AcegiSecurity Plugin - Customizing with SecurityConfig

Much of the Acegi configuration is user-configurable. The configuration has sensible default values, but each application has special needs. Default values are in the plugin's grails-app/conf/DefaultSecurityConfig.groovy file and application-specific values are in grails-app/conf/SecurityConfig.groovy.

Only one property must be specified in SecurityConfig.groovy - 'active' defaults to false, so you have to change it to true to enable the plugin.

Other properties that are most likely to be overridden are the User, Role, and Requestmap class and field names:

| Property | Default Value | Meaning |
|---|---|---|
| loginUserDomainClass | 'Person' | User class name |
| userName | 'username' | User class username field |
| password | 'passwd' | User class password field |
| enabled | 'enabled' | User class enabled field |
| relationalAuthorities | 'authorities' | User class role collection field |
| authorityDomainClass | 'Authority' | Role class name |
| authorityField | 'authority' | Role class role name field |
| requestMapClass | 'Requestmap' | request map class name |
| requestMapPathField | 'url' | request map class url pattern field |
| requestMapConfigAttributeField | 'configAttribute' | request map class role name list field (comma-delimited) |
| useRequestMapDomainClass | true | if true, searches the database, otherwise uses static configuration |

If you want to send emails to newly-registered users, configure these properties:

| Property | Default Value | Meaning |
|---|---|---|
| useMail | false | if true, enables user registration emails |
| mailHost | 'localhost' | mail server url |
| mailUsername | 'user@localhost' | mail server username (set to null if auth isn't required) |
| mailPassword | 'sungod' | mail server password (set to null if auth isn't required) |
| mailProtocol | 'smtp' | JavaMail protocol name |
| mailFrom | 'user@localhost' | email 'from' address |
| mailPort | 25 | mail server port |
| javaMailProperties | null | optional map of custom JavaMail properties |

Url attributes:

| Property | Default Value | Meaning |
|---|---|---|
| authenticationFailureUrl | '/login/authfail?login_error=1' | redirect url for failed logins |
| ajaxAuthenticationFailureUrl | '/login/authfail?ajax=true' | url for failed Ajax logins |
| defaultTargetUrl | '/' | |
| filterProcessesUrl | '/j_spring_security_check' | Login form post url, intercepted by Acegi filter |
| loginFormUrl | '/login/auth' | url of login page |
| ajaxLoginFormUrl | '/login/authAjax' | url of Ajax login page |
| forceHttps | 'false' | if true, Acegi will redirect login page requests to https |
| afterLogoutUrl | '/' | redirect url after logout |
| errorPage | '/login/denied' | location of the 403 error page |
| ajaxErrorPage | '/login/deniedAjax' | location of the 403 error page for Ajax requests |
| ajaxHeader | 'X-Requested-With' | header name sent by Ajax library, used to detect Ajax |

Attributes for rememberMeServices bean (cookie management):

| Property | Default Value | Meaning |
|---|---|---|
| cookieName | 'grails_remember_me' | remember-me cookie name |
| alwaysRemember | false | User class username field |
| tokenValiditySeconds | 1209600 (14 days) | max age of the cookie in seconds |
| parameter | '_spring_security_remember_me' | Login form remember-me checkbox name |
| rememberMeKey | 'grailsRocks' | |

To use LDAP, configure these properties:

| Property | Default Value | Meaning |
|---|---|---|
| useLdap | false | if true, enables LDAP authentication |
| ldapServer | 'ldap://localhost:389' | server url |
| ldapManagerDn | 'cn=admin,dc=example,dc=com' | manager DN |
| ldapManagerPassword | 'secret' | manager password |
| ldapSearchBase | 'dc=example,dc=com' | user search name base |
| ldapPasswordAttributeName | 'userPassword' | where to look for the user's password in the entry |
| ldapSearchFilter | '(uid={0})' | user search pattern |
| ldapSearchSubtree | true | |
| ldapGroupRoleAttribute | 'cn' | |
| ldapGroupSearchBase | 'ou=groups,dc=example,dc=com' | group search string |
| ldapGroupSearchFilter | 'uniquemember={0}' | search pattern to determine user groups (converted to Roles) |
| ldapRetrieveGroupRoles | true | whether or not to convert LDAP group membership to Roles |
| ldapRetrieveDatabaseRoles | false | whether or not to look for assigned roles in the database |

To use OpenID, configure these properties:

| Property | Default Value | Meaning |
|---|---|---|
| useOpenId | false | if true, enables OpenID authentication |
| openIdNonceMaxSeconds | 300 | max time between auth start and end in seconds |

Other miscellaneous attributes:

| Property | Default Value | Meaning |
|---|---|---|
| key | 'foo' | anonymousProcessingFilter key |
| userAttribute | 'anonymousUser,ROLE_ANONYMOUS' | anonymousProcessingFilter |
| algorithm | 'SHA' | passwordEncoder Message Digest algorithm |
| encodeHashAsBase64 | false | if true, Base64-encode the hashed password |
| useLogger | false | enables logging |
| basicProcessingFilter | false | if true, enable the Basic Auth processing filter |
| realmName | 'Grails Realm' | Basic Auth realm name |
| switchUserProcessingFilter | false | if true, enable the switchUserProcessingFilter bean |
| swswitchUserUrl | '/j_spring_security_switch_user' | switch user filter url |
| swexitUserUrl | '/j_spring_security_exit_user' | |
| swtargetUrl | '/' | |
| defaultRole | 'ROLE_USER' | default user's role for user registration |
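
A sample grails-app/conf/SecurityConfig.groovy that enables the plugin and replaces the shipped key and password defaults listed in the tables above, which are the same in every installation. It is an added example, not the plugin's own file; it assumes the security { } block layout of DefaultSecurityConfig.groovy, and the class names, host names and environment variable names are hypothetical.

```groovy
// grails-app/conf/SecurityConfig.groovy (added example, not shipped with the plugin)
// Assumption: settings live in a security { } block, as in DefaultSecurityConfig.groovy.
// All APP_* environment variable names are hypothetical.
security {
    active = true                        // defaults to false; nothing is enforced until set

    // Domain class overrides (example class names)
    loginUserDomainClass = 'User'        // default: 'Person'
    authorityDomainClass = 'Role'        // default: 'Authority'

    // Keys: the shipped values are public, so supply per-deployment ones
    rememberMeKey = System.getenv('APP_REMEMBER_ME_KEY')    // default: 'grailsRocks'
    key           = System.getenv('APP_ANONYMOUS_KEY')      // default: 'foo'
    tokenValiditySeconds = 86400         // 1 day instead of the 14-day default

    // Password hashing: any java.security.MessageDigest algorithm name.
    // Changing it invalidates hashes already stored with the old algorithm.
    algorithm = 'SHA-256'                // default: 'SHA'

    // Registration mail (only needed when useMail is true)
    useMail      = true
    mailHost     = 'smtp.example.com'
    mailUsername = System.getenv('APP_MAIL_USER')           // default: 'user@localhost'
    mailPassword = System.getenv('APP_MAIL_PASSWORD')       // default: 'sungod'

    // LDAP (only needed when useLdap is true)
    useLdap             = true
    ldapServer          = 'ldap://ldap.example.com:389'
    ldapManagerDn       = 'cn=app-bind,dc=example,dc=com'
    ldapManagerPassword = System.getenv('APP_LDAP_PASSWORD') // default: 'secret'

    // Optional filters stay off unless the application needs them
    basicProcessingFilter      = false
    switchUserProcessingFilter = false
}
```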

And finally, if you want to store the url <-> role mapping data statically in the config file instead of in the database, set the 'requestMapString' attribute to a string of the form:

requestMapString = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT

/login/**=IS_AUTHENTICATED_ANONYMOUSLY
/admin/**=ROLE_USER
/book/test/**=IS_AUTHENTICATED_FULLY
/book/**=ROLE_SUPERVISOR
/**=IS_AUTHENTICATED_ANONYMOUSLY
"""
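
How the static map is evaluated: rules are tried top to bottom and the first matching pattern decides, so /book/test/** has to appear before /book/** and the /** catch-all has to come last. The Groovy script below is an added illustration, not the plugin's code; antToRegex is a simplified stand-in for the Ant path matcher, and parseRequestMap and attributesFor are hypothetical helper names.

```groovy
import java.util.regex.Pattern

// Simplified Ant-style pattern translation (assumption: only '**', '*' and '?' are handled).
String antToRegex(String ant) {
    def sb = new StringBuilder()
    int i = 0
    while (i < ant.length()) {
        if (ant.startsWith('/**', i) && i + 3 == ant.length()) { sb << '(/.*)?'; i += 3 }
        else if (ant.startsWith('**', i)) { sb << '.*'; i += 2 }
        else if (ant[i] == '*') { sb << '[^/]*'; i++ }
        else if (ant[i] == '?') { sb << '[^/]'; i++ }
        else { sb << Pattern.quote(ant[i]); i++ }
    }
    sb.toString()
}

// Parse the requestMapString text into the lowercase flag and an ordered rule list.
Map parseRequestMap(String text) {
    boolean lower = false
    List rules = []
    text.eachLine { raw ->
        String line = raw.trim()
        if (!line || line == 'PATTERN_TYPE_APACHE_ANT') return
        if (line == 'CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON') { lower = true; return }
        def (pattern, attrs) = line.split('=', 2)
        rules << [pattern: pattern, attrs: attrs.split(',')*.trim()]
    }
    [lower: lower, rules: rules]
}

// The first rule whose pattern matches supplies the required attributes.
List attributesFor(Map map, String url) {
    String u = map.lower ? url.toLowerCase() : url
    def hit = map.rules.find { u ==~ antToRegex(it.pattern) }
    hit ? hit.attrs : []
}

// Three of the page's rules, in the page's order
def pageMap = parseRequestMap('''CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
/book/test/**=IS_AUTHENTICATED_FULLY
/book/**=ROLE_SUPERVISOR
/**=IS_AUTHENTICATED_ANONYMOUSLY''')
assert attributesFor(pageMap, '/book/test/1') == ['IS_AUTHENTICATED_FULLY']
assert attributesFor(pageMap, '/Book/list') == ['ROLE_SUPERVISOR']   // lowercased first

// Constructed counter-example: general rule first shadows the specific one
def swapped = parseRequestMap('/book/**=ROLE_SUPERVISOR\n/book/test/**=IS_AUTHENTICATED_FULLY')
assert attributesFor(swapped, '/book/test/1') == ['ROLE_SUPERVISOR']
```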