Grails Authentication (Login etc)

Hiya,

I put together a screencast that covers getting started with the Spring-Security-Core plugin (and resources plugin) with Grails 2.0 if you decide to go that path.

http://www.bobbywarner.com/2012/01/05/jump-into-grails-2-0/

There also is the Shiro plugin (http://grails.org/plugin/shiro) which is a good alternative if you decide you don't want to use Spring Security for some reason.


Hope that helps!
Bobby

I recently switched from shiro to spring-security. Shiro is great for simple use cases, but the simplicity breaks down when you start talking about ACLs, advanced administration of users, or integrating with other auth sources (in my experience). 

Dear Nathan,

I differ with your statement "Shiro is great for simple use cases, but the simplicity breaks down when you start talking about ACLs, advanced administration of users, or integrating with other auth sources (in my experience)". Please read below or check this disscusion http://grails.1312388.n4.nabble.com/Security-plugins-td4275329.html

Shiro is most definitely used in very large enterprise installations. In fact, Shiro is likely to be _better_ suited for many Enterprise environments for a few reasons:

- Shiro was built from the ground up to work in _any_ JVM environment - with or without Spring (although it excels in Spring apps because most of the Shiro devs use Spring and/or Grails). In real enterprise environments, the deployment technology changes enough - JEE, Spring, various MVC frameworks, ESBs, maybe some newer stuff like Groovy or Scala with Akka. Shiro was built to work in _any_ of these environments, even if Spring wasn't being used. Because of this heterogeneous nature, Shiro can be used anywhere in the enterprise where the JVM is used - not just where Spring might exist. This has lasting/eduring appeal for enterprises.

- Because of Shiro's native enterprise session support, which can enable large scale session clustering independent of any servlet container, larger enterprise apps that need native/distributed session clustering get this in a very easy manner. (Deploy to Jetting in testing, Tomcat or JBoss in production - all without having to change your session clustering setup). Spring does not address this feature at all IIUC.

- Shiro claims a wider breadth of features in that it does not stop at authentication and authorization - it also simplifies cryptography/data protection in addition to enterprise session management. Spring Security does not address this either that I'm aware of.

Because of its wider scope, Shiro is often a better choice for an enterprise because of the quantity of use cases it supports. Spring Security may reach deeper in some areas, but that gap is being eliminated quite quickly.

Finally, to lend credence to its 'enterpriseyness', Shiro is used in quite a few U.S. government and military projects, Wall Street investment banks, major U.S. airlines, ecommerce sites, travel booking sites, and at least one of the major social networks and many many more small to mid-size projects. To be sure, all of these need very high levels of security, and a solution that scales extremely well, and Shiro fits the bill wonderfully.

At the end of the day, both frameworks are suitable and you'll find great support in either community with commercial support options for both should you need it. So I'd say choose based on your mental model: which of the two APIs makes more sense to you? Which of the two addresses your specific needs best?

Cheers,

--
Les Hazlewood
Apache Shiro PMC Chair
CTO, Katasoft | http://www.katasoft.com

On 18 Apr 2012, at 01:03, Joel Gerard wrote:

> Hiya,
>
> I've been looking for a Grails lib that will provide login functionality for a website. Seems to be a few tuts out there that are building things from scratch, which doesn't appeal. These two libs seem promising:
> • http://grails.org/plugin/spring-security-core
> • http://grails.org/plugin/authentication
> I'm inclined towards using the spring libs, but figure there must be a reason Marc Palmer wrote the second. Any thoughts on the above?

Hi Joel,

I wrote Authentication because I wanted something much simpler than Spring and dependency-free.

If that is what you need, it may work for you. It is pretty old now but it should still work fine. We have it in use still at noticelocal.com

There's also Shiro.

The decision has to be made on what kind of authentication and authorisation you need. If you will need more complex stuff like multiple auth providers, OAuth etc then you will need to look at a heavyweight option.

Marc
~ ~ ~
Marc Palmer
Freelancer (Grails/Groovy/Java/UX)

I offer commercial support for Grails plugins from as low as $50/mo.
For details see: http://grailsrocks.com

Blog: http://www.anyware.co.uk | Resumé: http://www.anyware.co.uk/marc
Contributor @ http://grails.org |  Founder @ http://noticelocal.com
Developer @ http://weceem.org | Member @ http://spottymushroom.com
Twitter: http://twitter.com/wangjammer5 


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

That's great feedback. Thanks everybody.

To have a feel of using shiro please check http://coderberry.me/blog/2012/04/26/grails-authentication-with-shiro/