5 Leveraging Nimble in your application - Reference Documentation

Authors: Sudhir Nimavat

Version: 0.5.2

5 Leveraging Nimble in your application

Nimble provides a range of functionality that host applications can leverage, including access control, dynamic methods and GSP tags.

5.1 Access control

One of the core features that Nimble brings to a host application is authorization. Nimble uses Apache Shiro for access control, so roles and permissions follow Shiro's semantics (including Shiro's wildcard permission strings such as book:delete).

Access control in a host application is enforced in one of two ways:

  1. By the host application calling subject.isPermitted(), subject.hasAllRoles() or subject.hasRole() directly in code.
  2. By a Grails filter invoking Nimble's accessControl closure.

5.1.1 Enforcing access control using filters

One of the easiest ways to add security to a host application is to configure Grails filters that control access to controllers and actions. From within a filter the host application calls the accessControl closure; the closure's body evaluates to a boolean, and the request is only allowed to proceed when it is true. Because filters match on controller and action names, remember that a new action added to a secured controller is only covered if the filter's pattern matches it.

The following examples show the accessControl closure used in filters. Both snippets belong inside the filters closure of a Filters class under grails-app/conf.

Securing controller actions that require an authenticated user (the closure simply returns true, so only authentication is required):

// inside: class SecurityFilters { def filters = { ... } }
secure(controller: "product", action: "edit") {
    before = {
        accessControl {
            true
        }
    }
}

Securing controllers/actions that require a specific role or permission

// inside: class SecurityFilters { def filters = { ... } }
secure(controller: "product", action: "delete") {
    before = {
        accessControl {
            role("product-admin") || permission("book:delete")
        }
    }
}
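The two fragments above can be combined into one complete Filters class. The following is an added example and not Nimble's own code: the file name SecurityFilters.groovy, the product and admin controllers, and the role and permission names are assumptions for illustration. It shows a layered setup in which every action of a controller requires authentication, destructive actions additionally require a role or permission, and a whole URI subtree is secured by path so that controllers added later are covered without editing the filter.

```groovy
// grails-app/conf/SecurityFilters.groovy (added example; names are assumptions)
class SecurityFilters {

    def filters = {

        // Every action of the product controller requires an authenticated user.
        // accessControl { true } demands nothing beyond authentication.
        productAuthenticated(controller: "product", action: "*") {
            before = {
                accessControl {
                    true
                }
            }
        }

        // Destructive actions additionally require a role or a permission.
        // Filters in one class run in declaration order, so for a delete request
        // this check is evaluated after the authentication check above.
        productDelete(controller: "product", action: "delete") {
            before = {
                accessControl {
                    role("product-admin") || permission("product:delete")
                }
            }
        }

        // Everything under /admin requires the administrator role. Matching on the
        // URI rather than a controller name means a new controller mapped under
        // /admin is secured automatically instead of being open by default.
        adminArea(uri: "/admin/**") {
            before = {
                accessControl {
                    role("administrator")
                }
            }
        }
    }
}
```

Prefer the URI-based form, or a controller pattern with action: "*", for anything sensitive: a filter that names individual actions fails open for any action it does not list.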

5.1.2 Enforcing access control directly in code

Checking permissions or roles directly in code works exactly as it does in Shiro: obtain the current Subject from SecurityUtils and query it. The imports below are org.apache.shiro.SecurityUtils and org.apache.shiro.subject.Subject.

hasRole(String roleIdentifier) - Check whether the Subject has the given role.

import org.apache.shiro.SecurityUtils
import org.apache.shiro.subject.Subject

Subject currentUser = SecurityUtils.subject
if (currentUser.hasRole("administrator")) {
    // administrator-only work goes here
}

hasAllRoles(Collection<String> roleIdentifiers) - Check whether the Subject has all of the specified roles.

import org.apache.shiro.SecurityUtils
import org.apache.shiro.subject.Subject

Subject currentUser = SecurityUtils.subject
if (currentUser.hasAllRoles(["manager", "supervisor"])) {
    // requires both roles; a user holding only one of them is rejected
}

isPermitted(String permission) - Check whether the Subject has the specified permission.

import org.apache.shiro.SecurityUtils
import org.apache.shiro.subject.Subject

Subject currentUser = SecurityUtils.subject
if (currentUser.isPermitted("book:delete")) {
    // permitted: the user holds "book:delete" or a wildcard that implies it, such as "book:*"
}
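Filter-based checks guard URLs; they do not guard a service method that is reached some other way, such as from a second controller or a job. The following added example (not Nimble's or Shiro's own code) puts the check in a Grails service and uses Shiro's instance-level wildcard permissions so that authorization is decided per record, not just per action. BookService and the Book domain class are hypothetical; the permission string format book:delete:<id> is standard Shiro WildcardPermission syntax.

```groovy
import org.apache.shiro.SecurityUtils
import org.apache.shiro.authz.UnauthorizedException
import org.apache.shiro.subject.Subject

// Added example. Book is a hypothetical domain class of the host application.
class BookService {

    // Ask about the specific instance, not only the action. With Shiro's
    // WildcardPermission semantics, "book:delete:42" is implied by any of
    // "book:delete:42", "book:delete", "book:*" or "*", but not by "book:view"
    // or by "book:delete:43".
    boolean canDelete(Long bookId) {
        Subject subject = SecurityUtils.subject
        subject.isPermitted("book:delete:${bookId}".toString())
    }

    void deleteBook(Long bookId) {
        if (!canDelete(bookId)) {
            // Fail closed: the caller gets an exception, never a silent no-op.
            throw new UnauthorizedException("subject is not permitted book:delete:${bookId}")
        }
        Book.get(bookId)?.delete()
    }

    // Same check using Shiro's throwing variant: checkPermission raises an
    // org.apache.shiro.authz.AuthorizationException itself when the subject
    // lacks the permission, which keeps the happy path free of if/else.
    void deleteBookChecked(Long bookId) {
        SecurityUtils.subject.checkPermission("book:delete:${bookId}".toString())
        Book.get(bookId)?.delete()
    }
}
```

Granting a user "book:delete" still satisfies the instance-level check for every book, so instance-level strings only restrict users whose grants are themselves instance-scoped; design the grant side with that in mind.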

5.2 Dynamic methods provided by Nimble

Nimble adds two dynamic methods, getAuthenticatedUser and getAuthenticatedSubject, to all Filter, Controller and Service artefacts. In Groovy they are used as the properties authenticatedUser and authenticatedSubject.

getAuthenticatedUser returns the currently logged-in user, or null if no user is logged in.

def sampleAction() {
	log.debug("current user : $authenticatedUser")
}

getAuthenticatedSubject returns the current Shiro Subject, or null if no user is logged in. It corresponds to calling SecurityUtils.getSubject(), with one difference worth noting: SecurityUtils.getSubject() never returns null (Shiro hands back an anonymous Subject for an unauthenticated request), whereas this method returns null in that case, so callers must handle the null.
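Both dynamic methods return null for an anonymous request, and authentication alone says nothing about which records a user may touch. The following added controller example (not Nimble's own code; NoteController, the Note domain class and its ownerId property are assumptions) shows the null handling and an object-level ownership check built on authenticatedUser and authenticatedSubject.

```groovy
// Added example. Note is a hypothetical domain class whose ownerId property
// holds the id of the owning Nimble user.
class NoteController {

    def show() {
        // authenticatedUser is null when nobody is logged in: check it explicitly
        // rather than dereferencing it.
        def user = authenticatedUser
        if (!user) {
            response.sendError(401)
            return
        }

        def note = Note.get(params.long("id"))
        // Object-level check: being logged in does not entitle the user to every
        // note; the owner must match the current user. Answer 404 for both a
        // missing note and someone else's note so the response does not reveal
        // which ids exist.
        if (!note || note.ownerId != user.id) {
            response.sendError(404)
            return
        }
        [note: note]
    }

    def list() {
        // authenticatedSubject exposes the Shiro Subject for role and permission
        // checks; it is also null for an anonymous request.
        def subject = authenticatedSubject
        if (!subject) {
            response.sendError(401)
            return
        }
        // Administrators see everything; everyone else sees only their own notes.
        def notes = subject.hasRole("administrator")
                ? Note.list()
                : Note.findAllByOwnerId(authenticatedUser.id)
        [notes: notes]
    }
}
```

The ownership comparison is the part a filter cannot do for you: a filter can require that someone is logged in, but only code that sees both the record and the current user can decide whether that user may see that record.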

5.3 GSP tags provided by Nimble

@TODO

5.3.1 Authentication and authorization tags

@TODO

5.3.2 Utility and UI tags

@TODO