ACEGI (Spring) Security, HTTPS, and Grails

{ Dan Stieglitz // Groovy/Grails // May 30, 2008 }

I had a requirement in a recent project to have all logins handled by HTTPS, and I wanted to implement this using Grails 1.0.2 with the acegi-plugin. There seemed to be a number of issues with the plugin, specifically with some package names and configuring the ACEGI channel selectors. Of note are that the package names have changed in the ACEGI-Spring migration, for example, packages org.acegisecurity.util... and org.acegisecurity.securechannel... have become org.springframework.security.util and org.springframework.security.securechannel, respectively. I didn't find this reflected in the online documentation for either Spring Security or Grails, at least not yet.

Steps to Configure HTTPS Channels

First, install the acegi plugin. Next, configure the channel filter in the web.xml file. This requires us to install the grails templates which will contain the web.xml template grails uses to produce the deployed web.xml.

grails install-templates

will do the trick. Navigate to the src/templates/war and add the filter to the web.xml template there:

    
  		Acegi Channel Processing Filter
  		org.springframework.security.util.FilterToBeanProxy
  		
    			targetClass
    			org.springframework.security.securechannel.ChannelProcessingFilter
  		
	
    
    
  		Acegi Channel Processing Filter
  		/*

Now, when we build our application, this filter will be configured in our deployed web.xml. The final step is to set up the spring beans, and this is done using the Grails DSL for configuring Spring beans (the SpringBuilder). A great reference on the SpringBuilder can be found on the Grails documentation online (http://grails.org/Spring+Bean+Builder). The code should be put into yout grails-app/conf/spring/resource.groovy file (the entire file is reproduced here):

import org.springframework.security.securechannel.ChannelProcessingFilter
import org.springframework.security.securechannel.ChannelDecisionManagerImpl
import org.springframework.security.securechannel.SecureChannelProcessor
import org.springframework.security.securechannel.InsecureChannelProcessor

beans = {
	secureChannelProcessor(SecureChannelProcessor)
	insecureChannelProcessor(InsecureChannelProcessor)

	channelDecisionManager(ChannelDecisionManagerImpl) {
		channelProcessors = [secureChannelProcessor, insecureChannelProcessor]
	}

	channelProcessingFilter(ChannelProcessingFilter) {
		channelDecisionManager=channelDecisionManager
		filterInvocationDefinitionSource='''
			  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
			  PATTERN_TYPE_APACHE_ANT
			  /login/**=REQUIRES_SECURE_CHANNEL
		      '''
	}
}

13 comments

Nice post - this helped me out loads with a http/https mixed app.

One question though - I can get this to work fine under Tomcat when I deploy my app by enabeling the https listner on port 443…

But how do you get jetty to listen on two ports (8080 and 8443 or 80 and 443) in dev mode?

It seems in can run http via run-app or https via run-app-https, but I want it to listen with both.

Martin

Posted by on 11/24 at 08:47 AM

Hey martin, have u found a way for jetty to listen to both 8080 and 8443 ports at the same time?

Posted by Lydon on 03/30 at 01:20 AM

Thanks for the mention, This shoes that you put a great deal of care to your work. Thanks for the links and all informative stuff you provided.

Posted by debt on 08/26 at 06:01 AM

hey its a well written post and being a professional i really like this actually i was searching this kind of 646-003 information and now found it here on this nice site you have done a nice work and i also checked the link its very useful.. these days i am busy in my professional 642-972 classes and will come after that for more discussion..

Posted by 642-181 on 09/12 at 02:11 AM

Thank you so much for your help and time.
Frank @ Secured Loans

Posted by Debt Advice on 10/13 at 07:42 AM

These are separate issues...1 yes you can configure pop3 in Yahoo! as long as you are paying for it and Hotmail will definitely let you. As to the port issue, use a configurable firewall like TinyFirewall and you’re off and running.

Posted by Twitter Backgrounds on 01/02 at 03:55 AM

It’s not so easy to bring a good enough written essays, especially if you are intent. I consult you to set http://www.qualityessay.com” ]buy an essay[/url] and to be spare from discredit that your work will be done by paper writing services

Posted by Ellazo26 on 01/25 at 04:41 PM

If decide to write the written essays, you should get know that that takes a long period of time! Some persons fail their written term paper, because they do not have writing skills! This is bitter, but the buy research paper service would help these people any time they need it.

Posted by ChloeYH32 on 02/12 at 03:49 PM

Thanks a lot for a kind of supreme knowledge connecting with this topic ! You should make your own buy dissertation service, I opine. Just because different thesis service do such things and you can accomplish good thesis abstract as well.

Posted by uo29CATHERIN on 02/12 at 03:49 PM

There are lots different path ways to get information close to this good topic . Thus, I advice to buy an essay and custom writing or written essays opting for the really good writing services.

Posted by Niciyu32 on 02/13 at 11:55 AM

That is workable to order pre written essays and buy custom essay papers at the essay writing service about this post.

Posted by eTLisa on 02/14 at 07:31 PM

To be successful means to get the A+ level and for that, people have to demonstrate the good quality custom written essay. But is that possible to write it not using an aid of the web writing service? Sure, that’s doable, but that will be easier to buy research paper about this good post online.

Posted by Alexa21Cc on 02/15 at 12:26 AM

You can configure pop3 in Yahoo! as long as you are paying for it and hotmail will definitely let you.

Posted by Facebook Layouts on 02/23 at 02:12 AM

Add your own comment below.