SpringOne 2GX 2011

Chicago, October 25-28, 2011

« Clustering Grails  |  Main  |  Why I’ll never use Groovy on Grails »

Hierarchical Roles in the Grails Spring Security Plugin

Posted by: Burt Beckwith on 12/21/2009

I was looking at a non-Grails Spring Security application that used hierarchical roles and wondered what it'd take to get this working with the Grails plugin. Turns out it's pretty simple.

Non-hierarchical roles are checked by a RoleVoter but to use hierarchical roles you need a RoleHierarchyVoter. Replacing the roleVoter bean in resources.groovy is all it takes.

RoleHierarchyVoter needs an implementation of RoleHierarchy and the default implementation in Spring Security is RoleHierarchyImpl which parses a String defining the hierarchy. For example, this configuration defines the hierarchy ROLE_SUPERADMIN > ROLE_ADMIN > ROLE_USER:

import org.springframework.security.userdetails.hierarchicalroles.RoleHierarchyImpl
import org.springframework.security.vote.RoleHierarchyVoter

beans = {

   roleHierarchy(RoleHierarchyImpl) {
      hierarchy = '''
         ROLE_SUPERADMIN > ROLE_ADMIN
         ROLE_ADMIN > ROLE_USER
      '''
   }

   roleVoter(RoleHierarchyVoter, ref('roleHierarchy'))
}

You can download a small demo app here that shows how it works. Unpack the app and run grails run-app, and then open http://localhost:8080/hierarchical/secure/. The app creates three users in BootStrap:

Username Password Role
user user ROLE_USER
admin admin ROLE_ADMIN
superadmin superadmin ROLE_SUPERADMIN

so you can login as each user to test the secured actions:

class SecureController {

   def index = {}

   @Secured(['ROLE_USER'])
   def user = {
   ...
   }

   @Secured(['ROLE_ADMIN'])
   def admin = {
   ...
   }

   @Secured(['ROLE_SUPERADMIN'])
   def superadmin = {
   ...
   }
}

Logout in between by navigating to http://localhost:8080/hierarchical/logout. Although only one role is defined for each action, as the super admin you can access all three, as the admin you can access admin and user, and as the user you can only access user.

I'll make this part of the plugin at some point to make configuration simpler, but for now it's not much work to do it explicitly.


Add To DZone

Burt Beckwith's complete blog can be found at: http://burtbeckwith.com/blog/

About Burt Beckwith

Burt Beckwith

Burt Beckwith is a Java and Groovy developer with over ten years of experience in a variety of industries including biotech, travel, e-learning, social networking, and financial services. For the past three years he's been working with Grails and Groovy full-time. Along the way he's created over fifteen Grails plugins and made significant contributions to several others. He was the technical editor for Grails in Action.

More About Burt »

NFJS, the Magazine

NFJS, the Magazine
December Issue Now Available

  • BDD and REST

    by Brian Sletten

  • Mocks and Stubs in Groovy Tests

    by Kenneth Kousen

  • Algorithms for Better Text Search Results

    by John Griffin

  • Knowns and Unknowns of Scrum and Agile

    by Brian Tarbox
Learn More »




© 2011 No Fluff, Just Stuff TM and SpringSource, a division of VMware. All rights reserved. Java is a registered trademark of Oracle.