17.4 Authentication

Grails has no default mechanism for authentication as it is possible to implement authentication in many different ways. It is however, easy to implement a simple authentication mechanism using interceptors. This is sufficient for simple use cases but it’s highly preferable to use an established security framework, for example by using the Spring Security or the Shiro plugin.

Interceptors let you apply authentication across all controllers or across a URI space. For example you can create a new set of filters in a class called grails-app/controllers/SecurityInterceptor.groovy by running:

  1. grails create-interceptor security

and implement your interception logic there:

  1. class SecurityInterceptor {
  3.     SecurityInterceptor() {
  4.         matchAll()
  5.         .except(controller:'user', action:'login')
  6.     }
  8.     boolean before() {
  9.         if (!session.user && actionName != "login") {
  10.             redirect(controller: "user", action: "login")
  11.             return false
  12.         }
  13.         return true
  14.     }
  16. }

Here the interceptor intercepts execution before all actions except login are executed, and if there is no user in the session then redirect to the login action.

The login action itself is simple too:

  1. def login() {
  2.     if (request.get) {
  3.         return // render the login view
  4.     }
  6.     def u = User.findByLogin(params.login)
  7.     if (u) {
  8.         if (u.password == params.password) {
  9.             session.user = u
  10.             redirect(action: "home")
  11.         }
  12.         else {
  13.             render(view: "login", model: [message: "Password incorrect"])
  14.         }
  15.     }
  16.     else {
  17.         render(view: "login", model: [message: "User not found"])
  18.     }
  19. }