Last Updated: February 25, 2016
· gschueler

Authenticate a Grails app via Tomcat when using Spring-security

If you use Spring-security for authentication/authorization in your Grails application (via the spring-security plugin), you may run into a problem when deploying it to a web-app container where you need to use the container's native authentication and authorization features, for example when you run Tomcat and want to share the same Realm definition across multiple web-apps.

Spring-security provides some classes for doing this via the "pre-authenticated" authentication provider, but in our attempt it was not straightforward to set this up. Hopefully this document can help someone struggling with the same issue.

The mechanism consists of these steps:

  1. Define the appropriate Spring beans in your resources.groovy file.
  2. Set the Spring security 'providerNames' configuration in your Config.groovy file to use the newly defined "preAuthenticatedAuthenticationProvider".
  3. Register a processing Filter into the Spring filter chain from within the BootStrap.groovy init closure.
  4. Tell the container (e.g. Tomcat) that authentication is required by updating the web.xml file.
  5. Update the container configuration to define appropriate authentication and authorization details, e.g. set up the appropriate Realm definitions for Tomcat.
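
A sketch of steps 1 to 3, added here as an illustration; it is not the author's original code, and the container-side steps 4 and 5 are not shown. It assumes the spring-security-core plugin 2.x (package `grails.plugin.springsecurity`) on Spring Security 3.x; every bean name except `preAuthenticatedAuthenticationProvider`, and the role names, are hypothetical.

```groovy
// Added example: three file fragments. Assumes spring-security-core plugin 2.x and
// Spring Security 3.x; bean names other than the provider and the roles are constructed.

// ---- grails-app/conf/spring/resources.groovy (step 1) ----
import org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper
import org.springframework.security.core.authority.mapping.SimpleMappableAttributesRetriever
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService
import org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource
import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter

beans = {
    // Container roles the details source checks with request.isUserInRole()
    containerRoles(SimpleMappableAttributesRetriever) {
        mappableAttributes = ['admin', 'user'] as Set   // constructed role names
    }
    // Container role "admin" becomes the authority "ROLE_ADMIN"
    containerRoleMapper(SimpleAttributes2GrantedAuthoritiesMapper) {
        convertAttributeToUpperCase = true
    }
    j2eeDetailsSource(J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource) {
        mappableRolesRetriever = ref('containerRoles')
        userRoles2GrantedAuthoritiesMapper = ref('containerRoleMapper')
    }
    // The principal is taken from request.getUserPrincipal(), which the container sets
    j2eePreAuthFilter(J2eePreAuthenticatedProcessingFilter) {
        authenticationManager = ref('authenticationManager')
        authenticationDetailsSource = ref('j2eeDetailsSource')
    }
    preAuthUserDetailsService(PreAuthenticatedGrantedAuthoritiesUserDetailsService)
    preAuthenticatedAuthenticationProvider(PreAuthenticatedAuthenticationProvider) {
        preAuthenticatedUserDetailsService = ref('preAuthUserDetailsService')
    }
}

// ---- grails-app/conf/Config.groovy (step 2) ----
grails.plugin.springsecurity.providerNames = [
    'preAuthenticatedAuthenticationProvider', 'anonymousAuthenticationProvider']

// ---- grails-app/conf/BootStrap.groovy (step 3) ----
import grails.plugin.springsecurity.SecurityFilterPosition
import grails.plugin.springsecurity.SpringSecurityUtils

class BootStrap {
    def init = { servletContext ->
        SpringSecurityUtils.clientRegisterFilter(
            'j2eePreAuthFilter', SecurityFilterPosition.PRE_AUTH_FILTER)
    }
}
```

The filter only reads what the container has already established: if web.xml does not require authentication for a URL, `getUserPrincipal()` returns null and no pre-authenticated token is created for that request.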

(This technique is ripe for conversion to a Grails plugin, which I leave as an exercise for the reader.)