I'm using Grails to build an application that functions primarily as a service framework. My question is: Can services be secured in the same fashion as controllers?

uri-based example:

class SecurityFilters {
  def filters = {
    all(uri: "/**") {
      before = {
        // Ignore direct views (e.g. the default main index page).
        if (!controllerName) return true
        // Access control by convention. 
        accessControl()
      }
    } 
  } 
}
+2  A: 

I've no idea if the Shiro plugin supports this, but the Acegi plugin does, albeit in an "experimental" fashion (whatever that means).

Update

Having read the question properly, it seems you're asking whether you can use filters to secure services. If this is the case, then Shiro is somewhat irrelevant, because it's the filters that are performing authorisation, not Shiro.

So to answer your question about whether you can use filters to secure services, the answer is no, because you only have access to the controller from within a filter. However, you could use Groovy metaprogramming to do AOP-style method interception on services.

The basic approach is:

  • For each service, add an invokeMethod property to the MetaClass
  • The value of this property should be a Closure. This closure will intercept (i.e. be called instead of) each method called on the service.
  • This closure should
    • Perform the security checks
    • Invoke the original method if authorization is successful and throw an exception (or show an error) if authorization fails

Aside

If at all possible, I would strongly recommend using a proven security plugin (e.g. Shiro, Acegi) to perform the authorization checks rather than rolling your own in the manner described above.

Don
Thanks. I'm using Shiro, not Acegi. I would like to take advantage of filtering to secure the services. Sorry if that wasn't clear.
Brandon
Thank you for the fantastic advice.
Brandon
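
The invokeMethod interception outlined in the answer above, as an added example that is not part of the original post or of any plugin's code. It is plain Groovy runnable as a script; ReportService, Policy, AccessDeniedException and the policy map are hypothetical names and constructed data.

```groovy
class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg) }
}

// Hypothetical service standing in for a Grails service class.
class ReportService {
    String summary()   { 'summary' }
    String deleteAll() { 'deleted' }
    String unlisted()  { 'unlisted' }
}

class Policy {
    // Constructed policy: "<Service>.<method>" -> role required to call it.
    static final Map<String, String> REQUIRED_ROLE = [
        'ReportService.summary'  : 'user',
        'ReportService.deleteAll': 'admin',
    ]
    // Stand-in for the authenticated subject's roles. Assumption: with Shiro the
    // role test below would become SecurityUtils.subject.checkRole(role).
    static Set<String> currentRoles = [] as Set

    static void secure(Class serviceClass) {
        serviceClass.metaClass.invokeMethod = { String name, Object args ->
            String key = "${serviceClass.simpleName}.${name}"
            String role = Policy.REQUIRED_ROLE[key]
            // Fail closed: no rule, or role not held, means no call.
            if (role == null || !(role in Policy.currentRoles)) {
                throw new AccessDeniedException("denied: ${key}")
            }
            def method = serviceClass.metaClass.getMetaMethod(name, args)
            if (method == null) {
                throw new MissingMethodException(name, serviceClass, args as Object[])
            }
            method.invoke(delegate, args)
        }
    }
}

Policy.secure(ReportService)   // in Grails: once per service class at startup
def svc = new ReportService()
Policy.currentRoles = ['user'] as Set

def denied = { Closure call ->
    try { call(); false } catch (AccessDeniedException e) { true }
}
assert svc.summary() == 'summary'   // rule exists and role is held
assert denied { svc.deleteAll() }   // rule exists, 'admin' not held
assert denied { svc.unlisted() }    // no rule at all
```

Interception applies only to calls dispatched through Groovy's meta-object protocol; callers written in Java or compiled with @CompileStatic bypass the metaclass, so sensitive operations need an enforcement point that does not depend on it.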