Gails Acegi Security on the RaceTrack app from - fshami - home

saucecopywriterInternet και Εφαρμογές Web

2 Φεβ 2013 (πριν από 4 χρόνια και 2 μήνες)

94 εμφανίσεις

Before we see how grails
-
acegi
-
plugin plays within a Grails application, let’s get some intro
definitions

(taken from the reference sites mentioned)

out of the way in case you are not familiar
with the terms.

Groovy is a powerful high level language for the Java platform which compiles down to Java
bytecode.

Think of it as a Ruby or Python like language that is tightly integrated with the Java platform
-

allowing you the same powerful and concise coding syntax

as Ruby or Pyt
h
on but allowing you
to stay on the JVM and protect your investment in J2SE, J2EE and all the plethora of great useful
Java code out there.

Grails is a full stack framework and attempts to solve as many pieces of the web development
puzzle
through the core technology and it's associated plug
-
ins. Included out the box are things
like:



An easy to use Object Relational Mapping (ORM) layer built on
Hibernate



An expressive view technology calle
d Groovy Server Pages (GSP)



A controller layer built on
Spring

MVC



A command line scripting environment built on the Groovy
-
powered
Gant



An

embedded Jetty container which is configured for on the fly reloading



Dependency injection with the inbuilt
Spring

container



Support for internationalization (i18n) built on Spring's core MessageSo
urce concept



A transactional service layer built on Spring's transaction abstraction

All of these are made easy to use through the power of the
Groovy

language and the extensive use
of Domain Specific L
anguages (DSLs)



Acegi Security is a powerful, flexible security solution for enterprise software, with a
particular emphasis on applications that use
Spring
. Using Acegi Security provides your
applicat
ions with comprehensive authentication, authorization, instance
-
based access control,
channel security and human user detection capabilities.

For more information on any of the technologies mentioned above please refer to the reference
list.



I was
going through the Grails tutorial
,
Getting Started with Grails

by
Graeme
Rocher,

and
implementing the RaceTrack sample application. This guide book, is a great start for learning
about Grails, and gives

you a glimpse of how powerful Grails is
.

The point of this article is to show you how to integrate the
Grails
-
Acegi

plugin (I think it
works great) with the RaceTrack application from the guide book. The guide book uses Grails
Interceptors and forces you
r

Grails controllers to implement a base class which
is one way of
securing your application
,

but I think taking advantage of the plug
-
in gives you more flexibility
on how to apply s
ecurity and saves you much time
.


For
our example, you will need to downloa
d


grails
-
1.0
-
RC3
-
SNAPSHOT
,

grails
-
acegi
-
0.2

release for the plug
-
in and
JDK1.5 at least.


I won’t go into the details of how to create the RaceTrack application, as all of the details are in
the
Getting Started with Grails
. So to be able to follow up, you will probably have to download
it.



Figure 1


Directory structure after creating the racetrack application

You

do not have to complete all the steps mentioned in the guide book to put this grails
-

acegi
plug
-
in to test. All you really need is the domain classes, and your controllers (sca
ffolding you
r

controllers is good enough for testing).


Figure2


domain classes

directory

As you can see, the “domain” directory only contains the two domain classes Race, and
Registration.
In

the figure below we only have the two
scaffold
ed
corresponding
controllers
RaceController

and
RegistrationController
.


Your controllers’ code:


class RaceController { def scaffold = Race

}

class RegistrationController { def scaffold = Registration

}

Figure3


controllers


directory

And that is all we
need to do to get our application up and running. Notice figure4, after you start
the racetrack application , you should be able to see the 2 controllers you created in the list.


Figure4


Index page before Grails
-
Acegi Plugin.

Now let us install the gr
ails
-
acegi plugin and take advantage of the role based security this plugin
will provide the racetrack application.

In the command prompt , navigate to “racetrack” directory and run this command:



grails install
-
plugin _path_to_/grails
-
acegi
-
0.2.zip

What t
his command does, it creates a plug
-
in directory under the “racetrack” directory (figure5).




Figure 5


plugins dir created after installing the plugin

The next step is to create domain classes that will represent User Accounts, and Roles.

Run command
:



grails create
-
auth
-
domains AuthUser Role


T
his

will create two domain classes called AuthUser, Role and will also setup AcegiConfig.
And
this will also create the Login and Logout controllers.


AuthUser

(figure 6)


is
basically the domain class that will

represent your users.

So for every new user you are actually create a new record in the Auth
_
User

table.


Role

(figure 6)


is the domain class the will represent security roles that every user is allowed to
have. You assign roles to users.


AcegiConfig

(figure 7)



In short,in this class you can find information about what is the user
domain class
(in this case AuthUser), role domain class (in this case Role), whether to use
dynamic vs. static secured urls, and how to setup email alerts (turns them off
or on).



Figure 6


AuthUser.groovy, Role.groovy and Requestmap.groovy (used in AcegiConfig)



Figure 7


AcegiConfig.groovy created


Now to be able to actually create new Users, and create new Roles and assign roles to users, we
will have to run couple

commands in order to generate the CRUD controls for Domains and
generate registration for controllers and Domains.

Management pages



grails generate
-
manager


this

command generates CRUD
for

Domains.


User registration pages



grails generate
-
registration

To give the user the ability to register, and create their username and password, with the default
security role assigned to that user.




Figure 8


CRUD controll
ers (Login and Logout controllers are

created when the Auth and Role
domains are created)




Figure 9


controllers available

after grails
-
acegi
-
plugin installation




Click on RoleController and let’s create a User role, and a Manager role. Notice in the “Role
Name” field, I only entered “user”. The RoleController will take care of converting t
hat “user” to
“ROLE_USER” before its store
d

in the database. Repeat the same step for a manager role.



Figure 10


create a user role


Go back to home page, and click on UserController to create a user with a ROLE_USER role,
and anothe
r user with a
ROLE_MANAGER role, as in Figure 11
.


Figure 11


create a “user” and enable the account and assign ROLE_USER

Since t
he Roles and Users are now read
y
let’s

start securing out RaceTrack application.
Now
there are two ways to how you can secure your URLs. On
e is dynamic via RequestmapController,
and the other is via editing the AcegiConfig.groovy file.

Lets start securing our application dynamically, and set up some rules.

A manager can access any page in the appliaction.

1
-

/race

2
-

/registration

A user can only a
ccess read
-
only pages which are

1
-

/race/list

2
-

/race/show

3
-

/registration/list

4
-

/registration/show


How do these access rules translate in our RequestmapController, first click on
RequestmapController, click on create a new requestmap. In the request field
enter “/race/**
”,

in
the role field enter
“manager”, what this does is, it creates a rule that
allows a

manager to access
all urls under /race. Do the same thing for “registration”.



Figure 12


manager access rules


Now
let us

create the access rules fo
r the user (note that we usually also want to give the manager
the same rights as the user also)
. In the URL field type in “/race/list/**” and in the role field type
in “user, manager”. This will create an access rule, that for the list page under race, bo
th a
manager and a user can access it. Note that you will needed to specify both roles, as if you only
enter user, it will override the previous rule for manager and will only allow users with
ROLE_USER access to access the /race/list page.

Repeat the prev
ious step for the rest of the rules defined previously to create all access rules for
race and registration pages.




Figure 13


creating rule for /race/list/** page


give access to users and managers


Navigate back to home page, click on either RaceCon
troller or RegistrationController (the
controllers for the views we secured), you will notice that you will be redirected automatically to
a Login page.

Login as a manager, and you will be able to access and view, and create, update , and delete
records fr
om the database.




Figure 14


Logging in as a user


Now navigate back to home page, click on the LogoutController, this will invalidate your user
session.

Click on LoginController and login as a user, then point your browser to

http://localhost:8080/racetrack/race/list
, you should be able to see the race/list view (Figure 15).

Remember that we only allowed manager
s

to create new records and users can only access List
and Show views
.

So

if your try to click on New Race (
http://localhost:8080/racetrack/race/create
),
while logged in as user, Acegi will prevent you from navigating to the create
view,

hence
blocking the user from creating a new record. Hopefully you will provide a better informative
error page/message than th
e default
one (
Figure 16).


Figure 15


Race List view




Figure 16


Access denied error page







References:

Groovy :
http://groovy.codehaus.org

Grails:
http://gr
ails.codehaus.org

Acegi:
http://www.acegisecurity.org/