Felipe Cypriano You are about to read it

19 Oct 09

Enable @Secured annotation with Grails Spring Security plugin

How could I protect each method of my classes? Using Spring Security it should be easy, right? After a quick search I realized that the best way is to use the @Secured annotation, good! Another issue fixed. But as life isn't fun without problems to solve, it didn't work as expected.

The problem started because the Grails Acegi plugin, in version 0.5.2, doesn't support this annotation. While discussing this on the Grails user mailing list, Benjamin Doerr gave me a nice idea: use Groovy's invokeMethod to add the support that I needed.

The idea is to use Groovy meta magic to add behavior to the classes that have at least one annotated method: we will override the metaClass.invokeMethod of each class for which we want to enable the annotation. To keep things organized I created a new bootstrap file, grails-app/conf/SecurityBootStrap.groovy, and all the related code is placed in this file.

First of all, let's create a closure that can be used to override invokeMethod of any class:
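An added sketch of the invokeMethod approach described above; it is not the author's SecurityBootStrap code. The `Secured` annotation, `CurrentUser`, `AccessDenied`, `AccountService` and `secure` are stand-ins constructed here so the script runs without the plugin, and it assumes that holding any one listed role grants access.

```groovy
import java.lang.annotation.*

// Stand-in for Spring Security's @Secured (assumption: any listed role grants access).
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface Secured { String[] value() }

class AccessDenied extends RuntimeException { AccessDenied(String msg) { super(msg) } }

// Hypothetical role holder; a real application would read the security context instead.
class CurrentUser { static Set<String> roles = [] as Set }

// Constructed sample class with one protected and one open method.
class AccountService {
    @Secured(['ROLE_ADMIN'])
    String deleteAccount(Long id) { "deleted $id" }
    String showAccount(Long id) { "account $id" }
}

// Override invokeMethod on `target` so every dynamic call is checked before it runs.
def secure(Class target) {
    target.metaClass.invokeMethod = { String name, args ->
        def metaMethod = target.metaClass.getMetaMethod(name, args)
        if (!metaMethod) throw new MissingMethodException(name, target, args)
        // Fail closed on overloads: enforce @Secured found on ANY method with this name.
        def rules = target.methods.findAll { it.name == name }.collect { it.getAnnotation(Secured) }
        rules.findAll { it != null }.each { rule ->
            if (!rule.value().any { it in CurrentUser.roles }) {
                throw new AccessDenied("${target.simpleName}.${name} requires one of ${rule.value().toList()}")
            }
        }
        metaMethod.invoke(delegate, args)   // authorised: run the real method
    }
}

secure(AccountService)              // install before instances are created
def svc = new AccountService()

CurrentUser.roles = ['ROLE_USER'] as Set
assert svc.showAccount(1L) == 'account 1'       // unannotated method stays open
try {
    svc.deleteAccount(1L)
    assert false : 'call should have been denied'
} catch (AccessDenied e) {
    println "denied: ${e.message}"
}

CurrentUser.roles = ['ROLE_ADMIN'] as Set
assert svc.deleteAccount(1L) == 'deleted 1'     // role present, call goes through
```

The check only sees calls dispatched through the Groovy metaclass; calls made from Java code or from statically compiled Groovy bypass invokeMethod and are not covered by it.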

14 Oct 09

Customizing SpringSecurity to protect each button of a page using Grails Acegi plugin

I'm very happy with the Grails Acegi plugin, aka Spring Security Plugin, but on my newest project I needed a finer-grained way to control access than simple URL filters and roles.

I wanted a way to control which button, link, or action of the current page the user can access. If the user has only read access to a page, then the page is shown but the edit action isn't. Because of this requirement, using only roles to grant access isn't enough and could easily become a mess if I create one role per action. Using URL filters won't work because most URLs are generated by the ZK framework and hence are unpredictable.

The solution is fully based on Spring Security capabilities and should work on every project that uses it, independent of the plugins or frameworks that I use. Since the Spring Security plugin does the hard work for us, we just need to create two more classes besides Acegi's default user and role, and implement the UserDetailsService interface. This is based on the zk_sample project and is a database implementation of this article by Oleg Zhurakousky.