
Setting up Grails to work with JEE role based authentication


Last editor: Dave Cherry, last modified: Aug 22, 2008

Installing templates into a Grails application

To get access to web.xml in a Grails application, we need to install the templates that the build process uses to generate the live web.xml. To do this, move into your project home directory and type:

grails install-templates

Now take a look in the src directory, and there will be a templates folder created by the last command. Underneath the templates folder, there is a war folder; it is within this folder that the web.xml is created. This web.xml can be edited by hand and changes to it will be saved.

How to use JEE role based security with Grails

If you are unfamiliar with role based security, please read Using Role based security. There are no hard and fast rules for configuring JEE roles, but there are two easy options that I use, and I will briefly discuss both below. Note that a mixture of the two methods will probably produce the best results.

Securing at the controller level

This involves having controllers specifically for secure content. Sometimes this makes sense, for example when one wishes to maintain a database table using the scaffolding controller and view, but have a separate view for other users. This is straightforward, and just involves creating a url-pattern that maps everything for the controller. For example, if the controller was called SecuredController:

<url-pattern>/secured/*</url-pattern>

Securing on an action-by-action basis

Although the above solution is generally better when there's a large number of operations to secure, if only one or two items need to be secured, then adding each action to be secured separately may be better. To do this, a url-pattern is added for each action. One limitation of this is that it is easy to miss an operation to be secured, and therefore potentially leave your site more open than anticipated.

<url-pattern>/secured/save</url-pattern>

Test, test and better test your changes

With security you need to test any changes that are made. It's so easy to leave something open, and on a popular site this may well be exploited quickly. Make a test plan that ensures any pages you intend to be secured are properly secured. Whenever any changes are made to your security model (e.g. web.xml, realm, new pages / controllers), run all these tests. This will avoid problems later.
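One way to automate part of such a test plan is to check every URL you intend to secure against the url-patterns in web.xml. The script below is an added example, not code from the original post: the embedded web.xml fragment is constructed, and the account controller, the admin role and the URL list are hypothetical. It looks only at url-patterns and ignores http-method restrictions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a web.xml edited under src/templates/war.
# The "account" controller and the "admin" role are hypothetical.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <url-pattern>/account/save</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed list of URLs the test plan says must require a role.
INTENDED = ["/secured/list", "/secured/save", "/account/save",
            "/account/delete", "/account/save/42"]

def local(tag):
    """Strip the XML namespace so 2.4 and namespace-less descriptors both work."""
    return tag.rsplit("}", 1)[-1]

def protected_patterns(xml_text):
    """url-patterns of every security-constraint that has an auth-constraint."""
    patterns = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "security-constraint":
            continue
        kids = list(el.iter())
        if any(local(k.tag) == "auth-constraint" for k in kids):
            patterns += [k.text.strip() for k in kids
                         if local(k.tag) == "url-pattern" and k.text]
    return patterns

def matches(pattern, path):
    """Servlet url-pattern rules: default (/), prefix (/x/*), extension (*.ext), exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern  # exact patterns match that one path only

def unprotected(xml_text, intended):
    """Intended-secure paths that no protected url-pattern covers."""
    pats = protected_patterns(xml_text)
    return [p for p in intended if not any(matches(q, p) for q in pats)]

if __name__ == "__main__":
    for path in unprotected(WEB_XML, INTENDED):
        print("NOT COVERED:", path)
```

The controller-level pattern covers everything under /secured, while the action-level pattern leaves /account/delete and /account/save/42 uncovered, which is the limitation of the action by action approach described above.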
