Wednesday, January 6, 2010

Installing the Grails Security Plugin

To set up controller annotation based security, I'm following the plugin installation instructions detailed here.

Starting with:
# grails install-plugin acegi

I used "InfinityUser" as my "User" class as User is a reserved word in Oracle. There are still places in the generated code where people/person is used instead of the name you pass.
# grails create-auth-domains InfinityUser Role Requestmap

Then, I generated Person/Role management support:
# grails generate-manager

I modified the SecurityConfig.groovy and deleted the ResourceMap domain, controller and views as directed in the tutorial.

I tested the app by starting it up and modified BootStrap.groovy to avoid retyping Roles and Persons in the GUI. It is very important to make your Roles begin with the word "ROLE".

new Role(authority:"ROLE_LOV_ADMIN",description:"Allows a user to modify the available List Of Values definitions.").addToPeople(new InfinityUser(username:"jdoe", userRealName:"John Doe",passwd:"81fe8bfe87576c3ecb22426f8e57847382917acf",enabled:true,email:"jdoe@gmail.com",emailShow:true,description:"An LOV Admin")).save()
new Role(authority:"ROLE_PAF_EDITOR",description:"Allows a user to modify draft Pre-Acceptance Forms.").addToPeople(new InfinityUser(username:"jsmith", userRealName:"Jane Smith",passwd:"81fe8bfe87576c3ecb22426f8e57847382917acf",enabled:true,email:"jsmith@gmail.com",emailShow:true,description:"A PAF Editor")).save()

Note that the 'passwd' value is "81fe8bfe87576c3ecb22426f8e57847382917acf". The password is "abcd" encoded by authenticateService.encodePassword(params.passwd) in PersonController.save().

Here is one of the places where the plugin fails if the Role.authority doesn't include 'ROLE'. When I tested the app I noticed there was a bug where all Roles would be removed when saving an InfinityUser. I tracked it down to InfinityUserController.update(). There is a line that removes all Roles:
Role.findAll().each { it.removeFromPeople(person) }
However, they weren't being added back in. This was a bug in addRoles(person). Adding the word 'ROLE' to your role names fixes it. However, there are other places in the plugin that rely on this convention.
    private void addRoles(person) {
        for (String key in params.keySet()) {
            //println "key="+key+" params.get(key)="+params.get(key)
            // modified this line because it causes roles not to be added if they don't contain the word ROLE
            //if (key.contains('ROLE') && 'on' == params.get(key)) {
            if ('on' == params.get(key)) {
                // use the safe-navigation '?.' operator to skip keys with "on" values that aren't Roles
                Role.findByAuthority(key)?.addToPeople(person)
            }
        }
    }
-Ben Hidalgo
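
The role loss described above can be reproduced outside Grails. This is an added example, not code from the post or the plugin: a plain Groovy script in which the form fields, the prefix-less role name PAF_EDITOR and the findByAuthority stand-in are constructed assumptions. It shows that update() silently strips a role whose name lacks 'ROLE', and how to list such names before relying on the generated check.

```groovy
// Added example: plain Groovy script, no Grails or plugin classes involved.
// Role names and form fields below are constructed sample data.
def knownRoles = ['ROLE_LOV_ADMIN', 'PAF_EDITOR'] as Set   // second name lacks 'ROLE'

// What the edit form posts: every ticked checkbox arrives as 'on',
// including fields that are not roles at all (enabled, emailShow).
def form = [username: 'jdoe', enabled: 'on', emailShow: 'on',
            ROLE_LOV_ADMIN: 'on', PAF_EDITOR: 'on']

// Hypothetical stand-in for Role.findByAuthority(key): null for unknown names
def findByAuthority = { String name -> (name in knownRoles) ? name : null }

// update() as described in the post: strip every role, then re-add from the form.
// requireRolePrefix=true models the generated check, false the modified one.
def rolesAfterUpdate = { Map params, boolean requireRolePrefix ->
    def granted = [] as Set                       // state after the remove-all step
    params.each { key, value ->
        if (requireRolePrefix && !key.contains('ROLE')) return   // skip this key
        if ('on' == value) {
            def role = findByAuthority(key)       // null for 'enabled', 'emailShow'
            if (role) granted << role             // same effect as the '?.' call
        }
    }
    granted
}

// Generated check: the ticked PAF_EDITOR box is ignored, so the role is lost on save
assert rolesAfterUpdate(form, true) == (['ROLE_LOV_ADMIN'] as Set)

// Modified check: both roles survive, and non-role checkboxes are still skipped
assert rolesAfterUpdate(form, false) == (['ROLE_LOV_ADMIN', 'PAF_EDITOR'] as Set)

// Pre-flight check: role names that code relying on the 'ROLE' convention would drop
def dropped = knownRoles.findAll { !it.contains('ROLE') } as Set
assert dropped == (['PAF_EDITOR'] as Set)
println "Roles dropped by the generated check: ${dropped}"
```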
