Production-Grade SpringSecurity Plugin for Grails

In my previous post “Production-Grade Acegi Security for Grails”, readers correctly commented that the underlying technology for the plugin was rather outdated. Some of the assertions in that post were based on an early version of the standard Acegi plugin for Grails, and the underlying security library was an outdated Acegi version.

To make a long story short, I have since upgraded the plugin to the latest version of SpringSecurity (2.0.4 at the time of writing). The plugin is available here as part of a demo application (just like in the previous post):

SpringSecurityGrailsPluginDemo.zip

Prior to doing this update, I reviewed the latest Grails plugins available for both JSecurity and Acegi (yes, it should be renamed ‘SpringSecurity’). Although they are now considerably easier to configure and do provide LDAP authentication alongside simple DAO authentication, they still lack some important aspects of web application security that I was attempting to address:

  • Pessimistic authorization scheme. Default to no access for anybody to anything, open up holes as needed. This may not work for everybody, but my goal is to reduce the risk of leaving unintended content out there (given how easy it is to implement a Grails controller method).
  • Ease of implementation. A developer should readily be able to configure a controller method to a certain security level at the time of feature implementation. While I believe security should be an implementation-time decision, it should NOT be an obstacle to rapid and agile development.
  • Good maintainability. When Grails controllers are refactored or removed, it should be obvious what changes need to be made from a security perspective. Changes in controller structure should not result in hours of tracking down security rules.
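To make the three goals concrete, here is an added Groovy illustration of a deny-by-default authorization table keyed by Grails controller and action. It is not the plugin's code; the class and method names (`PessimisticAuthorizer`, `permit`, `isAllowed`, `staleRules`) are hypothetical.

```groovy
// Added illustration (hypothetical names): pessimistic authorization keyed by
// "controller.action". Anything without an explicit rule is denied.
enum Level { ANONYMOUS, AUTHENTICATED, ROLE }

class Rule {
    Level level
    Set<String> roles
}

class PessimisticAuthorizer {
    // Rules keyed by "controller.action"; "controller.*" covers every action of that controller.
    private final Map<String, Rule> rules = [:]

    private static String key(String controller, String action) { "${controller}.${action}".toString() }

    // Opening a hole is a one-liner at implementation time, next to the controller it protects.
    void permit(String controller, String action, Level level, String... roles) {
        rules[key(controller, action)] = new Rule(level: level, roles: roles as Set)
    }

    /** True only if an explicit rule opens this action to the caller; no rule means denied. */
    boolean isAllowed(String controller, String action, boolean authenticated, Set<String> granted) {
        Rule rule = rules[key(controller, action)] ?: rules[key(controller, '*')]
        if (rule == null) return false          // pessimistic default: never silently public
        switch (rule.level) {
            case Level.ANONYMOUS:     return true
            case Level.AUTHENTICATED: return authenticated
            case Level.ROLE:          return authenticated && granted.any { it in rule.roles }
        }
        return false
    }

    /** Maintainability check: rules that refer to controllers which no longer exist. */
    List<String> staleRules(Collection<String> existingControllers) {
        rules.keySet().findAll { !(it.tokenize('.')[0] in existingControllers) }.sort()
    }
}

// Constructed sample rules: login is public, book listing needs a login, everything else on book is admin-only.
def auth = new PessimisticAuthorizer()
auth.permit('login', '*', Level.ANONYMOUS)
auth.permit('book', 'list', Level.AUTHENTICATED)
auth.permit('book', '*', Level.ROLE, 'ROLE_ADMIN')

assert auth.isAllowed('login', 'auth', false, [] as Set)
assert auth.isAllowed('book', 'list', true, ['ROLE_USER'] as Set)
assert !auth.isAllowed('book', 'delete', true, ['ROLE_USER'] as Set)
assert auth.isAllowed('book', 'delete', true, ['ROLE_ADMIN'] as Set)
assert !auth.isAllowed('report', 'show', true, ['ROLE_ADMIN'] as Set)  // no rule at all: denied
assert auth.staleRules(['book']) == ['login.*']                        // controller removed, rule left behind
```

Running `staleRules` against the application's current controller list is the kind of check that turns a controller refactoring into a short, explicit to-do list rather than a hunt through security rules.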

To get a better understanding of how my plugin addresses those concerns, please read the original post. None of the logic posted in that original article has changed, only the internals of the plugin itself, to accommodate the upgraded SpringSecurity libraries.