Stark Security Plugin version 0.2.2 Released

I’m pleased to announce the release of version 0.2 of the Stark Security plugin. Not a huge deal, but a few convenience enhancements:

  • Enable arbitrary password encoding algorithms, on a DAO provider basis
  • Allow for tweaks to authorization mappings in StarkSecurityConfig.groovy without app restart.
  • Let users install the plugin but defer configuration (this used to result in exceptions on app startup).

The 0.2.2 bug-fix release solves an issue with custom url mappings not responding to the authorization mappings in controllers. With this fix, any custom mappings in UrlMappings will resolve to the authorization mappings of the eventual controller target.

Documentation (including upgrade instructions, release notes, etc.) is here: http://www.grails.org/Stark+Security+Plugin

As always, comments/questions/suggestions are much appreciated!


Announcing Stark Security Plugin for Grails

I’m happy to announce the release of the new Stark Security plugin to the Grails plugins repository. It’s a cleaned-up (and, hopefully, simplified) edition of the alternative Spring Security plugin previously mentioned here. The main focus of this plugin is to provide a simple yet strong security solution, and it differs from the standard Acegi and JSecurity plugins in that it offers:

  • Lock-down or ‘pessimistic’ approach. Instead of leaving the web application open and relying on configured rules to lock down certain areas, the Stark Security plugin locks down everything by default. Developers open up access on a controller-method basis as they are coding the controllers.
  • Authorization mappings by convention. Which roles can access which URLs is declared by convention in every controller, right next to the eventual URL end-points (controller methods). This makes for very straightforward implementation and maintenance of the security rules.
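
The lock-down model above, combined with the behaviour the 0.2.2 note describes (a custom URL mapping is authorized by the rules of its eventual controller target), sketched as an added example. This is a toy model, not the Stark Security plugin's code or configuration syntax; every map, closure and role name in it is hypothetical and the sample data is constructed.

```groovy
// Added illustration only: NOT the plugin's API. All names are hypothetical.

// Roles declared per controller action (constructed sample data).
def authorizations = [
    book : [list: ['ROLE_USER', 'ROLE_ADMIN'], delete: ['ROLE_ADMIN']],
    admin: [index: ['ROLE_ADMIN']]
    // the 'report' controller declares nothing, so all of its actions stay locked
]

// Custom URL mappings: alias path -> eventual controller/action (constructed).
def urlMappings = [
    '/catalog'      : [controller: 'book', action: 'list'],
    '/purge'        : [controller: 'book', action: 'delete'],
    '/reports/daily': [controller: 'report', action: 'daily']
]

// Resolve a request path to its controller target: custom mapping first,
// then the conventional /controller/action form.
def resolveTarget = { String path ->
    if (urlMappings.containsKey(path)) return urlMappings[path]
    def parts = path.tokenize('/')
    if (parts.isEmpty()) return null
    [controller: parts[0], action: parts.size() > 1 ? parts[1] : 'index']
}

// Pessimistic decision: allow only when the RESOLVED target has a declared
// rule and the user holds one of its roles. Everything else is denied.
def isAllowed = { String path, Collection<String> userRoles ->
    def target = resolveTarget(path)
    if (target == null) return false
    def required = authorizations[target.controller]?.get(target.action)
    if (!required) return false              // no declaration => locked down
    !userRoles.disjoint(required)
}

assert isAllowed('/book/list', ['ROLE_USER'])
assert isAllowed('/catalog', ['ROLE_USER'])          // alias of book.list
assert !isAllowed('/book/delete', ['ROLE_USER'])
assert !isAllowed('/purge', ['ROLE_USER'])           // alias inherits book.delete's rule
assert isAllowed('/purge', ['ROLE_ADMIN'])
assert !isAllowed('/reports/daily', ['ROLE_ADMIN'])  // undeclared target: denied
assert !isAllowed('/', ['ROLE_ADMIN'])               // nothing resolves: denied
```

If the check were keyed on the requested path instead of the resolved target, '/purge' would have no rule of its own; resolving first is what makes the alias subject to the same rule as '/book/delete'.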

Version 0.1 is available by simply running this from within your Grails project:

grails install-plugin stark-security

Documentation is available at the Stark Security Plugin page at the Grails plugins web site.


Production-Grade SpringSecurity Plugin for Grails

In my previous post “Production-Grade Acegi Security for Grails”, readers correctly commented that the underlying technology for the plugin was rather outdated. Some of the assertions in that post were based on an early version of the standard Acegi plugin for Grails, and the underlying security library was an outdated Acegi version.

To make a long story short, I have since upgraded the plugin to the latest version of SpringSecurity (2.0.4 at the time of writing). The plugin is available here as part of a demo application (just like in the previous post):


Production-Grade Acegi Security for Grails

Note: See an update/upgrade to this post (moving to SpringSecurity) here.

The standard Acegi plugin for Grails provides a basic implementation of the Acegi security framework for the Grails web stack.  It does a nice job of setting up a basic filter chain that can be rather cumbersome to establish from scratch.  It comes hard-wired with a simple DAO-based authentication provider, and includes the pieces needed to create a rudimentary security scheme for your Grails application.

But the standard plugin is not very flexible, and does not provide alternate means of authentication (such as LDAP).  It is also cumbersome to configure, and it is difficult to manage authorization mappings.  I also didn’t like the “optimistic” authorization scheme (anything not locked down is publicly available).  This article demonstrates a security plugin implementation for Grails that meets a higher level of security requirements.
