I need some help with the layout/structure of my project. I am making a website, and so far I have a working login page that authenticates the user with Apache Shiro against an LDAP server and then redirects the user to a splash page. Depending on what permissions the user has, they should or should not be able to view things on the splash page.
What I want to do is create a new ShiroUser from the session information (i.e. the user who logged in) and assign them roles. For example,

    def shiroUser = new ShiroUser()
    shiroUser.username = session.username
    shiroUser.addToRoles(ShiroRole.findByName('ROLE_USER'))
    shiroUser.save()

and ROLE_USER is defined by

    def shiroRole = new ShiroRole()
    shiroRole.name = 'ROLE_USER'
    shiroRole.save()

Right now I'm interested in hard coding this, and later adapting it to a table and assigning roles based off of values in the table.
What I'm wondering is:
- Where do I put this stuff?
- Do I create a new controller for this?
- Where do I define the ShiroRoles?
- Is this smart to do? (creating a new ShiroUser every time someone logs in)
I've never built a website before, so I'm not sure how I should structure my code or where to put stuff. (I'm using GGTS, by the way.) Any direction/advice is appreciated! I'm using lots of books (Grails in Action, Making Java Groovy, and The Definitive Guide to Grails 2) for help, but many of the examples don't match what I'm doing. If there are tutorials out there that I haven't found, I'd be interested in seeing them. (I've looked through a lot, but they have snippets of code listed and don't specify where they go!)
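An added example (the editor's, not code from the question or from any linked project) of one conventional placement in Grails: roles are seeded once in grails-app/conf/BootStrap.groovy, and the per-login ShiroUser creation goes into a service that looks the user up before creating one, so running it on every login never produces duplicates. It assumes the ShiroUser and ShiroRole domain classes generated by the Grails Shiro plugin's quick-start (ShiroUser with `hasMany = [roles: ShiroRole]`, ShiroRole with a unique `name`), with the generated `passwordHash` field made nullable or removed because the LDAP server holds the credential. The service name ShiroUserService and the role names are the editor's choices.

```groovy
// grails-app/conf/BootStrap.groovy  (added example, not from the question)
// Assumes the plugin-generated ShiroRole domain class with a unique `name`.
class BootStrap {

    def init = { servletContext ->
        // Seed the role table exactly once. The lookup makes this safe to run
        // on every application start; without it the second start would fail
        // on the unique constraint on ShiroRole.name.
        ['ROLE_USER', 'ROLE_ADMIN'].each { String roleName ->
            if (!ShiroRole.findByName(roleName)) {
                new ShiroRole(name: roleName).save(failOnError: true)
            }
        }
    }

    def destroy = { }
}

// grails-app/services/ShiroUserService.groovy  (added example; hypothetical name)
// Assumes ShiroUser has `hasMany = [roles: ShiroRole]` and that `passwordHash`
// is nullable or removed, because authentication happens against LDAP.
class ShiroUserService {

    /**
     * Returns the local ShiroUser for an LDAP-authenticated username, creating
     * it on the first login only. Calling this on every login is fine: after
     * the first call it is a single lookup and no duplicate rows are created.
     */
    ShiroUser findOrCreateUser(String username) {
        ShiroUser user = ShiroUser.findByUsername(username)
        if (user) {
            return user
        }
        user = new ShiroUser(username: username)
        // Every LDAP-authenticated user gets the default role; additional
        // roles can later come from whatever table maps usernames to roles.
        user.addToRoles(ShiroRole.findByName('ROLE_USER'))
        user.save(failOnError: true)
        return user
    }
}

// In the login action (e.g. the plugin-generated AuthController.signIn), after
// SecurityUtils.subject.login(token) succeeds and before the redirect:
//
//     def shiroUserService        // injected by Grails by property name
//     ...
//     shiroUserService.findOrCreateUser(SecurityUtils.subject.principal as String)
//     redirect(uri: '/splash')    // splash URL is an assumption
```

Keeping the find-or-create logic in a service rather than a controller means the login action, a scheduled LDAP sync, or a test can all reuse it, and the service's default transaction wraps the lookup and the insert together.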
I did something similar:
https://github.com/vahidhedayati/kchat/blob/master/grails-app/domain/kchat/userdetails.groovy
but in my case I was creating the user in the app and storing various LDAP information that was later used by my own filtering checks in SecurityFilters, to ensure the LDAP group or userid matched an internal pass/fail rule that gave true/false access via SecurityFilters for a given action/controller call.
Also https://github.com/vahidhedayati/customshiro gives a better explanation of the above implementation.
These may come in handy for your design needs:
How to implement Shiro security in a Grails project
Secure some, but not all, pages in a Grails application with the Shiro plugin
http://coderberry.me/blog/2012/04/26/grails-authentication-with-shiro/
You should either use SecurityFilters (as seen in some of the above links), i.e.:
    browseStore(controller: "store", action: "(show|list)") {
        before = {
            // Ignore direct views (e.g. the default main index page).
            if (!controllerName) return true

            // Access control by convention.
            accessControl()
        }
    }

or, more tediously, in controllers match backend credentials:

    SecurityUtils.subject.isPermitted("somecontroller:someaction")

or

    if (SecurityUtils.subject.isPermitted("printer:query:lp7200")) {
        // return current jobs on printer lp7200
    }

For further frontend checks in GSP: How to detect whether a URI is allowed by Shiro, or extract the controller name from the URI

    <shiro:hasPermission permission="somecontroller:someaction">
        <g:link...>
    </shiro:hasPermission>
    <shiro:lacksPermission permission="somecontroller:someaction">
        no link
    </shiro:lacksPermission>

E2A: In my initial methods, the control of the user/user's department was given by the controller action call plus further checks internally on the app environment and appId (these internal values are passed around) dynamically; so although SecurityFilters was configured, the actual control was passed to a customised check that relies on DB entries to validate. Being in the DB means you can update or add permissions for a given user/department/user group without having to update the backend controller/SecurityFilters. I had to put it on a gist, otherwise it would be chapters' worth of an answer:
https://gist.github.com/vahidhedayati/71d92f8153ade5d732b3
Some other stuff that might be of help: take a look at the Arrested plugin. The demo site here has the compiled output of the plugin: github.com/vahidhedayati/testingarrested
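The SecurityFilters route the answer recommends, as an added example (the editor's, not the answerer's code and not the plugin's own): two filters that gate controllers on a role using the Grails Shiro plugin's `accessControl { role(...) }` closure form, and a splash controller action that hands the view a flag so the page can show or hide its admin-only parts in one place. The role names, the controller names `splash` and `admin`, and the model keys are assumptions; the ShiroUser/ShiroRole domain classes are the plugin's quick-start ones.

```groovy
// grails-app/conf/SecurityFilters.groovy  (added example, not from the answer)
// Filters run in declaration order. When a filter's accessControl check fails,
// the plugin redirects an anonymous user to the login page and a logged-in
// user who lacks the role to the unauthorized page.
class SecurityFilters {

    def filters = {

        // The splash page needs a logged-in user holding ROLE_USER, which is
        // the role assigned at first login (assumed role name).
        splash(controller: 'splash', action: '*') {
            before = {
                accessControl {
                    role('ROLE_USER')
                }
            }
        }

        // Administrative actions additionally need ROLE_ADMIN (assumed name).
        // Anything not matched by a filter here is not protected, so add a
        // filter for every controller that must be gated.
        admin(controller: 'admin', action: '*') {
            before = {
                accessControl {
                    role('ROLE_ADMIN')
                }
            }
        }
    }
}

// grails-app/controllers/SplashController.groovy  (added example; hypothetical)
import org.apache.shiro.SecurityUtils

class SplashController {

    def index() {
        // The filter above already guarantees a logged-in ROLE_USER. Here we
        // only decide *what* the splash page shows: the view receives a flag
        // instead of doing the role lookup itself, so the rule lives in one
        // place. In the GSP this pairs with <shiro:hasRole name="ROLE_ADMIN">
        // for the same decision at render time.
        boolean isAdmin = SecurityUtils.subject.hasRole('ROLE_ADMIN')
        [username: SecurityUtils.subject.principal as String,
         showAdminPanel: isAdmin]
    }
}
```

Because the role check happens in the filter, a user who types the admin URL directly is stopped before any controller code runs; the controller flag and the GSP tag only control what is rendered, they are not the security boundary.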