4

I'm developing a web application with Grails 2.2.0 which does all actions through an implemented API which is calling another backend server. This means that all things, even the authentication and all related things, are done through the API and the corresponding backend server.

Now I wanted to use the SpringSecurity or Apache Shiro Plugin for authentication and role management, etc. but what I've come across is that all of them are using the domain classes in connection with the database, which is not what I intend to do... is there a possibility to use any of these plugins without the database connection and without the need to customize them to a high degree? Or is there another plugin, which I'm not aware of, which could bring the functionality I need 'hassle-free'?

I hope the question itself is clear enough, otherwise please don't hesitate to ask me for further/better explanation of my question :)

herom

2 Answers

4

The Spring Security Core plugin defaults to using domain classes and a database, but it's easy to customize the source of the user and role data with a custom UserDetailsService implementation. There's a whole chapter in the docs on this.

I also did a talk on customizing the plugin and included an example of a custom authentication provider. There's a sample app and link to the video of the talk here.

Burt Beckwith
  • thanks a lot for the blogpost and the link to your (very interesting!) talk - I've gone through both now and I'd really wish to try the implementation with the Spring Security Plugin ;) – herom Jan 28 '13 at 10:23
  • I've gone through both now and I'd really wish to try the implementation with the Spring Security Plugin ;) but, as always, I've got a few questions on this *g* and the first thing I want to know is, if it is necessary that the authentication of the user credentials (username, password) has to be within my Grails project? I'm just asking because all authentication is done through the backend within my project and I don't want to store the given password longer than necessary... – herom Jan 28 '13 at 10:30
  • Spring Security doesn't care where the data comes from. You just need to create a valid User instance for a custom UserDetailsService or the Authentication directly if creating a custom Provider. – Burt Beckwith Jan 28 '13 at 12:17
  • thanks a lot - I'm currently working on it - seems promising ;) – herom Jan 28 '13 at 14:49
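
The custom-provider route described in this answer and its comments, for the case where the backend server checks the password and the Grails app should not keep it (an added example, not code from the answer, the talk or the plugin). `BackendClient` and its `login` method are hypothetical stand-ins for the application's API client, and `SimpleGrantedAuthority` assumes Spring Security 3.1 or later.

```groovy
import org.springframework.security.authentication.AuthenticationProvider
import org.springframework.security.authentication.AuthenticationServiceException
import org.springframework.security.authentication.BadCredentialsException
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.authority.SimpleGrantedAuthority

// Hypothetical client for the backend API; not part of Spring Security or the plugin.
interface BackendClient {
    // Returns the user's role names (e.g. 'ROLE_USER') on success,
    // or null when the backend rejects the credentials.
    List<String> login(String username, String password)
}

class BackendAuthenticationProvider implements AuthenticationProvider {

    BackendClient backendClient   // injected as a Spring bean property

    @Override
    Authentication authenticate(Authentication auth) {
        String username = auth.name
        String password = auth.credentials?.toString()
        if (!username || !password) {
            throw new BadCredentialsException('Missing username or password')
        }
        List<String> roles
        try {
            roles = backendClient.login(username, password)
        } catch (IOException e) {
            // Backend unreachable: fail closed, and do not report it as a wrong password.
            throw new AuthenticationServiceException('Authentication backend unavailable', e)
        }
        if (roles == null) {
            // Same message for unknown user and wrong password.
            throw new BadCredentialsException('Bad credentials')
        }
        def authorities = roles.collect { new SimpleGrantedAuthority(it) }
        // Credentials are passed as null so the password is not retained in the
        // Authentication object that is stored with the HTTP session.
        def result = new UsernamePasswordAuthenticationToken(username, null, authorities)
        result.details = auth.details
        return result
    }

    @Override
    boolean supports(Class<?> authentication) {
        UsernamePasswordAuthenticationToken.isAssignableFrom(authentication)
    }
}
```

The provider takes effect once it is defined as a bean and its bean name is listed in the plugin's `providerNames` setting.
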
1

The Apache Shiro plugin does not force you to use the domain classes or a database. You can have a Shiro Realm (place it in grails-app/realms) which will delegate the authentication and authorization to the backend server. This should be something like:

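import org.apache.shiro.authc.SimpleAccount

class BackendServerRealm {
   // service that talks to the backend server (assumed to be injected by Grails by name)
   def backendService

   def authenticate(authToken) {
       // call backend authentication with credentials from authToken
       def user = backendService.authenticate(authToken.username, authToken.password)
       ...
       new SimpleAccount(user.username, user.password, "BackendServerRealm")
   }
}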

Shiro simply provides you with the infrastructure for performing authentication and authorization, but you can plug in your own implementation quite easily.

Dror Bereznitsky
  • thanks for the suggestion on Shiro @drorb - but I decided to work with the Spring Security Plugin ;) – herom Jan 29 '13 at 14:04