Grails: Is the Spring Security Plugin Too Powerful for Simple Security

Question

We have several Grails applications that use a shared plugin that among other things provides them with basic security. We're going to be adding other types of authentication in the future so the idea of using the Spring Security plugin has come up. However, I'm wondering if it's too powerful for our fairly basic needs.

Currently we use Grails filters that run before any URL is accessed and perform security checks. The initial authentication is handled by looking for a specific encrypted POST variable or cookie (being send from another closed source application) and after decrypting it, verifying the details in our database. If everything checks out we consider the user logged in (and also have their numeric user ID from the encrypted data). All of the users have the same access, except for a small handful that have greater access. These are defined in a table that contains their numerical ID.

However, we're hoping to add the ability to log directly into these Grails applications by using Active Directory credentials, credentials provided by the closed sourced system's LDAP server, and in the not too distance future via a CAS server.

My initial approach was to look for libraries that allow the shared plugin to interface with these various systems and do simple authentication against them. However, I noticed that Spring Security seems to have plugins for all these various types of authentication, which would speed up development. However, the module itself seems fairly complex and geared towards much more advanced setups which means we might spend a lot of time just setting up Spring Security in order to save time with their LDAP, CAS, etc. plugins.

Any thoughts/comments/etc. are highly appreciated.

Also, if we were to use the Spring Security plugin, could someone please comment and let me know if the following kind of setup is possible ...

We'd like to avoid having to create database tables for the various applications for authentication purposes. We basically would like to tell Spring Security that if a user passed authentication, they are authenticated. There are no roles, no groups, nothing fancy (except for the few applications that will have one extra role/group that provides a user with extra permissions ... for these applications a database table will obviously be needed).

We'd also like to default to always requiring security for everything and add extra code only to suppress this to allow non authenticated access. The idea behind this is that in case a developer forgets to add the Spring Security markup code to a controller or action it will already default to always needing authentication.

Also we'd still need to keep the original methods of authentication via en encrypted POST variable send from another application or an encrypted cookies. Is it possible to build this into Spring Security?

And lastly can the Spring Security plugin store a numeric user ID retrieved after authentication to identify the user instead storing the actual username that was used during the authentication?

Answer 1

Well, you have quite a lot of questions there within your post. I will do my best to answer the ones I can recall.

Firstly, Spring Security is complex. That's because real security is hard. However, Spring Security and to some extent the Grails plugin are both very configurable and customizable. This will work to your advantage, once you get through the high learning curve.

You will likely save yourself a lot of headaches and in the end time and effort by investing in Spring Security now, since your requirements are growing and becoming more complex.

I would recommend reading the Spring Security documentation , the Spring Security Grails documentation and as many SO posts tagged with spring-security as you can. It also wouldn't be a bad idea to invest in a few well written books covering Spring Security.

Those are my high level thoughts/comments.

As far as what is possible with Spring security (your other questions).

1. Yes, you can setup Spring Security to not use any type of database tables.
2. You can write your won security authentication filter that does your custom authentication via params/etc.
3. By default everything is locked down in the latest Grails Spring Security plugin, and if you use the interceptUrlMap you need only alter which URLs have no security or differing security than the default of IS_AUTHENTICATED_FULLY .
4. Using a custom UserDetailsService and UserDetails you can use a numeric ID or any other details you want within your principal .

To summarize, with the right effort and understanding of Spring Security you can make it address your needs. However, it's not a short and quick process and will require a lot of reading.

Answer 2

Well Springs Security is one of the best security plugins available nowadays. This is highly customizable and congigurable.

By default every url is locked in spring security. But you can set all url's unlocked by adding a configuration in config.groovy

grails.plugin.springsecurity.controllerAnnotations.staticRules = ['/**' : ['permitAll']]

the above will make all your url's accessible without logging in. No you can put restrictions on all the url's explicityle on controller level.

1. You need not have any Roles table in database, you can use an Enum insted if you have only Admin and User roles.
2. You can even configure your sprigsecurity to use any column of the database to authenticate the user, be it a numeric or string type. All you need to do is override the UserDetailsService and UserDetails service class. BY this all your custom settings gets overriden over the original configurations.

Also we'd still need to keep the original methods of authentication via en encrypted POST variable send from another application or an encrypted cookies. Is it possible to build this into Spring Security?

for this also their is good support in springsecurity. you can have your authentication done at external sources and get it configured with sprinfsecurity.