Security – authentication


In this blog post I will look into authentication.

XPages has a built-in authentication mechanism. In order to enable authentication I edited the application’s ACL, removing anonymous access and adding the appropriate users / groups.

Grails does not have built-in authentication. The documentation chapter on Authentication describes how to implement your own authentication using interceptors, and continues with a recommendation to use an established security framework.

I decided to try Spring Security, which seems to cover our needs. I haven’t gotten around to trying any other authentication implementations.

2FA

When moving to Grails I wanted to be able to secure the application better by adding two-factor authentication (2FA) with the use of Google Authenticator.

Making the application harder to penetrate is logical. I read somewhere that <1% of all breaches have 2FA configured.

Getting started with Spring security core plugin

In order to get a feel for the plugin I started with a new project and followed the current user guide found here: https://grails-plugins.github.io/grails-spring-security-core/

Here’s the short version of making it work.

Create and configure an application

# Open a terminal, cd into a desired base directory
grails create-app ssctest1 --profile web

Import the new project into IDEA.

Edit build.gradle:

dependencies {
..
compile 'org.grails.plugins:spring-security-core:4.0.0'
..
}

Initialize spring security core from the terminal:

cd ssctest1
grails s2-quickstart no.prpr.security User Role

Edit BootStrap.groovy – add user and role initialization to init:

package ssctest1

import groovy.util.logging.Slf4j
import no.prpr.security.Role
import no.prpr.security.User
import no.prpr.security.UserRole

@Slf4j
class BootStrap {

    def init = { servletContext ->
        log.info("Bootstrap!")
        // Seed the admin role if it does not exist yet
        def adminRole = Role.findByAuthority('ROLE_ADMIN')
        if (!adminRole) {
            Role.withNewTransaction {
                adminRole = new Role(authority: 'ROLE_ADMIN')
                adminRole.save()
            }
            log.info("Adding role ROLE_ADMIN")
        }
        // Seed the admin user; the s2-quickstart-generated User class hashes
        // the password in beforeInsert(), so the plain value is passed here
        def adminUser = User.findByUsername('admin')
        if (!adminUser) {
            User.withNewTransaction {
                adminUser = new User(username: 'admin', password: 'password')
                adminUser.save()
            }
            log.info("Adding user admin")
        }
        // Link user and role through the generated UserRole join class
        def adminUserRole = UserRole.get(adminUser.id, adminRole.id)
        if (!adminUserRole) {
            UserRole.withNewTransaction {
                adminUserRole = new UserRole(user: adminUser, role: adminRole)
                adminUserRole.save()
            }
            log.info("adding userrole")
        }
    }
    def destroy = {
    }
}

You should be able to run the application, and log in with the credentials admin / password.
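A hardened variant of the BootStrap above, added here as an example (it is not code from the original post): it takes the admin password from an environment variable (the variable name is an assumption), refuses to seed the well-known default credential when running in production, and saves with failOnError so a constraint violation aborts startup instead of silently leaving the user or role unseeded. It assumes the same s2-quickstart-generated User, Role and UserRole classes, including the generated UserRole.create and UserRole.exists helpers.

```groovy
package ssctest1

import grails.util.Environment
import groovy.util.logging.Slf4j
import no.prpr.security.Role
import no.prpr.security.User
import no.prpr.security.UserRole

// Hardened BootStrap (added example, not from the original post).
@Slf4j
class BootStrap {

    // Assumed variable name; any name works as long as the deployment sets it
    static final String ADMIN_PASSWORD_VAR = 'SSCTEST1_ADMIN_PASSWORD'

    def init = { servletContext ->
        String adminPassword = System.getenv(ADMIN_PASSWORD_VAR)
        if (!adminPassword) {
            if (Environment.current == Environment.PRODUCTION) {
                // Never seed a well-known default credential into a production database
                throw new IllegalStateException("${ADMIN_PASSWORD_VAR} must be set in production")
            }
            adminPassword = 'password'   // development/test convenience only
            log.warn("${ADMIN_PASSWORD_VAR} not set; using the development default")
        }

        // One transaction for the whole seed; failOnError turns a failed save
        // (e.g. a duplicate username) into an exception instead of a silent null
        User.withTransaction {
            Role adminRole = Role.findByAuthority('ROLE_ADMIN') ?:
                new Role(authority: 'ROLE_ADMIN').save(failOnError: true)

            User adminUser = User.findByUsername('admin')
            if (!adminUser) {
                // The generated User class hashes the password in beforeInsert()
                adminUser = new User(username: 'admin', password: adminPassword).save(failOnError: true)
                log.info('Created user admin')
            }

            if (!UserRole.exists(adminUser.id, adminRole.id)) {
                UserRole.create(adminUser, adminRole, true)   // generated helper: create(user, role, flush)
                log.info('Granted ROLE_ADMIN to admin')
            }
        }
    }

    def destroy = { }
}
```

In development the login admin / password from the post still works; in production the application refuses to start until the variable is set.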

Next

In the next blog post I will add the code to make 2FA with Google Authenticator work.