
I'm new to Grails and using some Shiro security. I have made a little site with a login page, and if the login is successful it redirects me to another logged-in page.

Now I want to implement Shiro security. I have run that plugin and the quick start app of Shiro on a new Grails project.

What I want to achieve is: how can I implement my security on my own pages using the Quick Start files and code? Please guide me a little. Which files should I use from that quick start and what changes should I make?

Waiting for some positive response :)

Shah

1 Answer

Let's first start with a fresh app:

grails create-app ShiroDemo

Now install shiro by adding it to the plugins section of BuildConfig.groovy:

plugins { compile ":shiro:1.1.4" }

We need the auth controller and the wildcard realm:

grails create-auth-controller
grails create-wildcard-realm

Now let's create a dummy user with the needed role and permissions in BootStrap.groovy:

import org.apache.shiro.crypto.hash.Sha256Hash

class BootStrap {
    def init = { servletContext ->
        // Role for the test user; permissions use Shiro's "controller:action" wildcard syntax.
        def roleUser = new ShiroRole(name:'USER')
        roleUser.addToPermissions('auth:*')            // every action of the AuthController
        roleUser.addToPermissions('controller:action') // one specific controller/action pair
        roleUser.save(flush:true, failOnError: true)
        // Only the SHA-256 hex digest of the password is stored, never the plain text.
        def testUser = new ShiroUser(username:'kermit', passwordHash:new Sha256Hash("password").toHex())
        testUser.addToRoles(roleUser)
        testUser.save(flush:true, failOnError: true)
    }
    def destroy = {
    }
}

Take a look at the roleUser.addToPermissions lines. Here you grant permissions to your controllers and actions. If the role is missing a permission, a user will be redirected to the access denied page. You'll find a good description of how to specify permissions on the shiro plugin page: http://www.grails.org/plugin/shiro You'll have to add more permissions for the rest of your application functionality. You can add those permissions also directly to the user - sometimes useful for testing or if you don't want to set up a new role for something special.

btw: make sure to use the Sha256Hash and not the Sha1Hash, which will not work with the current shiro version.

The last thing we have to do is create the /conf/SecurityFilters.groovy class:

class SecurityFilters {
    def filters = {
        all(uri: "/**") {
            before = {
                // Ignore direct views (e.g. the default main index page).
                if (!controllerName) return true

                // Access control by convention.
                accessControl()
            }
        }
    }
}

This will install access control for all controllers but not direct views (our index page).

Now give it a try and run your project:

grails run-app

Hope that helps!

rdmueller
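To see which requests the USER role above actually gets through accessControl(), here is an added example (not from the answer and not the Shiro plugin's code): a stand-alone Python model of Shiro's "domain:action" wildcard permission matching, applied to the two permission strings from BootStrap.groovy. It assumes, as the answer says, that accessControl() checks "controllerName:actionName", and defaulting a missing action to "index" is this model's assumption.

```python
# Stand-alone model of Shiro WildcardPermission matching (constructed example,
# not Shiro's own code): ':' separates parts, ',' separates alternatives within
# a part, '*' matches anything, and matching is case-insensitive.
PART_DIVIDER = ":"
SUBPART_DIVIDER = ","
WILDCARD = "*"


def parse_permission(perm):
    """Split 'auth:*' into [{'auth'}, {'*'}]; tokens are lower-cased."""
    parts = []
    for part in perm.strip().split(PART_DIVIDER):
        tokens = {t.strip().lower() for t in part.split(SUBPART_DIVIDER) if t.strip()}
        if not tokens:
            raise ValueError("permission %r has an empty part" % perm)
        parts.append(tokens)
    return parts


def implies(granted, requested):
    """True if the granted permission string covers the requested one."""
    g, r = parse_permission(granted), parse_permission(requested)
    for i, r_part in enumerate(r):
        if i >= len(g):
            # Granted string is shorter: everything after its last part is implied.
            return True
        if WILDCARD not in g[i] and not r_part <= g[i]:
            return False
    # Extra trailing parts in the granted string must all be wildcards.
    return all(WILDCARD in g_part for g_part in g[len(r):])


def is_allowed(role_permissions, controller, action="index"):
    """Model of accessControl(): the request needs '<controller>:<action>'.
    Using 'index' when no action is given is an assumption of this model."""
    requested = "%s:%s" % (controller, action)
    return any(implies(p, requested) for p in role_permissions)


# Constructed sample: the permissions BootStrap.groovy gives the USER role.
USER_ROLE = ["auth:*", "controller:action"]

if __name__ == "__main__":
    for ctrl, act in [("auth", "login"), ("controller", "action"),
                      ("controller", "delete"), ("user", "list")]:
        verdict = "allowed" if is_allowed(USER_ROLE, ctrl, act) else "denied (access denied page)"
        print("%s/%s: %s" % (ctrl, act, verdict))
```

Every controller/action pair your application exposes must be covered by some granted string, or the user lands on the access denied page; the model lets you check a role's permission list before wiring it into a realm.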
  • Dear Ralf. Of course for that we need to add User and Role domain classes. Can you please edit the content for the User and Role domain? Please. :) And also, should we create the views using the command grails generate-views? – Shah Apr 29 '11 at 07:33
  • the example is complete and working - the ShiroRole and ShiroUser are generated by the statements above! – rdmueller Apr 29 '11 at 07:39
  • Dear Ralf, your guidance is perfect, thanks. Well, now I want that: I already have User and Role classes and an index page (views). I have a controller named UserController with the actions login and logout. Now how can I apply that security to that code? – Shah Apr 29 '11 at 07:39
  • If you need to administrate your users, you can create views and controllers for the ShiroUser and ShiroRole through the standard grails mechanisms (generate-all). – rdmueller Apr 29 '11 at 07:40
  • If you want to use your own AuthController, just take a look at the auto-generated one and copy & paste the signIn and signOut code. Unfortunately, the location for the login page seems to be hardcoded. So whenever the system needs to redirect to the login page, it will redirect to /auth/login - you may use the UrlMappings to redirect this to your own controller. – rdmueller Apr 29 '11 at 07:45
  • If you need to use your own User and Role classes, it makes sense to inherit from the shiro ones (extends ShiroUser). Another way would be to just add the additional properties you need to the ShiroUser and ShiroRole. If both ways do not fit, I guess it is enough to rewrite (search & replace?) the Realm class. This is where the ShiroUser and ShiroClass are referenced. – rdmueller Apr 29 '11 at 07:49
  • @Ralf, I tried to apply your solution, but I get the following error message when I try to log in: `groovy.lang.MissingMethodException: No signature of method: static ShiroUser.findByUsername() is applicable for argument types: (java.lang.String) values: [kermit]`. As I understand, adding the `.findByXYZ()` method is one of grails metaprogramming features. Do you have any idea on what might go wrong here? – mzuba Sep 25 '11 at 11:14
  • ah, nevermind, I found out my mistake. Turns out it has to do with packages as well. – mzuba Sep 25 '11 at 13:03