While creating a new application from scratch it’s a good idea to centralize the security mapping for your application in a single place. By security mapping we mean the functionality that secures your application URLs against unwanted access. In Grails, with the spring-security-core plugin, you can do it in the following way.

First, you need to tell Grails that you’ll be using centralized mapping. In order to do that, add the following line to Config.groovy:

grails.plugin.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap

This line tells Grails that you’ll be using intercept URL mapping to secure your application.

Second, you need to define the mapping itself in Config.groovy. Here’s a sample mapping:

com.jft.prashant.sec.role.admin = 'ROLE_ADMIN'
com.jft.prashant.sec.role.user = 'ROLE_USER'

grails.plugin.springsecurity.interceptUrlMap = [
        '/static/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/plugins/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/skin/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/j_spring_security_check': ['IS_AUTHENTICATED_ANONYMOUSLY'],

        '/user/index': ['IS_AUTHENTICATED_FULLY'],
        '/user/**': [com.jft.prashant.sec.role.admin],
        '/role/index': ['IS_AUTHENTICATED_FULLY'],
        '/role/**': [com.jft.prashant.sec.role.admin],
        '/userRole/**': ["hasAnyRole('${com.jft.prashant.sec.role.admin}')"],
        '/*': ['IS_AUTHENTICATED_FULLY']
]

If you are wondering about IS_AUTHENTICATED_ANONYMOUSLY and IS_AUTHENTICATED_FULLY: the first one allows everyone, including anonymous visitors. If you map a URL with the second one, you need to log in to the application in order to access it.

A few points you need to keep in mind here:

  1. More general mappings should be provided towards the end. For instance, we want to allow only admins to create or update users, while other users should only see the list of users, so we provide the mapping for ‘/user/index’ (which is specific: the index action of the user controller) before ‘/user/**’ (which is general: every action of the user controller).
  2. The reason for this behaviour is that Spring Security iterates over the mappings and applies the first one that matches. And that’s the reason I have kept the most general mapping at the last.
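As an added illustration of points 1 and 2 (not code from the post or its sample application), here is a small Python simulation of the plugin's first-match evaluation over a subset of the mapping above, using Spring's Ant-pattern rules. It shows that swapping '/user/index' and '/user/**' locks ordinary users out of the index, and that '/*' matches only one path segment, so a URL such as /book/show/1 matches no rule at all; how unmatched URLs are treated is governed by the plugin's rejectIfNoRule setting, which this simulation assumes to be true.

```python
import re

# Ant-style pattern -> regex, following Spring's AntPathMatcher rules:
# '**' spans path segments, '*' stays inside one segment (so '/*' is not a catch-all).
def ant_to_regex(pattern):
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i == len(pattern) - 3:
            out, i = out + "(/.*)?", i + 3   # trailing /** also matches the bare prefix
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + "$")

def first_match(url_map, path):
    # The plugin applies the first rule whose pattern matches; None if none does.
    for pattern, attrs in url_map:
        if ant_to_regex(pattern).match(path):
            return attrs
    return None

def is_allowed(attrs, roles, authenticated=True):
    # Grant if any attribute passes (affirmative voting on the forms this page uses).
    if attrs is None:   # unmatched URL: rejected here, as the plugin's rejectIfNoRule=true does
        return False
    for attr in attrs:
        if attr == "IS_AUTHENTICATED_ANONYMOUSLY":
            return True
        if attr == "IS_AUTHENTICATED_FULLY" and authenticated:
            return True
        expr = re.fullmatch(r"hasAnyRole\((.*)\)", attr)   # e.g. "hasAnyRole('ROLE_ADMIN')"
        names = re.findall(r"'([^']+)'", expr.group(1)) if expr else [attr]
        if any(name in roles for name in names):
            return True
    return False
ADMIN = "ROLE_ADMIN"
# A subset of the page's map, in the page's order (Groovy map literals keep insertion order).
PAGE_MAP = [
    ("/login/**", ["IS_AUTHENTICATED_ANONYMOUSLY"]),
    ("/user/index", ["IS_AUTHENTICATED_FULLY"]),
    ("/user/**", [ADMIN]),
    ("/userRole/**", ["hasAnyRole('%s')" % ADMIN]),
    ("/*", ["IS_AUTHENTICATED_FULLY"]),
]
# The same rules with the general '/user/**' moved ahead of the specific '/user/index'.
WRONG_ORDER = [PAGE_MAP[2], PAGE_MAP[1]] + PAGE_MAP[3:]
def check(url_map, path, roles, authenticated=True):
    return is_allowed(first_match(url_map, path), roles, authenticated)
```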

There are also other options for adding security information to your application:

  1. You can go for annotations, which involves annotating each controller and/or action with its security requirements.
  2. You can mix and match annotations with the URL intercept mapping I have described above by using staticRules.
  3. Or, you can provide the security information dynamically using SecurityConfigType.Requestmap. This involves saving the security mapping to the database.

More on the other methods later. This pretty much sums everything up. If you want to see the sample application, you can fork it from here. Fire it up to see it in action. Hope it helps. 🙂