Grails: Is the Spring Security Plugin Too Powerful for Simple Security -


we have several grails applications use shared plugin among other things provides them basic security. we're going adding other types of authentication in future idea of using spring security plugin has come up. however, i'm wondering if it's powerful our basic needs.

currently use grails filters run before url accessed , perform security checks. initial authentication handled looking specific encrypted post variable or cookie (being send closed source application) , after decrypting it, verifying details in our database. if checks out consider user logged in (and have numeric user id encrypted data). of users have same access, except small handful have greater access. these defined in table contains numerical id.

however, we're hoping add ability log directly these grails applications using active directory credentials, credentials provided closed sourced system's ldap server, , in not distance future via cas server.

my initial approach libraries allow shared plugin interface these various systems , simple authentication against them. however, noticed spring security seems have plugins these various types of authentication, speed development. however, module seems complex , geared towards more advanced setups means might spend lot of time setting spring security in order save time ldap, cas, etc. plugins.

any thoughts/comments/etc. highly appreciated.

also, if use spring security plugin, please comment , let me know if following kind of setup possible ...

we'd avoid having create database tables various applications authentication purposes. tell spring security if user passed authentication, authenticated. there no roles, no groups, nothing fancy (except few applications have 1 role/group provides user permissions ... these applications database table needed).

we'd default requiring security , add code suppress allow non authenticated access. idea behind in case developer forgets add spring security markup code controller or action default needing authentication.

also we'd still need keep original methods of authentication via en encrypted post variable send application or encrypted cookies. possible build spring security?

and lastly can spring security plugin store numeric user id retrieved after authentication identify user instead storing actual username used during authentication?

well, have quite lot of questions there within post. best answer ones can recall.

firstly, spring security complex. that's because real security hard. however, spring security , extent grails plugin both configurable , customizable. work advantage, once through high learning curve.

you save lot of headaches , in end time , effort investing in spring security now, since requirements growing , becoming more complex.

i recommend reading spring security documentation, spring security grails documentation , many posts tagged spring-security can. wouldn't bad idea invest in few written books covering spring security.

those high level thoughts/comments.

as far possible spring security (your other questions).

  1. yes, can setup spring security not use type of database tables.
  2. you can write won security authentication filter custom authentication via params/etc.
  3. by default locked down in latest grails spring security plugin, , if use intercepturlmap need alter urls have no security or differing security default of is_authenticated_fully.
  4. using custom userdetailsservice , userdetails can use numeric id or other details want within principal.

to summarize, right effort , understanding of spring security can make address needs. however, it's not short , quick process , require lot of reading.


Comments

Post a Comment

Popular posts from this blog

javascript - RequestAnimationFrame not working when exiting fullscreen switching space on Safari -

request animation frame stops working when exiting fullscreen clicking on original space's safari window. fine if fullscreen mode canceled escape key or calling cancelfullscreen(). steps reproduce: open https://dl.dropboxusercontent.com/u/769042/prezi/safari-fullscreen.html click "draw raf", kittie appears click "fullscreen", go fullscreen click "draw raf", kittie appears go space original safari was, showing "click exit fullscreen mode", click anywhere, out fullscreen click "draw raf", nothing happens what handling click calling: window.requestanimationframe(draw); which draws on canvas context: function draw() { ctx.drawimage(img, math.random()*500|0, math.random()*400|0, 100, 100); } i checked .hidden , .visibilitystate, updated correctly. tested on osx 10.9.3, safari 7.0.4 (9537.76.4). has workaround/solution other switching old settimeout? this sounds webkit bug 88940 : using reque
Read more

Python ctypes access violation with const pointer arguments -

i have api i'm trying wrap in python (2.7.6 on win7) code using ctypes. here's api: client_dllfunc bool clientapi search_exporttoclipcopy(clienthsearch handle, int channel, lpctstr filename, const time_t& from, const time_t& to, const bool* cameras, int length, bool usepassword, lpctstr password, bool includetextin = false, bool excludeplayer = false); the issue i'm having cameras argument; , i've had issue other const pointer arguments well. here's how i'm wrapping api: def search_exporttoclipcopy(self, hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, password, includetextin=true, excludeplayer=false): exporttoclipcopy = self.sdkdll.search_exporttoclipcopy exporttoclipcopy.argtypes = [c_int, c_int, c_wchar_p, c_long, c_long, pointer(c_bool), c_int, c_bool, c_wchar_p, c_bool, c_bool] exporttoclipcopy.restype = c_bool exporttoclipcopy(hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, pass
Read more