Grails - Role based security on Jetty & JBoss

Today's challenge... Security!

Hardly a challenge at all really: the JSecurity Plugin - Quick Start takes you through everything you need to do, and there’s also an AcegiSecurity Plugin, if that’s your bag.

There you go, post done.

Well… unless you want/need to use JEE role based authentication at the application server level. That’s a little more involved.

Unfortunately, this involves a little jiggery pokery in grails itself, but this is only really to have the bundled jetty server include some security configuration. The intention here is, after all, having the authentication at the application server level. The task has been covered admirably at the coders corner in the article Setting up Grails to work with JEE role based authentication. This then goes on to expand on how to expose the grails project’s web.xml, in order to configure the access:

grails install-templates

And what you need to put in src/templates/web.xml to configure the access is covered in Using Role based security, in much greater detail than I would want to duplicate here.

There really is nothing to add so far, the steps described just work.

The next step took a bit more digging and looking outside of grails-oriented guides. The actual deployment environment I have to target is JBoss, but the best description of the security configuration I found was in the article JBoss Role-Based Security.

This got me 90% there. To bend it to grails, I had to add a little bit more to the jboss-web.xml file I added for deploying to JBoss:

<context-root>/my_app</context-root> 
<security-domain>java:/jaas/my_app_policy</security-domain>

Obviously making sure the domain matched what I had put in the JBoss configuration. I also happened to include two properties files for roles and users in src\java so they were deployed with the application, and referenced these in the JBoss configuration file login-config.xml:

<application-policy name="my_app_policy">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">my_app-users.properties</module-option>
      <module-option name="rolesProperties">my_app-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

This has worked for me locally, but as I describe it, I feel that it is a bit odd having a dependency between the server configuration and specific files in a deployed application, even though their absence doesn’t seem to cause a problem. I think I might move those into the folder along with login-config.xml.

I also believe that these could just as easily be the default files JBoss expects, by not specifying the above module-option elements.
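As an added example that is not part of the original post, the script below puts the two pieces of configuration discussed above side by side: a web.xml fragment with security-constraint elements (the access configuration that Using Role based security covers) and a roles file in the format UsersRolesLoginModule reads (one `user=role[,role...]` line per user; the companion users file holds `user=password` lines). Both sample files, the user names and the role names are constructed here, and the helper functions are mine, not grails or JBoss tooling. The check it runs is the one worth doing before deploying: a role that web.xml requires but that no user holds makes every URL behind it unreachable, and the sample constraint deliberately lists no http-method elements, since naming some methods would leave the unnamed ones unprotected.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the roles a web.xml
# requires against the roles granted in a UsersRolesLoginModule roles file.
# All file contents, user names and role names below are constructed samples.

SAMPLE_WEB_XML=$(mktemp)
SAMPLE_ROLES=$(mktemp)
trap 'rm -f "$SAMPLE_WEB_XML" "$SAMPLE_ROLES"' EXIT

# Constructed web.xml fragment. No <http-method> elements are listed inside the
# security-constraint on purpose: listing some would leave the others unprotected.
cat > "$SAMPLE_WEB_XML" <<'EOF'
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports</web-resource-name>
    <url-pattern>/report/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>auditor</role-name>
  </auth-constraint>
</security-constraint>
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>auditor</role-name></security-role>
EOF

# Constructed roles file in UsersRolesLoginModule format: user=role[,role...]
# (the companion users file holds user=password lines and is not needed here).
cat > "$SAMPLE_ROLES" <<'EOF'
# roles granted to each user
alice=admin,user
bob=user
EOF

# required_roles WEBXML: distinct role names referenced anywhere in the fragment
required_roles() {
  sed -n 's/.*<role-name>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*<\/role-name>.*/\1/p' "$1" | sort -u
}

# granted_roles ROLESFILE: distinct roles held by at least one user
granted_roles() {
  grep -v '^[[:space:]]*#' "$1" | grep '=' | cut -d= -f2- \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# unmatched_roles WEBXML ROLESFILE: roles web.xml requires that nobody holds;
# every URL behind such a role is unreachable for all users.
unmatched_roles() {
  req=$(mktemp); gr=$(mktemp)
  required_roles "$1" > "$req"
  granted_roles "$2" > "$gr"
  comm -23 "$req" "$gr"
  rm -f "$req" "$gr"
}

printf 'roles required by web.xml: %s\n' "$(required_roles "$SAMPLE_WEB_XML" | tr '\n' ' ')"
printf 'roles granted in properties: %s\n' "$(granted_roles "$SAMPLE_ROLES" | tr '\n' ' ')"
printf 'required but held by nobody: %s\n' "$(unmatched_roles "$SAMPLE_WEB_XML" "$SAMPLE_ROLES" | tr '\n' ' ')"
```

Run it as-is and it reports `auditor` as required but held by nobody; point the three functions at a real exploded web.xml and roles file to run the same check against a deployment.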

All this done…

It didn’t work!

As soon as I tried to access a protected resource, I got a 404 error trying to locate the authentication controller actions I have in my application!

I couldn’t find a clear reference to this problem, but the following entry on the struts issues dashboard, “Action’s can’t be used for web.xml declarative security URL’s”, certainly describes the problem and also provided me with a fudge solution.

I edited my web.xml to point at a jsp:

<login-config> 
  <auth-method>FORM</auth-method> 
  <form-login-config> 
    <form-login-page>/login_redirect.jsp</form-login-page> 
    <form-error-page>/login_redirect.jsp?success=false</form-error-page> 
  </form-login-config> 
</login-config>

and added a login_redirect.jsp:

<%
  // The container uses this page as both the form-login-page and the
  // form-error-page (the latter with success=false), so hand off to the
  // grails controller actions the container could not resolve directly.
  if ("false".equals(request.getParameter("success"))) {
    response.sendRedirect(request.getContextPath() + "/auth/failed");
  } else {
    response.sendRedirect(request.getContextPath() + "/auth/login");
  }
%>

Now it works!
