Ever wanted to have several Grails controllers automatically secured – just by name?

I had to make a subset of my Grails 1.2.2 application controllers available only to a certain group of people. A few controllers exposed actions on the application which only Administrators were allowed to perform.

Acegi what?

So, I think everybody recognizes the ever so popular Acegi way (using Spring Security) of securing things with a single com.app.controller.HelloController in SecurityConfig.groovy:

security {
	active = true

	useRequestMapDomainClass = false
	requestMapString = """
		CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
		PATTERN_TYPE_APACHE_ANT

		/hello/**=ROLE_USER
		/**=IS_AUTHENTICATED_ANONYMOUSLY
	"""
}

This way a login screen will appear when a user tries to open the HelloController on /hello, since ROLE_USER is required. Well, not really high-tech yet – a basic example you could find in the Acegi plugin’s documentation as well.
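To see what that request map actually grants, here is an added example (not code from the original post or from the Acegi plugin) that models how the rules are evaluated: top to bottom, first match wins, with the URL lowercased first when the directive is present. The Ant matcher is a simplified stand-in, and `/admin/delete` and the swapped map are constructed for illustration.

```groovy
import java.util.regex.Pattern

// One pattern segment against one path segment: '*' and '?' never cross a '/'.
boolean segMatches(String pat, String seg) {
    seg ==~ pat.toList().collect {
        it == '*' ? '[^/]*' : (it == '?' ? '[^/]' : Pattern.quote(it))
    }.join('')
}

// Ant-style match over segment lists: '**' spans zero or more segments.
boolean antMatches(List<String> pat, List<String> path) {
    if (!pat) return !path
    if (pat[0] == '**') {
        return (0..path.size()).any { antMatches(pat.tail(), path.drop(it)) }
    }
    path && segMatches(pat[0], path[0]) && antMatches(pat.tail(), path.tail())
}

// Rules are tried top to bottom and the first match decides the required roles.
List<String> requiredRoles(String requestMap, String url) {
    def lines = requestMap.readLines()*.trim().findAll { it }
    if (lines.contains('CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON')) {
        url = url.toLowerCase()
    }
    def rule = lines.findAll { it.contains('=') }.find {
        antMatches(it.split('=')[0].tokenize('/'), url.tokenize('/'))
    }
    rule ? rule.split('=')[1].split(',')*.trim() : []
}

// The request map from SecurityConfig.groovy above.
def requestMap = '''
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /hello/**=ROLE_USER
    /**=IS_AUTHENTICATED_ANONYMOUSLY
'''
assert requiredRoles(requestMap, '/hello/index') == ['ROLE_USER']
assert requiredRoles(requestMap, '/Hello/Index') == ['ROLE_USER']  // lowercased first
// Hypothetical controller with no rule of its own: only the catch-all applies.
assert requiredRoles(requestMap, '/admin/delete') == ['IS_AUTHENTICATED_ANONYMOUSLY']

// Constructed variant with the two rules swapped: the catch-all shadows /hello/**.
def swapped = '''
    PATTERN_TYPE_APACHE_ANT
    /**=IS_AUTHENTICATED_ANONYMOUSLY
    /hello/**=ROLE_USER
'''
assert requiredRoles(swapped, '/hello/index') == ['IS_AUTHENTICATED_ANONYMOUSLY']
```

Two things follow for the real configuration: every controller without its own line above `/**` is reachable anonymously, and because of the lowercase directive the patterns themselves must be written in lowercase.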

More…more controllers!

Let’s introduce several other controllers next to the com.app.controller.HelloController. Notice I myself made up the package name com.app.controller – just a habit to separate Domain classes, Controllers and Services into com.app.domain, com.app.controller and com.app.services.
