In order to tighten up security in our new Grails app I went about implementing the Spring Security Plugin. Getting it up and running with a standard username/password scenario was simple, as that is all wired up automagically by the plugin. That solved half of my problem, but we also need to support authentication with SAML, and there were no clear examples of how to do that. I’d like to share what I built in case anyone has a similar requirement. I won’t focus on the SAML specifics, but rather on how to build any custom authentication provider in Grails.

You can map a URL to a filter by extending AbstractAuthenticationProcessingFilter and registering it with Spring. Then you can provide that URL for custom authentication. In my case it looked something like this:

Code

The filter is then set up as a Spring bean, along with an authentication provider which I’ll discuss shortly:

Code

And the bean is then registered as a filter in BootStrap:

Code

We also need to create the Token class that is used by the Filter and the Authentication Provider:

Code

And finally the AuthenticationProvider itself:

Code

The last piece of the puzzle is to tell Spring to try using this authentication provider before the other standard three in Config.groovy:

Code

In this case it’s important that the custom provider goes first, as its token is a subclass of UsernamePasswordAuthenticationToken. If the DAO provider was first it would try to authenticate the custom token before our provider gets a chance.
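The pieces described above, as one added example that is my own code and not the original post's: a token subclass, a processing filter, an authentication provider, the bean definitions, the BootStrap registration and the providerNames ordering. The package name, the `/saml/acs` URL and the `SamlAssertionValidator` interface are assumptions (the validator stands in for whatever SAML library does the real signature, issuer, audience and validity-window checks); the `userDetailsService`, `authenticationManager`, `authenticationSuccessHandler` and `authenticationFailureHandler` beans and `SpringSecurityUtils.clientRegisterFilter` are provided by the plugin. Each "--- file ---" section is a separate file in a Grails 2.x app; the package line and imports are shown once.

```groovy
// Added example, not the original post's code. Package name is assumed.
package com.example.security

import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.authentication.AuthenticationProvider
import org.springframework.security.authentication.BadCredentialsException
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.core.userdetails.UsernameNotFoundException
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

// --- src/groovy/com/example/security/SamlAuthenticationToken.groovy ---
// Subclass of UsernamePasswordAuthenticationToken so the plugin's handlers keep working.
class SamlAuthenticationToken extends UsernamePasswordAuthenticationToken {
    // Unauthenticated form: built by the filter straight from the request.
    SamlAuthenticationToken(String samlResponse) { super(null, samlResponse) }
    // Authenticated form: the 3-arg super constructor marks the token authenticated,
    // so only the provider builds it, and only after the assertion was validated.
    SamlAuthenticationToken(UserDetails user, Collection<? extends GrantedAuthority> auths) {
        super(user, null, auths)
    }
}

// --- src/groovy/com/example/security/SamlAssertionValidator.groovy ---
// Hypothetical collaborator: checks signature, issuer, audience and validity window
// of the SAML response and returns the subject NameID, or null if it is rejected.
interface SamlAssertionValidator {
    String validateAndExtractSubject(String samlResponse)
}

// --- src/groovy/com/example/security/SamlAuthenticationFilter.groovy ---
class SamlAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    // Only requests to this (assumed) assertion-consumer URL are intercepted.
    SamlAuthenticationFilter() { super('/saml/acs') }

    @Override
    Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String samlResponse = request.getParameter('SAMLResponse')
        if (!'POST'.equalsIgnoreCase(request.method) || !samlResponse) {
            throw new BadCredentialsException('Expected a POSTed SAMLResponse parameter')
        }
        // Nothing is trusted yet: the AuthenticationManager tries the providers in
        // providerNames order; the base class then runs the success/failure handler.
        return getAuthenticationManager().authenticate(new SamlAuthenticationToken(samlResponse))
    }
}

// --- src/groovy/com/example/security/SamlAuthenticationProvider.groovy ---
class SamlAuthenticationProvider implements AuthenticationProvider {
    UserDetailsService userDetailsService          // the plugin's userDetailsService bean
    SamlAssertionValidator samlAssertionValidator  // hypothetical bean, see interface above

    Authentication authenticate(Authentication authentication) {
        String nameId = samlAssertionValidator.validateAndExtractSubject(authentication.credentials as String)
        if (!nameId) throw new BadCredentialsException('SAML response rejected')
        UserDetails user
        try {
            user = userDetailsService.loadUserByUsername(nameId)
        } catch (UsernameNotFoundException ignored) {
            throw new BadCredentialsException('No local account for SAML subject')
        }
        // Authorities come from the local account, never from the assertion itself.
        return new SamlAuthenticationToken(user, user.authorities)
    }

    boolean supports(Class<?> authentication) {
        // Match only the SAML token so ordinary form logins never reach this provider.
        return SamlAuthenticationToken.isAssignableFrom(authentication)
    }
}

// --- grails-app/conf/spring/resources.groovy ---
beans = {
    samlAssertionValidator(YourSamlValidatorImpl)   // hypothetical class implementing the interface
    samlAuthenticationProvider(SamlAuthenticationProvider) {
        userDetailsService = ref('userDetailsService')
        samlAssertionValidator = ref('samlAssertionValidator')
    }
    samlAuthenticationFilter(SamlAuthenticationFilter) {
        authenticationManager = ref('authenticationManager')
        authenticationSuccessHandler = ref('authenticationSuccessHandler')
        authenticationFailureHandler = ref('authenticationFailureHandler')
    }
}

// --- grails-app/conf/BootStrap.groovy ---
// SpringSecurityUtils and SecurityFilterPosition live in grails.plugins.springsecurity
// (plugin 1.x) or grails.plugin.springsecurity (plugin 2.x).
def init = { servletContext ->
    SpringSecurityUtils.clientRegisterFilter('samlAuthenticationFilter',
            SecurityFilterPosition.FORM_LOGIN_FILTER.order - 10)  // just before form login
}

// --- grails-app/conf/Config.groovy (key is grails.plugins.springsecurity in plugin 1.x) ---
grails.plugin.springsecurity.providerNames = ['samlAuthenticationProvider',  // must come first
        'daoAuthenticationProvider', 'anonymousAuthenticationProvider', 'rememberMeAuthenticationProvider']
```

Two design choices are worth calling out. First, `DaoAuthenticationProvider.supports()` accepts any `UsernamePasswordAuthenticationToken` subclass, which is exactly why the custom provider has to be listed first; the custom `supports()` is deliberately narrower so that a plain form login never reaches it. Second, the filter never decides anything: it only packages the raw `SAMLResponse` into an unauthenticated token, and the authenticated token (with `authenticated=true`) is constructed in one place, after the validator has accepted the assertion and the subject has been mapped to a local account whose authorities are used.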

That’s it! Hopefully this proves useful to someone. It’s also just a first draft, and perhaps once the security requirements evolve I can refine the implementation and share what I’ve learned.