Security – authentication

In this blog post I will look into authentication.

XPages has a built-in authentication mechanism. In order to enable authentication I edited the application’s ACL, removing anonymous access and adding the appropriate users / groups.

Grails does not have built-in authentication. The documentation chapter on Authentication describes how to implement your own authentication using interceptors, and continues with a recommendation to use an established security framework.

I decided to try Spring Security, which seems to cover our needs. I haven’t come around to try any other authentication implementations.


When moving to Grails I wanted to be able to secure the application better by adding two-factor authentication (2FA) with the use of Google Authenticator.

Making the application harder to penetrate is logical. I read somewhere that <1% of all breaches have 2FA configured.

Getting started with Spring security core plugin

In order to get a feel for the plugin I started with a new project and followed the current user guide found here:

Here’s the short version of making it work.

Create and configure an application

# Open a terminal, cd into a desired base directory
grails create-app ssctest1 --profile web

Import the new project into IDEA.

Edit build.gradle:

dependencies {
compile 'org.grails.plugins:spring-security-core:4.0.0'

Initialize spring security core from the terminal:

cd ssctest1
grails s2-quickstart User Role

Edit BootStrap.groovy – add user and role initialization to init:

package ssctest1

import groovy.util.logging.Slf4j

class BootStrap {

    def init = { servletContext ->"Bootstrap!")
        def adminRole = Role.findByAuthority('ROLE_ADMIN')
        if (!adminRole) {
            Role.withNewTransaction {
                adminRole = new Role(authority: 'ROLE_ADMIN')
  "Adding role ROLE_ADMIN")
        def adminUser = User.findByUsername('admin')
        if (!adminUser) {
            User.withNewTransaction {
                adminUser = new User(username: 'admin', password: 'password')
  "Adding user admin")
        def adminUserRole = UserRole.get(,
        if (!adminUserRole) {
            UserRole.withNewTransaction {
                adminUserRole = new UserRole(user: adminUser, role: adminRole)
  "adding userrole")
    def destroy = {

You should be able to run the application, and log in with the credentials admin / password.


In the next blog post I will add the code to make 2FA with Google Authenticator work.