> I have many Grails books but most of them discuss JSecurity plugin and each
> book covers it differently.
Examples that cover the JSecurity plugin should apply to the Shiro
plugin too. The most obvious difference is in the package names for
the JSecurity/Shiro classes.
> Our system uses the usual suspects: User, Role, Permission,
> UserPermissionRel
> I have to secure both, the controller and parts of GSP
> I created the Realm file by following the source code of some Grails books.
> Now the security filter, would you please tell me what should be in it?
> Why do we need a security filter in the first place?
The Shiro plugin integrates with standard Grails filters to protect
your application's pages. If you're not sure what Grails filters are,
please read the Grails user guide.
For Shiro, you need to implement "before" interceptors like so:

    class SecurityFilters {
        def filters = {
            // Applies to every controller and every action
            all(controller: "*", action: "*") {
                before = {
                    accessControl {
                        role("Administrator")
                    }
                }
            }
        }
    }

The only bit specific to Shiro is the "accessControl" method. The
above will ensure that only someone with the "Administrator" role can
access the application's pages (since the filter applies to all
controllers and actions).

If you have fairly simple requirements, a better approach is to follow
the quick-start guide on the plugin page:

http://www.grails.org/plugin/shiro

If you do follow those instructions, be sure to clear your script
cache first (~/.grails/<grailsVersion>/scriptCache). Once you have
installed the new realm and SecurityFilters class, you can open up
your application by assigning permission to users or roles.

Say you have a "book" controller and a user called "dilbert". You can
give dilbert access to the book controller by assigning the
appropriate permission:

    def user = SecUser.findByUsername("dilbert")
    user.addToPermissions("book")
    user.save()

The above will allow dilbert to access all book actions. You can limit
the actions by specifying a slightly different permission:

    user.addToPermissions("book:list,show")

> Should my controllers implement one of Shiro interfaces?
No.
Hope that helps,
Peter
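
An added illustration, not part of the original message and not the plugin's or Shiro's own code: a simplified Groovy model of how wildcard permission strings such as "book" and "book:list,show" are matched, useful for checking how much a grant really opens up. It assumes the filter checks a "controller:action" permission for each request; parse, implies and permitted are hypothetical helper names.

```groovy
// Simplified model of Shiro-style wildcard permission matching (illustration only).
// Parts are separated by ':', alternatives inside a part by ',', and '*' matches anything.
// Matching is case-insensitive, as it is in Shiro by default.
List<Set<String>> parse(String permission) {
    permission.trim().toLowerCase().split(':').collect { part ->
        part.split(',').collect { it.trim() } as Set
    }
}

boolean implies(String granted, String requested) {
    def have = parse(granted)
    def want = parse(requested)
    for (int i = 0; i < want.size(); i++) {
        // The grant has fewer parts than the request: everything below it is implied.
        if (i >= have.size()) return true
        if (!have[i].contains('*') && !have[i].containsAll(want[i])) return false
    }
    // The grant has more parts than the request: the extra parts must all be wildcards.
    for (int i = want.size(); i < have.size(); i++) {
        if (!have[i].contains('*')) return false
    }
    return true
}

// Assumption: each request is checked as "<controller>:<action>".
boolean permitted(Collection<String> grants, String controller, String action) {
    grants.any { implies(it, "${controller}:${action}") }
}

// Constructed sample grants, mirroring the two permissions in the message.
def broad  = ['book']            // every action on the book controller
def narrow = ['book:list,show']  // only the list and show actions

assert permitted(broad, 'book', 'list')
assert permitted(broad, 'book', 'delete')      // the short form also covers destructive actions
assert permitted(narrow, 'book', 'show')
assert !permitted(narrow, 'book', 'delete')    // limited grant stops here
assert !permitted(narrow, 'author', 'list')    // other controllers stay closed
assert permitted(['*:list'], 'author', 'list') // wildcard in the controller part

println 'all permission checks behaved as expected'
```

Granting the bare controller name covers any action added to that controller later, so the "controller:action,action" form is the least-privilege choice when a user only needs to read.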