Listeners
This part is optional -- it is not required for basic use of the Stark Security plugin.

Since version 0.3, you can optionally configure security event listeners/handlers with Stark Security. These can be configured like this in grails-app/conf/StarkSecurityConfig.groovy:
    starksecurity {
        . . .
        // Optionally, you can handle authentication and authorization events as they happen. In the section
        // below, you can add/edit handlers for any events that can be found in the packages
        // org.springframework.security.event.[authentication|authorization].
        // The event class name must be prefixed with the last portion of the package name, as shown in the
        // default handlers below.
        eventHandlers = [
            'authentication.AbstractAuthenticationEvent': { e, appContext ->
                // This handles the superclass of all authentication events -- put logic here to do something for all authentication events
            },
            'authorization.AbstractAuthorizationEvent': { e, appContext ->
                // This handles the superclass of all authorization events -- put logic here to do something for all authorization events
            }
        ]
    }

Participating in Spring Security Filter Chain
This part is optional -- it is not required for basic use of the Stark Security plugin.

Since version 0.4, you can optionally participate in various stages of the Spring Security filter chain. Closures can be configured as follows in grails-app/conf/StarkSecurityConfig.groovy:
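As an added example (not the plugin's own code; the plugin's default skeleton for these hooks follows it), here is a StarkSecurityConfig.groovy fragment that fills in both the event handlers from the previous section and the onBeforeAuthentication hook from this one: it writes an audit log for failed and successful logins and for denied requests, and it halts the chain when the login form is posted without TLS. It assumes the Spring Security 2.x event classes and their properties (authentication, exception, source), that the hook closures sit inside the same starksecurity block as eventHandlers, and that the hook receives an HttpServletRequest.

```groovy
import org.apache.commons.logging.LogFactory

starksecurity {
    // Added example: audit authentication and authorization outcomes through the event hooks.
    // Keys follow the plugin's convention: last package segment + event class name, resolved under
    // org.springframework.security.event.* (Spring Security 2.x; property names assumed from that API).
    eventHandlers = [
        'authentication.AuthenticationFailureBadCredentialsEvent': { e, appContext ->
            // e.authentication is the rejected token; log the principal name only, never the credentials
            LogFactory.getLog('stark.audit').warn(
                "login failed for user '${e.authentication?.name}': ${e.exception?.message}")
        },
        'authentication.AuthenticationSuccessEvent': { e, appContext ->
            LogFactory.getLog('stark.audit').info(
                "login succeeded for user '${e.authentication?.name}'")
        },
        'authorization.AuthorizationFailureEvent': { e, appContext ->
            // e.source is the secured object (for URL rules, the FilterInvocation being denied)
            def who = e.authentication?.name ?: 'anonymous'
            LogFactory.getLog('stark.audit').warn("access denied for '${who}' to ${e.source}")
        }
    ]

    // Added example: refuse to process the login form over plain HTTP.
    // Halting the chain means not calling chain.doFilter, as described above;
    // the authentication processing filter then never sees the submitted credentials.
    onBeforeAuthentication = { request, response, chain, appContext ->
        def isLoginPost = request.requestURI.endsWith('/j_spring_security_login')
        if (isLoginPost && !request.secure) {   // ServletRequest.isSecure(): false unless TLS terminated here
            response.sendError(403, 'Login must be submitted over HTTPS')
            return                              // chain halted
        }
        chain.doFilter(request, response)
    }
}
```

If TLS is terminated at a proxy in front of the container, request.secure will be false for every request, so check the proxy's forwarded-protocol header instead before adopting this hook.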
    // The following interceptors are also optional -- they allow participation in the Spring Security filter chain at various
    // points. To halt the processing of the filter chain at any of these points, throw an exception and
    // comment out/omit the 'chain.doFilter(request, response)' statement.
    onBeforeAuthentication = { request, response, chain, appContext ->
        // Add code here if you need to intercept the request before it hits the authentication processing filter.
        // For instance, you may want to store the value of a "remember me" checkbox in a cookie.
        chain.doFilter(request, response)
    }
    onBeforeAuthorization = { request, response, chain, appContext ->
        // Add code here if you need to intercept the request before it hits the authorization processing filter.
        chain.doFilter(request, response)
    }
    onAfterAuthorization = { request, response, chain, appContext ->
        // Add code here if you need to intercept the request after it hits the authorization processing filter.
        chain.doFilter(request, response)
    }

Description
Stark Security Plugin -- version 0.4.3
The Stark Security plugin -- 'stark' as in simple, but also 'strong' in Swedish -- is an implementation of Spring Security for Grails. The purpose of the plugin is two-fold, as its name implies: to be simple to install, configure, and maintain, and to strongly secure your web application.

To make a long story short, securing your application with Stark Security looks like this:

    class BookController {
        static authorizations = [
            index: Role.ALL_ROLES,
            edit:  [Role.ROLE_EDITOR]
        ]

        def index = {
            Book.list()
        }

        def edit = {
            // Some logic to edit a book
        }
        . . .
    }

Two design principles follow from this:
- Lock-down or 'pessimistic' approach. Instead of leaving the web application open and relying on configured rules to lock down certain areas, the Stark Security plugin locks down everything by default. Developers open up access on a controller-method basis as they are coding the controllers.
- Authorization mappings by convention. The determination of which roles can access which URLs is declared by convention in every controller, right next to the eventual URL end-points (controller methods) as shown in the example above. This makes for straightforward implementation and maintenance of the security rules.
Versions
- 0.4.3 CURRENT -- release notes
- 0.4.2 -- release notes
- 0.4.1 -- release notes
- 0.4 -- release notes
- 0.3.1 -- release notes
- 0.3 -- release notes
- 0.2.2 -- release notes | docs
- 0.2.1 -- release notes
- 0.2 -- release notes
- 0.1 -- docs
About Stark Security
- Author: Ola Bildtsen
- Contact: info@bildtsen.com
- Defect Reports/Feature Requests: Codehaus JIRA (Log against the proper component and version)