Wednesday, November 04, 2009

JSecurity Mini Guide

This post is a summary on what I learned from my project during I was implementing its security function. The tools and their versions are:
  • Jsecurity 0.9
  • Grails 1.1.1
  • Grails JSecurity Plugin 0.4.1
Maybe the versions of the tools you are using are not the same as me, but I think that is not a big question and migration is not too difficult, ;)
First, let's check grails-jsecurity-plugin. As I said in my last post, this plugin is awesome! If you decide to take jescurity as the fundation of your security function, you should also consider to examine this plugin. Trust me, it will sppeed up your development. Now, it's time to see how to use it:
  1. grails install-plugin jsecurity, or you can download it from http://grails.org/plugin/shiro, then grails install-plugin plugin-path
  2. grails quick-start, this is the simplest way to use this plugin. In this step, you will get 6 security domain classes (including JsecPermission, JsecRole, JsecUser, JsecRolePermissionRel, JsecUserPermissionRel and JsecUserRoleRel), a DbRealm(JsecDbRealm), an AuthController and a login page. All of those classes will meet your need at most of time. If you are using ladp, you can try the LadpRealm provided by this plugin, using "grails create-ldap-realm".
  3. grails create-filters filters-name, this filter will inteceptor all the request, if you want to protect something, this is a good place. To protect what you want to keep, you can leaveage the access control dsl made by this plugin:
    • need authentication? accessControll { true }
    • has role? accessControll{ role('admin') }
    • is permitted? accessControll{ permission("${actionName}:${actionName}:${params.id}") }
    At this point, you have implemented an auth controller and a login page, the security domain classes and a request inteceptor, the rest of the work are:
  4. Using the tag lib to enhance your UI.
  5. Configurating WildcardPermission as the permission class of your application. In BootStrap.groovy:
    new JsecPermission(type: 'org.jsecurity.authz.permission.WildcardPermission', possibleActions: '*').save()
    Except WildcardPermission, You also can use AllPermission to represent a permission owned by administrator:
    new JsecPermission(type: 'org.jsecurity.authz.permission.AllPermission', possibleActions: '*').save()
  6. Implementing the CRUD of those security domain classes. Here, I will show you some samples:
    • add user: new JsecUser(username: 'foxgem', passwordHash: new Sha1Hash('foxgem').toHex()).save()
    • add role: new JsecRole(name: 'admin').save()
    • assign a role to a user:
    • def role= JsecRole.get(1)
      def user= JsecUser.get(1)
      new JsecUserRoleRel(role: role, user: user).save()
    • assign a permission to a user:
    • def user= JsecUser.get(1)
      def permission= JsecPermission.get(1)
      // In this sample, the target property is a wildcard permission string, eg: 'controller:action'.
      // Please to check WildcardPermission in JSecurity API document for more information.
      new JsecUserPermissionRel(permission: permission, user: user, target: params.target, actions: '*').save()
Now, you have all the knowledge about grails jsecurity plugin. Next, you should understand the fundation of this plugin - JSecurity. The more you know about it, the more you can do with it. The following diagram shows the key concepts you must know, for more information, please read jsecurity api document.

At the end of this post, I will list some helpful resources:

3 comments:

Les Hazlewood said...

Hi,

Great write-up. Also, since JSecurity is now Apache Shiro, you should definitely check out the Grails Shiro plugin:

http://grails.org/plugin/shiro

It is a little more polished and is actively being maintained (The JSecurity grails plugin is now end-of-life as I understand it).

Finally, what tool did you use to create the class/concepts diagram?

Cheers,

Les

foxgem said...

@Les
Thank you for your reminder. As for that tool, you can check out FreeMind, http://freemind.sourceforge.net/wiki/index.php/Main_Page

Les Hazlewood said...

@foxgem

Thanks for the pointer - looks good!