This is the second in a series of posts making the demo applications that I used for my SpringOne 2GX
presentations available. I'll describe here how to create a Grails application using the Spring Security plugin that authenticates users from LDAP. This is based on topics from the Demystifying Spring Security in Grails talk (you can download the presentation here) but wasn't shown there since I ran out of time.
Also refer to the plugin documentation for other tutorials here.
To create an application that authenticates users from LDAP, run
cd springone2gx_ldap
To make classpath management simpler in Eclipse/STS I create a grails-app/conf/BuildConfig.groovy (in Grails 1.1 apps; in 1.2 this is done for you) with the line
grails.project.plugins.dir='plugins'
to keep plugins in the project root like in 1.0.x but this is optional.
Next install the plugin:
Run the create-auth-domains script to generate the person, authority, and request map domain classes and also grails-app/conf/SecurityConfig.groovy:
The other two scripts that the plugin provides are optional and create CRUD pages (generate-manager) and basic user registration (generate-registration). It's a good idea to run generate-manager; run generate-registration if it's useful to you.
As with the previous post we'll use annotated controllers, so we'll need to configure that, and we can delete the request map class and CRUD pages. The plugin scripts currently asssume you'll be using request maps, so we have to run generate-manager and generate-registration before deleting these.
- delete
grails-app/domain/com/burtbeckwith/springone2gx/Requestmap.groovy - delete
grails-app/controller/RequestmapController.groovy - delete the
grails-app/views/requestmapdirectory and its GSPs - remove the
com.burtbeckwith.springone2gx.Requestmapimport fromgrails-app/controller/RoleController.groovy - in
grails-app/conf/SecurityConfig.groovy, disable requestmaps (useRequestMapDomainClass = false) and enable annotations (useControllerAnnotations = true), and remove therequestMapClassproperty:security {active = true
loginUserDomainClass = "com.burtbeckwith.springone2gx.User"
authorityDomainClass = "com.burtbeckwith.springone2gx.Role"useRequestMapDomainClass = false
useControllerAnnotations = true
}
In Eclipse or STS the steps to configure the classpath are:
- add PLUGIN_DIR/src/groovy as a source folder
- add PLUGIN_DIR/src/java as a source folder
- add PLUGIN_DIR/grails-app/services as a source folder
- add these jars from PLUGIN_DIR/lib
- facebook-java-api-2.0.4.jar
- jcifs-1.2.25.jar
- spring-ldap-1.2.1.jar
- spring-ldap-tiger-1.2.1.jar
- spring-security-core-2.0.4.jar
- spring-security-core-tiger-2.0.4.jar
- spring-security-ntlm-2.0.4.jar
- spring-security-openid-2.0.4.jar
Having done all that, let's create a secured controller to test annotations:
and add the import for the annotation, and annotate at the class level that you must be an admin to access this controller:
@Secured(['ROLE_ADMIN'])
class SecureController {
def index = {
redirect action: foo
}
def foo = {
render 'OK'
}
def bar = {
render 'also OK'
}
}
The controller has a redirect from the default action and a second action so we can test that all methods inherit the class-level annotation.
Next lets configure LDAP. To make this a self-contained demo, we'll use the excellent LDAP server plugin but obviously you'll need to configure the application to connect to your LDAP server.
Install the plugin by running
and add the necessary LDAP configuration option to grails-app/conf/SecurityConfig.groovy (at a minimum useLdap = true)
...
useLdap = true
ldapServer = 'ldap://localhost:10389'
ldapManagerDn = 'uid=admin,ou=system'
ldapManagerPassword = 'secret'
ldapSearchBase = 'dc=d1,dc=example,dc=com'
ldapSearchFilter = '(uid={0})'
ldapGroupSearchBase = 'ou=groups,dc=d1,dc=example,dc=com'
ldapGroupSearchFilter = 'uniquemember={0}'
ldapUsePassword = false
}
The LDAP plugin requires one or more configured LDAP servers in grails-app/conf/Config.groovy and we'll need just one:
d1 {
base = 'dc=d1,dc=example,dc=com'
port = 10389
indexed = ['objectClass', 'uid', 'mail', 'userPassword', 'description']
}
}
The plugin will auto-load .ldif data files with user information, so put these records in grails-app/ldap-servers/d1/data/users.ldif:
dn: ou=groups,dc=d1,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups
dn: cn=USER,ou=groups,dc=d1,dc=example,dc=com
objectclass: groupOfUniqueNames
cn: USER
objectclass: top
uniqueMember: cn=person1,dc=d1,dc=example,dc=com
uniqueMember: cn=person2,dc=d1,dc=example,dc=com
uniqueMember: cn=person3,dc=d1,dc=example,dc=com
dn: cn=ADMIN,ou=groups,dc=d1,dc=example,dc=com
objectclass: groupOfUniqueNames
objectclass: top
cn: ADMIN
uniqueMember: cn=person2,dc=d1,dc=example,dc=com
dn: cn=person1,dc=d1,dc=example,dc=com
objectClass: uidObject
objectClass: person
objectClass: top
objectClass: organizationalPerson
uid: person1
userPassword: {SHA}44rSFJQ9qtHWTBAvrsKd5K/p2j0=
cn: person1
sn: jones
dn: cn=person2,dc=d1,dc=example,dc=com
objectClass: uidObject
objectClass: person
objectClass: top
objectClass: organizationalPerson
uid: person2
userPassword: {SHA}KqYKj/f81HPTIeAUav2eJt85UUc=
cn: person2
sn: jones
dn: cn=person3,dc=d1,dc=example,dc=com
objectClass: uidObject
objectClass: person
objectClass: top
objectClass: organizationalPerson
uid: person3
userPassword: {SHA}ERnP037iRzV+A0oI2ETuol9v0g8=
cn: person3
sn: jones
Spring Security will by default convert LDAP groups ('groupOfUniqueNames') to roles, prefixing the group names with ROLE_, so this data creates three users; person1, person2, and person3 (with passwords 'password1', 'password2', and 'password3' respectively), all with ROLE_USER and person2 with ROLE_ADMIN.
Since LDAP is only managing authentication details we need local data in the database; create the corresponding entries in BootStrap:
class BootStrap {
def init = { servletContext ->
new User(username: 'person1', enabled: true).save()
new User(username: 'person2', enabled: true).save()
new User(username: 'person3', enabled: true).save(flush: true)
}
def destroy = {}
}
Since LDAP is handling authentication, we can (partially) remove password-related fields from User.groovy along with other unused fields:
We need to leave in the passwd property since GrailsDaoImpl expects it but its value isn't important so we'll just hard-code it in the domain class. A custom subclass GrailsDaoImpl or a new implementation of UserDetailsService would remove this requirement.
Start the app using
and open http://localhost:8080/springone2gx_ldap/secure/ in a browser and it should prompt you to login. If you login as person1 or person3 you'll be denied access since those users only have ROLE_USER but person2 has ROLE_ADMIN and will be allowed.
After successful login it'll redirect to http://localhost:8080/springone2gx_ldap/secure/foo - verify that http://localhost:8080/springone2gx_ldap/secure/bar is also secured by going to that in your browser.
You can download a finished application based on this discussion here
