Spring Security (a.k.a. ACEGI)
- has users with roles
- to restrict users at a more fine-grained level, use interceptors in your controller
- LDAP support
- integration with CAS single-sign-on
- has a new ACL option for the Grails Plugin
- somewhat 'heavy-handed'
// Runs before every action in this controller except 'list'; a method reference
// (this.&) is used so the interceptor is resolved when the action is invoked
def beforeInterceptor = [action: this.&checkViewableSites, except: 'list']

// 'user' is assumed to be the currently logged-in user exposed to the controller.
// Returning false aborts the action after the 403 has been sent.
def checkViewableSites() {
    def site = Site.get(params.id)
    if (!site || !user.viewableSites.contains(site)) {
        response.sendError(403)
        return false
    }
    return true
}
Apache Shiro (a.k.a. JSecurity)
- has support for permissions out of the box
- LDAP support with Shiro plugin
- easy to customize
- Grails Nimble plugin that allows permissions on three levels: users, groups, and roles
- Nimble plugin has an easy to use UI component for adding/modifying users and permissions
- Nimble plugin has support for authentication through Facebook and OpenID out of the box
- profile:edit:1 - this means a person can edit only the Profile object with id 1
- profile:*:* - this means that a person can do anything to any Profile object
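Shiro's permission strings are matched by its WildcardPermission class, and the two examples above are easiest to understand by running that matcher directly. The following Groovy script is an added example, not code from the original post or from the Shiro or Nimble projects; it pulls shiro-core with @Grab (the version pinned there is an assumption, any 1.x release has this class) and asserts which granted permissions cover which required ones.

```groovy
@Grab('org.apache.shiro:shiro-core:1.4.0')
import org.apache.shiro.authz.permission.WildcardPermission

// Does a permission string held by a user cover the permission an action requires?
// This is the same check SecurityUtils.subject.isPermitted(...) performs once the
// user's permissions have been loaded from the realm.
boolean grants(String granted, String required) {
    new WildcardPermission(granted).implies(new WildcardPermission(required))
}

// profile:edit:1 covers exactly one action on exactly one object
assert grants('profile:edit:1', 'profile:edit:1')
assert !grants('profile:edit:1', 'profile:edit:2')     // different instance
assert !grants('profile:edit:1', 'profile:delete:1')   // different action
assert !grants('profile:edit:1', 'profile:edit')       // the broader permission is not implied

// profile:*:* covers any action on any Profile, but nothing outside that domain
assert grants('profile:*:*', 'profile:delete:42')
assert !grants('profile:*:*', 'site:edit:1')

// Trailing parts that are left out are treated as "everything", so profile:*
// behaves like profile:*:*; a comma lists several actions in one part
assert grants('profile:*', 'profile:edit:7')
assert grants('profile:edit,view:1', 'profile:view:1')
assert !grants('profile:edit,view:1', 'profile:delete:1')

println 'all permission checks passed'
```

In a Grails controller using the Shiro plugin the equivalent runtime check is `SecurityUtils.subject.isPermitted("profile:edit:${params.id}")`, so granting a user `profile:edit:1` in Nimble's UI lets exactly that one check succeed, while `profile:*:*` makes every `profile:` check succeed for that user.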
Weird comparison - you describe Spring Security but use a trivial Grails interceptor that has nothing to do with Spring Security.
I have come from the Grails world, back to Spring (now 3). I used JSecurity. In SecurityFilters I could do this,
// Build an alternation of every controller's logical name, e.g. "(book|author|site)"
def controllerList = application.controllerClasses
def controllerRule = "("
controllerList.each {
    controllerRule += it.logicalPropertyName + "|"
}
// Remove the last pipe (the original referenced an undefined 'simple' here)
controllerRule = controllerRule.substring(0, controllerRule.size() - 1)
controllerRule += ")"
It was a Groovy file and I could dynamically create a role and apply it to each action (and the corresponding URLs), but in Spring with Spring Security I am lost. What I see is XML files with hard-coded rules like
and some variations that I don't get a bit. I have set up everything else in Spring 3 as I got out of the box with Grails (with the benefit of not having clumsy Grails code and memory issues), like meta main (with SiteMesh), controllers and actions (in the form of @Controller and @RequestMapping), but this security thing is really freaking me out. There are things like authorities and groups. Voters (what the hell are they for?) that might be what I needed, but I can't get them into my head. What I really wanted in an application is to create new rules via a web page and assign the URLs of @RequestMapping of normal .htm URLs to different rules. At @RequestMapping I would just want to perform CRUD and many more operations, which I want to assign to different roles. And later, while the application is operational on the client's server, if the client requested a new kind of role, e.g. one staff member that could only read and update (specific URLs of controllers) some controllers, without needing me to edit the XML file to add a new ROLE_WHATEVER, assign URLs to it and assign them to users. I did not get any answer. So could you direct me in a direction where I could get the same level of flexibility either with Spring Security or Shiro (JSecurity)?
@Burt - It's a Grails-specific post, goof. Don't worry, Shiro is overall better in every way no matter how it's demonstrated. Bye bye to stupid security problems and the complex bloatware known as "Spring Security". Shiro > Spring Obfuscation
Whoever is reading this post, I would advise not using the Nimble plugin for any new projects. The plugin is dead and is not being upgraded any more.
I will probably write an updated post now that Nimble is no longer being supported, although it is open source and all of the code is available on GitHub.