开发者

How does Grails handle security, and why should I use a plugin?

For 90% of every security-related Grails tutorial, they tell you to store your User objects in a session-scoped variable. That's all nice and easy, but I wonder if it's too good to be true, especially with plugins like Spring Security that offer many times more features.

For the simple, "I am a user and therefore I am entitled to view/edit my own domain objects" applications that I develop, I store my User objects in a session. However, this got me thinking how Grails supports J2EE security and sessions in its own implementation (it does use a temporary session ID in the cookie, right?). Furthermore how vulnerable is it to attacks like cookie injection and cross-site/stray JS?

I don't want to actually invest the time in learning, integrating, and maintaining a plugin for an app that might not need it, so my question is, is G开发者_如何学运维rails's session implementation secure enough for simple applications, and is there a very good reason I should use a security plugin even for these trivial tasks?

On a side-note, if anyone can point me to a good OpenID/Facebook login implementation, that would be terrific.


Regarding security concerns I would always suggest to prefer proven and widely adopted solutions over your own rolled security implementation. Spring Security was founded in 2003 under the name Acegi and brings you more than eight years of experience and development for your security concerns.

As you already pointed to the Grails Spring Security plugin you should have a look at the OpenID plugin Spring Security OpenID which extends the Spring Security Core and brings you the OpenID support.


reason I should use a security plugin even for these trivial tasks?

... on a basic level it's also trivial to use the plugin so what's there to lose? Screencast to get you started

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜