Grails preauthenticated spring security resources definition
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils
import org.codehaus.groovy.grails.plugins.springsecurity.SecurityFilterPosition
/**
 * Grails bootstrap hook that wires the container pre-authentication filter
 * into the Spring Security filter chain at application start-up.
 */
class BootStrap {

    /**
     * Registers the bean named 'j2eePreAuthenticatedProcessingFilter' at the
     * PRE_AUTH_FILTER position of the filter chain. That bean takes the caller's
     * identity from the servlet container, so the container login configured in
     * web.xml is the only place where credentials are actually checked.
     */
    def init = { servletContext ->
        def preAuthFilterBean = 'j2eePreAuthenticatedProcessingFilter'
        def chainPosition = SecurityFilterPosition.PRE_AUTH_FILTER
        SpringSecurityUtils.clientRegisterFilter(preAuthFilterBean, chainPosition)
    }

    /** Nothing to clean up on shutdown. */
    def destroy = {}
}
// Set providerNames to include 'preAuthenticatedAuthenticationProvider'.
// This assignment names the complete provider list: only the pre-authenticated and the
// anonymous provider appear in it, so no username/password provider is listed here and
// every real login is expected to come from the servlet container.
// NOTE(review): confirm that no other Config.groovy entry re-adds a form/DAO provider.
grails.plugins.springsecurity.providerNames = ['preAuthenticatedAuthenticationProvider', 'anonymousAuthenticationProvider']
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider
import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter
import org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource
import org.springframework.security.core.authority.mapping.MapBasedAttributes2GrantedAuthoritiesMapper
import org.springframework.security.core.authority.GrantedAuthorityImpl
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint
// Place your Spring DSL code here
beans = {
/*
* Pre-authenticated bean setup defined below.
* Credentials are checked by the servlet container (see the login-config in web.xml);
* these beans only translate the container's principal and roles into a Spring Security
* Authentication.
*/
/**
* This service builds the user details from the granted authorities that are already
* carried in the pre-authenticated token; no user store is configured for it here.
*/
preAuthenticatedGrantedAuthoritiesUserDetailsService(PreAuthenticatedGrantedAuthoritiesUserDetailsService)
/**
* This provider uses the pre-authenticated mechanism for authentication and delegates
* user-details loading to the service defined above. It is referenced by name from
* the providerNames setting.
*/
preAuthenticatedAuthenticationProvider(PreAuthenticatedAuthenticationProvider) {
preAuthenticatedUserDetailsService = ref('preAuthenticatedGrantedAuthoritiesUserDetailsService')
}
/**
* This bean maps container-level 'role' names (the map keys) to
* the GrantedAuthorities used by Spring. Note that although the setter method
* for the attributes2grantedAuthoritiesMap supposedly can accept a String: String
* map, the Groovy Spring BeanBuilder fails to work correctly, so we must explicitly
* define lists of GrantedAuthorityImpls.
*
* Only the container roles listed here are mapped; a user holding some other container
* role receives no Spring authority for it.
* NOTE(review): the keys must match the role names the container actually assigns
* (and declares in web.xml); confirm against the realm configuration.
*/
mappableRoles(MapBasedAttributes2GrantedAuthoritiesMapper){
attributes2grantedAuthoritiesMap=[
admin: [new GrantedAuthorityImpl('ROLE_ADMIN')],
user: [new GrantedAuthorityImpl('ROLE_USER')],
architect: [new GrantedAuthorityImpl('ROLE_ARCHITECT')]
]
}
/**
* This AuthenticationDetailsSource sets the GrantedAuthorities defined
* by the mapping into the Authentication token for use later by the UserDetailsService.
* The 'mappableRoles' bean is wired in twice: once as the source of the container role
* names to test for the current request, and once as the mapper that turns the roles the
* user holds into GrantedAuthorities.
*/
j2eeAuthDetailsSource(J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource){
mappableRolesRetriever=ref('mappableRoles')
userRoles2GrantedAuthoritiesMapper=ref('mappableRoles')
}
/**
* This filter starts the auth processing from the request, retrieves the
* username from the servlet request's userPrincipal, and sets the Authentication
* token details via the DetailsSource.
*
* The filter performs no credential check of its own: whatever principal the container
* reports is trusted. The container security-constraint must therefore cover every URL
* that reaches this filter chain.
*/
j2eePreAuthenticatedProcessingFilter(J2eePreAuthenticatedProcessingFilter) {
authenticationManager = ref('authenticationManager')
authenticationDetailsSource = ref('j2eeAuthDetailsSource')
}
/**
* We don't want the normal Spring Security authentication to run, so we set the entry point
* to always respond with an HTTP 403 response.
* NOTE(review): the bean name 'authenticationEntryPoint' presumably overrides the plugin's
* default entry point bean; confirm against the plugin version in use.
*/
authenticationEntryPoint(Http403ForbiddenEntryPoint)
}
<web-app xmlns="http://java.sun.com/xml/ns/javaee" metadata-complete="true" version="2.5" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- snipped most content -->
<!--
You will need to define a Grails GSP login form that submits a POST to the URL 'j_security_check', using parameters
'j_username' and 'j_password' for authentication.
In this example it is located at /login/preauth.
The container, not Spring Security, validates these credentials; the application only sees the resulting principal.
-->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Container Authentication</realm-name>
<form-login-config>
<form-login-page>/login/preauth</form-login-page>
<form-error-page>/login/preauthError</form-error-page>
</form-login-config>
</login-config>
<!--
This constraint covers every URL and lists no http-method elements, so it applies to all HTTP methods.
Keep it that way: listing individual methods would leave the unlisted ones unconstrained.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>web</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!--
In a 2.5 descriptor the role name '*' stands for all roles declared in the security-role elements of this file.
Only 'base-user-role' is visible in this excerpt. The container roles that the Spring mapping tests
('admin', 'user', 'architect') should also be declared. NOTE(review): content is snipped, confirm they are.
-->
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<!--
Transport guarantee, disabled in this example. While it stays commented out, the login form posts
j_username and j_password over whatever transport the client used, including plain HTTP.
Uncomment it for any deployment that handles real credentials, so the container requires HTTPS.
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
-->
</security-constraint>
<security-role>
<role-name>base-user-role</role-name>
</security-role>
<!-- snipped most content -->
</web-app>