
So I need some help with the layout/structure of my project. I am making a website and so far I have a working login page which authenticates the user with Apache Shiro against an LDAP server and redirects the user to a splash page. Depending on the permissions the user has, they should/should not be able to view certain things on the splash page.

What I would like to do is create a new ShiroUser from the session information (i.e. the user who just logged in) and assign them some roles. So for example,

def shiroUser = new ShiroUser()
shiroUser.username = session.username
shiroUser.addToRoles(ShiroRole.findByName('ROLE_USER'))
shiroUser.save()

and ROLE_USER would be defined by

def shiroRole = new ShiroRole()
shiroRole.name='ROLE_USER'
shiroRole.save()

Right now I'm just interested in hard coding it and later adapting it to look up in a table and assign roles based off of values in that table.

What I'm wondering is

  • Where do I put this stuff?
  • Do I create a new controller for this?
  • Where do I define the shiroRoles?
  • Is this even smart to do? (Creating a new ShiroUser every time someone logs in)

I've never built a website before, so I'm not sure how I should structure the code or where to put stuff. (I'm using GGTS by the way.) Some direction/advice would be greatly appreciated! I'm using lots of books like Grails in Action, Making Java Groovy, and The Definitive Guide to Grails 2 to help, but most of their examples don't match up with what I would like to do. If there are any tutorials out there that I haven't found, I am interested in seeing them. (I've looked through a lot, but they just have snippets of code like I listed, but don't specify where they actually go!)

icedwater
mjswartz

1 Answer


I did something similar:

https://github.com/vahidhedayati/kchat/blob/master/grails-app/domain/kchat/UserDetails.groovy

but in my case I was creating a user in my app and storing various LDAP information which I later used my own filtering checks in securityFilters to ensure their LDAP group or userID matched my internal pass / fail rule which gave true/false access via securityFilters for a given action/controller call.

Also this https://github.com/vahidhedayati/customshiro is probably a better explanation of the above implementation.

These may help you come up with a better design for your needs:

how to implement Shiro Security of Grails in my Project

Secure some, but not all pages in a Grails application with the Shiro plugin

http://coderberry.me/blog/2012/04/26/grails-authentication-with-shiro/.

You should either use SecurityFilters (as seen in some of the above links), i.e.:

browseStore(controller:"store", action:"(show|list)") {
    before = {
        // Ignore direct views (e.g. the default main index page).
        if (!controllerName) return true

        // Access control by convention.
        accessControl()
    }
}

or, more tediously, in controllers to match backend credentials:

SecurityUtils.subject.isPermitted("someController:someAction")
or
if (SecurityUtils.subject.isPermitted("printer:query:lp7200")) {
    // Return the current jobs on printer lp7200
}

For further frontend checks in your gsp : how to detect whether a uri is allow by shiro or extract controller name from uri

<shiro:hasPermission permission="someController:someAction">
     <g:link...>
</shiro:hasPermission>
<shiro:lacksPermission permission="someController:someAction">
     No link
</shiro:lacksPermission> 

E2A: In my initial methods, the control of user/users department for a given controller action call + even further checks internally to this app environment and appId (these are internal values passed around) are all dynamic, and even though SecurityFilters is configured, the actual control is passed to my customised check which relies on DB entries to validate. Now, this being DB means you can update or add permissions to a given user/department user group without having to update backend Controller/SecurityFilters. I had to put this on a gist, otherwise it would be a chapter's worth to answer it:

https://gist.github.com/vahidhedayati/71d92f8153ade5d732b3

Some other stuff that might be of help: take a look at the arrested plugin. Demo site here, which has the compiled output of the plugin: github.com/vahidhedayati/testingarrested

V H
  • So an updated version of my question is this: where should I create a new ShiroUser with the login credentials provided? In the AuthController file after a successful login, maybe? If so, how do I allow other controllers to access ShiroUser information like shiroUser.username? – mjswartz Jul 20 '15 at 15:51
  • If you're following my wild example, then refer to session.user or session.username, or, as always, whenever you are in doubt Shiro will return the actual user by running: def userid=SecurityUtils.subject.principal. You will see it used in here https://github.com/vahidhedayati/customshiro/blob/master/grails-app/controllers/customshiro/AuthController.groovy#L97-L117 and this is when successful I store the Shiro user into session.user and refer to it as that from there on. – V H Jul 20 '15 at 16:37
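As an added example (not part of the question or the answer above), here is one conventional Grails 2 + Shiro plugin layout for the three pieces the question asks about: roles defined once in BootStrap, a find-or-create step after the LDAP login instead of a fresh ShiroUser per login, and a role-based SecurityFilters rule for the splash page. It assumes the ShiroUser/ShiroRole domain classes shown in the question (username plus roles; if your ShiroUser also requires passwordHash, set it), and the service and controller names are hypothetical.

```groovy
// grails-app/conf/BootStrap.groovy: define roles once at startup, not per login.
class BootStrap {
    def init = { servletContext ->
        ShiroRole.findOrSaveByName('ROLE_USER')   // GORM 2.x dynamic finder
    }
}

// grails-app/services/ShiroUserSyncService.groovy (hypothetical name).
// Called from AuthController once Shiro has authenticated the subject against LDAP.
class ShiroUserSyncService {
    ShiroUser findOrCreate(String username) {
        // Re-use the existing row so repeated logins do not create duplicate users.
        ShiroUser user = ShiroUser.findByUsername(username)
        if (!user) {
            user = new ShiroUser(username: username)
            user.addToRoles(ShiroRole.findByName('ROLE_USER'))
            // failOnError surfaces constraint violations instead of silently returning null.
            user.save(flush: true, failOnError: true)
        }
        return user
    }
}

// grails-app/conf/SecurityFilters.groovy: the rule itself lives here, not in a controller.
class SecurityFilters {
    def filters = {
        // Splash page (hypothetical SplashController): only subjects holding ROLE_USER.
        splash(controller: "splash", action: "*") {
            before = {
                accessControl { role("ROLE_USER") }
            }
        }
        // Everything else falls back to the "controller:action" permission convention.
        everythingElse(uri: "/**") {
            before = {
                if (!controllerName) return true   // ignore direct views such as index.gsp
                accessControl()
            }
        }
    }
}
```

In the controller, `session.username` (or `SecurityUtils.subject.principal`, as the answer notes) is what you pass to `findOrCreate`; other controllers then read the user through the same session attribute or principal rather than a shared ShiroUser instance.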