In this blog post I will look into authentication.
XPages has a built-in authentication mechanism. In order to enable authentication I edited the application’s ACL, removing anonymous access and adding the appropriate users / groups.
Grails does not have built-in authentication. The documentation chapter on Authentication describes how to implement your own authentication using interceptors, and continues with a recommendation to use an established security framework.
I decided to try Spring Security, which seems to cover our needs. I haven’t gotten around to trying any other authentication implementations.
2FA
When moving to Grails I wanted to be able to secure the application better by adding two-factor authentication (2FA) with the use of Google Authenticator.
Making the application harder to break into is the obvious motivation. I read somewhere that fewer than 1% of all breached accounts had 2FA configured.
Getting started with the Spring Security Core plugin
In order to get a feel for the plugin I started with a new project and followed the current user guide found here: https://grails-plugins.github.io/grails-spring-security-core/
Here’s the short version of making it work.
Create and configure an application
# Open a terminal, cd into a desired base directory
grails create-app ssctest1 --profile web
Import the new project into IDEA.
Edit build.gradle:
dependencies {
    ..
    compile 'org.grails.plugins:spring-security-core:4.0.0'
    ..
}
Initialize spring security core from the terminal:
cd ssctest1
grails s2-quickstart no.prpr.security User Role
Edit BootStrap.groovy – add user and role initialization to init:
package ssctest1

import groovy.util.logging.Slf4j
import no.prpr.security.Role
import no.prpr.security.User
import no.prpr.security.UserRole

@Slf4j
class BootStrap {

    def init = { servletContext ->
        log.info("Bootstrap!")

        // Create the admin role if it does not exist yet
        def adminRole = Role.findByAuthority('ROLE_ADMIN')
        if (!adminRole) {
            Role.withNewTransaction {
                adminRole = new Role(authority: 'ROLE_ADMIN')
                adminRole.save()
            }
            log.info("Adding role ROLE_ADMIN")
        }

        // Create the admin user if it does not exist yet
        def adminUser = User.findByUsername('admin')
        if (!adminUser) {
            User.withNewTransaction {
                adminUser = new User(username: 'admin', password: 'password')
                adminUser.save()
            }
            log.info("Adding user admin")
        }

        // Link the admin user to the admin role
        def adminUserRole = UserRole.get(adminUser.id, adminRole.id)
        if (!adminUserRole) {
            UserRole.withNewTransaction {
                adminUserRole = new UserRole(user: adminUser, role: adminRole)
                adminUserRole.save()
            }
            log.info("adding userrole")
        }
    }

    def destroy = {
    }
}
You should be able to run the application, and log in with the credentials admin / password.
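The quickstart bootstrap above ships with a fixed admin password, which is fine for a test project but not for anything deployed. As an added example that is not part of the original post, here is a variant of the same BootStrap.groovy that takes the initial admin password from an environment variable (SSCTEST_ADMIN_PASSWORD is a name I made up for this example), refuses to start in production without it, and falls back to a random one-time password in development:

```groovy
package ssctest1
import grails.util.Environment
import groovy.util.logging.Slf4j
import no.prpr.security.Role
import no.prpr.security.User
import no.prpr.security.UserRole
import java.security.SecureRandom

@Slf4j
class BootStrap {
    // Hypothetical variable name chosen for this example.
    static final String ADMIN_PASSWORD_ENV = 'SSCTEST_ADMIN_PASSWORD'
    def init = { servletContext ->
        Role adminRole = Role.findByAuthority('ROLE_ADMIN')
        if (!adminRole) {
            Role.withNewTransaction {
                adminRole = new Role(authority: 'ROLE_ADMIN').save(failOnError: true)
            }
        }
        User adminUser = User.findByUsername('admin')
        if (!adminUser) {
            String password = initialAdminPassword()
            User.withNewTransaction {
                // The User class generated by s2-quickstart hashes the password in beforeInsert().
                adminUser = new User(username: 'admin', password: password).save(failOnError: true)
            }
        }
        if (!UserRole.get(adminUser.id, adminRole.id)) {
            UserRole.withNewTransaction {
                new UserRole(user: adminUser, role: adminRole).save(failOnError: true)
            }
        }
    }

    // Take the initial admin password from the environment instead of shipping a default.
    static String initialAdminPassword() {
        String fromEnv = System.getenv(ADMIN_PASSWORD_ENV)
        if (fromEnv) return fromEnv
        if (Environment.current == Environment.PRODUCTION) {
            throw new IllegalStateException("${ADMIN_PASSWORD_ENV} must be set in production")
        }
        // Development only: random one-time password, logged once so the developer can log in.
        byte[] buf = new byte[18]
        new SecureRandom().nextBytes(buf)
        String generated = buf.encodeBase64().toString()
        log.warn("${ADMIN_PASSWORD_ENV} not set; admin password for this run: ${generated}")
        return generated
    }
    def destroy = {}
}
```

Only the first start creates the user, so the value you set in the environment is the one that gets hashed and stored; rotating it later is done through the application, not by restarting.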
Next
In the next blog post I will add the code to make 2FA with Google Authenticator work.