跳至主要内容

Create a restful application with AngularJS and Grails(3): Authentication and Authorization


Authentication and Authorization

Grails provides a series of built-in authentication solutions, such as Form, Basic, Digest etc. And there are several additional plugins which provides CAS, OAuth authentication, please search them from the official Grails.org website.
For API centric applications, Basic is the simplest authentication.

Configure Basic authentication

By default, Form based authentication is enabled, it is easy to configure Basic authentication in Grails application.
Includes the following line in the Config.groovy file.
grails.plugin.springsecurity.useBasicAuth = true
Basic authentication includes a specific basicExceptionTranslationFilter, so the general-purpose exceptionTranslationFilter can be excluded.
grails.plugin.springsecurity.filterChain.chainMap = [
 '/api/**':'JOINED_FILTERS,-exceptionTranslationFilter',
 '/**':JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter'
 ]
All resources matched /api/** will be protected and require authentication.
Try access the a protected resource, for example, http://localhost:8080/angularjs-grails-sample/api/books.json. There is a browser prompt popup for requiring username and password.

Stateless API

By default, Grails will create session to store the client principle, it is useful for a web application. For a REST API, it is usually designated as stateless.
Spring security provides a stateless option in http element. In Grails, you could have to configure it yourself.
In the resources.groovy file, declare a SecurityContextRepository andSecurityContextPersistenceFilter bean.
statelessSecurityContextRepository(NullSecurityContextRepository) {}

statelessSecurityContextPersistenceFilter(SecurityContextPersistenceFilter, ref('statelessSecurityContextRepository')) { }
The SecurityContextPersistenceFilter is responsible for session creation, and it delegates the real work to SecurityContextRepository bean.NullSecurityContextRepository is an implementation of SecurityContextRepository which does not create the user data in HttpSession, it is suitable for stateless case.
Apply it in Config.groovy.
grails.plugin.springsecurity.filterChain.chainMap = [
 '/api/**': 'statelessSecurityContextPersistenceFilter,logoutFilter,authenticationProcessingFilter,customBasicAuthenticationFilter,securityContextHolderAwareRequestFilter,rememberMeAuthenticationFilter,anonymousAuthenticationFilter,basicExceptionTranslationFilter,filterInvocationInterceptor',
 ]
In the above, all filters used for /api/ url pattern are listed one by one.
There are some options for the configuration of the filters.
  • If the value includes a JOINED_FILTERS, it is indicates it will includes all default filters. You can append -filterName to exclude the filter from the default filter list. For example,
   JOINED_FILTERS,-basicExceptionTranslationFilter
It will include all filters but excludes basicExceptionTranslationFilter.
  • If the value is none, security will skip the url pattern.
  • You can specify the filters one by one.
Note: The exclusion can be used only with JOINED_FILTERS option.
I also create a custom BasicAuthenticationEntryPoint.
public class CustomBasicAuthenticationEntryPoint extends
  BasicAuthenticationEntryPoint {

 private static Logger log = LoggerFactory
   .getLogger(CustomBasicAuthenticationEntryPoint.class);

 @Override
 public void commence(HttpServletRequest request,
   HttpServletResponse response, AuthenticationException authException)
   throws IOException, ServletException {
  // TODO Auto-generated method stub
  // super.commence(request, response, authException);
  log.debug("call @ commence...");
  response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
 }

}
The purpose is simple, it maps all authentication and authorization exception to 401 status. This will simplify the frontend AngluarJS processing work.
Configure this AuthenticationEntryPoint in resources.groovy.
customBasicAuthenticationEntryPoint(CustomBasicAuthenticationEntryPoint) {
 realmName = SpringSecurityUtils.securityConfig.basic.realmName // 'Grails Realm'
}

customBasicAuthenticationFilter(BasicAuthenticationFilter, ref('authenticationManager'), ref('customBasicAuthenticationEntryPoint')) {
 authenticationDetailsSource = ref('authenticationDetailsSource')
 rememberMeServices = ref('rememberMeServices')
 credentialsCharset = SpringSecurityUtils.securityConfig.basic.credentialsCharset // 'UTF-8'
}

basicAccessDeniedHandler(AccessDeniedHandlerImpl)

basicRequestCache(NullRequestCache)

basicExceptionTranslationFilter(ExceptionTranslationFilter, ref('customBasicAuthenticationEntryPoint'), ref('basicRequestCache')) {
 accessDeniedHandler = ref('basicAccessDeniedHandler')
 authenticationTrustResolver = ref('authenticationTrustResolver')
 throwableAnalyzer = ref('throwableAnalyzer')
}

Sample codes

评论

此博客中的热门博文

Create a restful application with AngularJS and Zend 2 framework

Create a restful application with AngularJS and Zend 2 framework This example application uses AngularJS/Bootstrap as frontend and Zend2 Framework as REST API producer. The backend code This backend code reuses the database scheme and codes of the official Zend Tutorial, and REST API support is also from the Zend community. Getting Started with Zend Framework 2 Getting Started with REST and Zend Framework 2 Zend2 provides a   AbstractRestfulController   for RESR API producing. class AlbumController extends AbstractRestfulController { public function getList() { $results = $this->getAlbumTable()->fetchAll(); $data = array(); foreach ($results as $result) { $data[] = $result; } return new JsonModel(array( 'data' => $data) ); } public function get($id) { $album = $this->getAlbumTable()->getAlbum($id); return new JsonModel(array("data" =...

JPA 2.1: Attribute Converter

JPA 2.1: Attribute Converter If you are using Hibernate, and want a customized type is supported in your Entity class, you could have to write a custom Hibernate Type. JPA 2.1 brings a new feature named attribute converter, which can help you convert your custom class type to JPA supported type. Create an Entity Reuse the   Post   entity class as example. @Entity @Table(name="POSTS") public class Post implements Serializable { private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.AUTO) @Column(name="ID") private Long id; @Column(name="TITLE") private String title; @Column(name="BODY") private String body; @Temporal(javax.persistence.TemporalType.DATE) @Column(name="CREATED") private Date created; @Column(name="TAGS") private List<String> tags=new ArrayList<>(); } Create an attribute convert...

Auditing with Hibernate Envers

Auditing with Hibernate Envers The approaches provided in JPA lifecyle hook and Spring Data auditing only track the creation and last modification info of an Entity, but all the modification history are not tracked. Hibernate Envers fills the blank table. Since Hibernate 3.5, Envers is part of Hibernate core project. Configuration Configure Hibernate Envers in your project is very simple, just need to add   hibernate-envers   as project dependency. <dependency> <groupId>org.hibernate</groupId> <artifactId>hibernate-envers</artifactId> </dependency> Done. No need extra Event listeners configuration as the early version. Basic Usage Hibernate Envers provides a simple   @Audited   annotation, you can place it on an Entity class or property of an Entity. @Audited private String description; If   @Audited   annotation is placed on a property, this property can be tracked. @Entity @Audited public clas...