OpenSSO and the Quest for the Holy Grails
By warren on Jun 12, 2009
With apologies to Monty Python Fans....
The astute reader of this blog (that's you Mom!) will know that you can protect Spring applications with the OpenSSO Spring 2 Security provider.
As it turns out, Grails has a plugin that let's you use Spring Security for authentication and authorization. If we marry this plugin with the provider, we ought to be able to use OpenSSO with Grails. Don't ya love it when a plan comes together?
To get started, you will need to download the OpenSSO Grails plugin from here, and install it using the grails install-plugin command.
To give credit where credit is due, the OpenSSO plugin is largely based on the work of the Spring Security Grails plugin. The original authors are T.Yamamoto, Hatian Sun, and Burt Beckwith. My humble contribution is the OpenSSO glue code and the integration of the OpenSSO Spring Security extension. For reasons that I won't go into here, I elected to create a separate version of the plugin specifically for OpenSSO (ping me if you want the details).
I would also suggest downloading this sample Grails application that demonstrates how to use the plugin in a Grails Application.
Yes. But what does it do?
The OpenSSO plugin provides the following functionality to a Grails Application:
Single Sign On (SSO) with OpenSSO:
The plugin delegates logon to OpenSSO. If the user has previously authenticated to OpenSSO, the browser will present a cookie containing the SSO token. Providing the session is still valid, the user will be transparently signed on the Grails application. If the user does not have a token, the plugin redirects them to OpenSSO. After succesfull authentication, the user is then redirected back to the application.
This means that your application is not responsible for authentication. In fact, there are no logon or password screens to maintain as OpenSSO handles it for you. One of the nice benefits of this approach is that the authentication method and strength is factored out of the application. Want to use one time passwords? How about AD? No problem - just configure the authentication chain in OpenSSO. No changes to your application.
URL Policy Enforcement
The plugin provides for enforcement of URL policy using OpenSSO. This works quite nicely with Grails and it's "REST" like structure for controller URLs. So we can (for example), allow one group of users to /list controller items, and another group of users to /update or /create new items. Custom controller methods (beyond the standard CRUD methods) can use the same mechanism.
Note that this largely eliminates the need for the @Secured annotations in Grails code - since the same effect can be implemented using URL policy. This externalizes the authorization into OpenSSO - which is generally a good thing.
Controller Security Methods
The plugin injects several security methods into your controllers to provide access to the security context. Here is sampling of methods available to controllers:
isUserInRole("ROLE_MANAGER") - true if a user belongs to the specified Role isUserLogon() - true if the user is logged on (authenticated) getGrantedAuthorities() - returns an array of Strings representing the Granted Authorities (Spring terminology for role names) that this user posseses.
GSP TagsThe plugin provides access to GSP security tags. These tags can be used in your Grails view to drive the display based on the user's role or authentication status.
<g:ifNotGranted role="ROLE_MANAGERS">You are not a Manager!!! </g:ifNotGranted><g:ifAllGranted role="ROLE_MANAGERS">Congrats. You are a manager!</g:ifAllGranted>Time permitting, I may create a cookbook on how to get this all working with the sample application. Drop me a line if you are interested.
PS. Just what is the wing speed velocity of swallow?