blob: 3a9acf381812c1717d7b9de204d8a52720fae3bb [file]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<!-- Matomo -->
<script>
var _paq = window._paq = window._paq || [];
/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
_paq.push(["setDoNotTrack", true]);
_paq.push(["disableCookies"]);
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="https://analytics.apache.org/";
_paq.push(['setTrackerUrl', u+'matomo.php']);
_paq.push(['setSiteId', '79']);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
})();
</script>
<!-- End Matomo Code -->
<title>17 Security 3.3.7</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<link rel="stylesheet" href="../css/main.css" type="text/css" media="screen, print" title="Style" charset="utf-8"/>
<link rel="stylesheet" href="../css/pdf.css" type="text/css" media="print" title="PDF" charset="utf-8"/>
<script type="text/javascript">
function addJsClass() {
var classes = document.body.className.split(" ");
classes.push("js");
document.body.className = classes.join(" ");
}
</script>
</head>
<body class="body" onload="addJsClass();">
<div id="navigation">
<div class="navTitle">
The Grails Framework
</div>
<div class="navLinks">
<ul>
<li>
<div id="nav-summary" onmouseover="toggleNavSummary(false)" onmouseout="toggleNavSummary(true)">
<a href="../guide/index.html" class="button">Table of contents</a>
<div id="nav-summary-childs" style="display:none;">
<div class="toc-item" style="margin-left:0"><a href="../guide/introduction.html"><strong>1</strong><span>Introduction</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/gettingStarted.html"><strong>2</strong><span>Getting Started</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/upgrading.html"><strong>3</strong><span>Upgrading from Grails 3.2.x</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/conf.html"><strong>4</strong><span>Configuration</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/commandLine.html"><strong>5</strong><span>The Command Line</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/profiles.html"><strong>6</strong><span>Application Profiles</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/GORM.html"><strong>7</strong><span>Object Relational Mapping (GORM)</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/theWebLayer.html"><strong>8</strong><span>The Web Layer</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/traits.html"><strong>9</strong><span>Traits</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/REST.html"><strong>10</strong><span>REST</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/async.html"><strong>11</strong><span>Asynchronous Programming</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/validation.html"><strong>12</strong><span>Validation</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/services.html"><strong>13</strong><span>The Service Layer</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/staticTypeCheckingAndCompilation.html"><strong>14</strong><span>Static Type Checking And Compilation</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/testing.html"><strong>15</strong><span>Testing</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/i18n.html"><strong>16</strong><span>Internationalization</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/security.html"><strong>17</strong><span>Security</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/plugins.html"><strong>18</strong><span>Plugins</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/spring.html"><strong>19</strong><span>Grails and Spring</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/scaffolding.html"><strong>20</strong><span>Scaffolding</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/deployment.html"><strong>21</strong><span>Deployment</span></a>
</div>
<div class="toc-item" style="margin-left:0"><a href="../guide/contributing.html"><strong>22</strong><span>Contributing to Grails</span></a>
</div>
</div>
</div>
</li>
<li class="separator selected">
<a id="ref-button" onclick="localToggle(); return false;" href="#">Quick Reference</a>
</li>
</ul>
</div>
</div>
<table id="colset" border="0" cellpadding="0" cellspacing="0">
<tr>
<td id="col1">
<div id="main" class="corner-all">
<div class="toc-item prev-left"><a href="../guide/i18n.html">&lt;&lt; <strong>16</strong><span>Internationalization</span></a></div>
<span id='toggle-col1' class="toggle">(<a href="#" onclick="localToggle(); return false;">Quick Reference</a>)</span>
<div class="toc-item next-right"><a href="../guide/plugins.html"><strong>18</strong><span>Plugins</span> >></a></div>
<div class="project">
<h1>17 Security</h1>
<p><strong>Version:</strong> 3.3.7</p>
</div>
<div id="table-of-content">
<h2>Table of Contents</h2>
<div class="toc-item" style="margin-left:0px"><a href="#securingAgainstAttacks"><strong>17.1</strong><span>Securing Against Attacks</span></a>
</div>
<div class="toc-item" style="margin-left:0px"><a href="#xssPrevention"><strong>17.2</strong><span>Cross Site Scripting (XSS) Prevention</span></a>
</div>
<div class="toc-item" style="margin-left:0px"><a href="#codecs"><strong>17.3</strong><span>Encoding and Decoding Objects</span></a>
</div>
<div class="toc-item" style="margin-left:0px"><a href="#authentication"><strong>17.4</strong><span>Authentication</span></a>
</div>
<div class="toc-item" style="margin-left:0px"><a href="#securityPlugins"><strong>17.5</strong><span>Security Plugins</span></a>
</div>
<div class="toc-item" style="margin-left:10px"><a href="#springSecurity"><strong>17.5.1</strong><span>Spring Security</span></a>
</div>
</div>
<a name="14. Security"><!-- Legacy link --></a>
<h1 id="security">17 Security</h1>
<div class='contribute-btn'>
<button type='button' class='btn btn-default' onclick='window.location.href="https://github.com/grails/grails-doc/edit/3.3.x/src/en/guide/security.adoc"'>
<i class='fa fa-pencil-square-o'></i> Improve this doc
</button>
</div>
<div class="paragraph">
<p>Grails is no more or less secure than Java Servlets. However, Java servlets (and hence Grails) are extremely secure and largely immune to common buffer overrun and malformed URL exploits due to the nature of the Java Virtual Machine underpinning the code.</p>
</div>
<div class="paragraph">
<p>Web security problems typically occur due to developer naivety or mistakes, and there is a little Grails can do to avoid common mistakes and make writing secure applications easier to write.</p>
</div>
<div class="sect3">
<h4 id="_what_grails_automatically_does">What Grails Automatically Does</h4>
<div class="paragraph">
<p>Grails has a few built in safety mechanisms by default.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>All standard database access via <a href="GORM.html">GORM</a> domain objects is automatically SQL escaped to prevent SQL injection attacks</p>
</li>
<li>
<p>The default <a href="scaffolding.html">scaffolding</a> templates HTML escape all data fields when displayed</p>
</li>
<li>
<p>Grails link creating tags (<a href="http://gsp.grails.org/latest/ref/Tags/link.html">link</a>, <a href="http://gsp.grails.org/latest/ref/Tags/form.html">form</a>, <a href="http://gsp.grails.org/latest/ref/Tags/createLink.html">createLink</a>, <a href="http://gsp.grails.org/latest/ref/Tags/createLinkTo.html">createLinkTo</a> and others) all use appropriate escaping mechanisms to prevent code injection</p>
</li>
<li>
<p>Grails provides <a href="#codecs">codecs</a> to let you trivially escape data when rendered as HTML, JavaScript and URLs to prevent injection attacks here.</p>
</li>
</ul>
</div>
</div>
<a name="14.1 Securing Against Attacks"><!-- Legacy link --></a>
<h2 id="securingAgainstAttacks">17.1 Securing Against Attacks</h2>
<div class='contribute-btn'>
<button type='button' class='btn btn-default' onclick='window.location.href="https://github.com/grails/grails-doc/edit/3.3.x/src/en/guide/security/securingAgainstAttacks.adoc"'>
<i class='fa fa-pencil-square-o'></i> Improve this doc
</button>
</div>
<div class="sect3">
<h4 id="_sql_injection">SQL injection</h4>
<div class="paragraph">
<p>Hibernate, which is the technology underlying GORM domain classes, automatically escapes data when committing to database so this is not an issue. However it is still possible to write bad dynamic HQL code that uses unchecked request parameters. For example doing the following is vulnerable to HQL injection attacks:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="keyword">def</span> <span class="function">vulnerable</span>() {
<span class="keyword">def</span> books = <span class="predefined-type">Book</span>.find(<span class="string"><span class="delimiter">&quot;</span><span class="content">from Book as b where b.title ='</span><span class="delimiter">&quot;</span></span> + params.title + <span class="string"><span class="delimiter">&quot;</span><span class="content">'</span><span class="delimiter">&quot;</span></span>)
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>or the analogous call using a GString:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="keyword">def</span> <span class="function">vulnerable</span>() {
<span class="keyword">def</span> books = <span class="predefined-type">Book</span>.find(<span class="string"><span class="delimiter">&quot;</span><span class="content">from Book as b where b.title ='</span><span class="inline"><span class="inline-delimiter">${</span>params.title<span class="inline-delimiter">}</span></span><span class="content">'</span><span class="delimiter">&quot;</span></span>)
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Do <strong>not</strong> do this. Use named or positional parameters instead to pass in parameters:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="keyword">def</span> <span class="function">safe</span>() {
<span class="keyword">def</span> books = <span class="predefined-type">Book</span>.find(<span class="string"><span class="delimiter">&quot;</span><span class="content">from Book as b where b.title = ?</span><span class="delimiter">&quot;</span></span>,
[params.title])
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>or</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="keyword">def</span> <span class="function">safe</span>() {
<span class="keyword">def</span> books = <span class="predefined-type">Book</span>.find(<span class="string"><span class="delimiter">&quot;</span><span class="content">from Book as b where b.title = :title</span><span class="delimiter">&quot;</span></span>,
[<span class="key">title</span>: params.title])
}</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_phishing">Phishing</h4>
<div class="paragraph">
<p>This really a public relations issue in terms of avoiding hijacking of your branding and a declared communication policy with your customers. Customers need to know how to identify valid emails.</p>
</div>
</div>
<div class="sect3">
<h4 id="_xss_cross_site_scripting_injection">XSS - cross-site scripting injection</h4>
<div class="paragraph">
<p>It is important that your application verifies as much as possible that incoming requests were originated from your application and not from another site. It is also important to ensure that all data values rendered into views are escaped correctly. For example when rendering to HTML or XHTML you must ensure that people cannot maliciously inject JavaScript or other HTML into data or tags viewed by others.</p>
</div>
<div class="paragraph">
<p>Grails 2.3 and above include special support for automatically encoded data placed into GSP pages. See the documentation on <a href="#xssPrevention">Cross Site Scripting (XSS) prevention</a> for further information.</p>
</div>
<div class="paragraph">
<p>You must also avoid the use of request parameters or data fields for determining the next URL to redirect the user to. If you use a <code>successURL</code> parameter for example to determine where to redirect a user to after a successful login, attackers can imitate your login procedure using your own site, and then redirect the user back to their own site once logged in, potentially allowing JavaScript code to then exploit the logged-in account on the site.</p>
</div>
</div>
<div class="sect3">
<h4 id="_cross_site_request_forgery">Cross-site request forgery</h4>
<div class="paragraph">
<p>CSRF involves unauthorized commands being transmitted from a user that a website trusts. A typical example would be another website embedding a link to perform an action on your website if the user is still authenticated.</p>
</div>
<div class="paragraph">
<p>The best way to decrease risk against these types of attacks is to use the <code>useToken</code> attribute on your forms. See <a href="theWebLayer.html#formtokens">Handling Duplicate Form Submissions</a> for more information on how to use it. An additional measure would be to not use remember-me cookies.</p>
</div>
</div>
<div class="sect3">
<h4 id="_html_url_injection">HTML/URL injection</h4>
<div class="paragraph">
<p>This is where bad data is supplied such that when it is later used to create a link in a page, clicking it will not cause the expected behaviour, and may redirect to another site or alter request parameters.</p>
</div>
<div class="paragraph">
<p>HTML/URL injection is easily handled with the <a href="#codecs">codecs</a> supplied by Grails, and the tag libraries supplied by Grails all use <a href="#codecs">encodeAsURL</a> where appropriate. If you create your own tags that generate URLs you will need to be mindful of doing this too.</p>
</div>
</div>
<div class="sect3">
<h4 id="_denial_of_service">Denial of service</h4>
<div class="paragraph">
<p>Load balancers and other appliances are more likely to be useful here, but there are also issues relating to excessive queries for example where a link is created by an attacker to set the maximum value of a result set so that a query could exceed the memory limits of the server or slow the system down. The solution here is to always sanitize request parameters before passing them to dynamic finders or other GORM query methods:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="type">int</span> limit = <span class="integer">100</span>
<span class="keyword">def</span> safeMax = <span class="predefined-type">Math</span>.min(params.max?.toInteger() ?: limit, limit) <span class="comment">// limit to 100 results</span>
<span class="keyword">return</span> <span class="predefined-type">Book</span>.list(<span class="key">max</span>:safeMax)</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_guessable_ids">Guessable IDs</h4>
<div class="paragraph">
<p>Many applications use the last part of the URL as an "id" of some object to retrieve from GORM or elsewhere. Especially in the case of GORM these are easily guessable as they are typically sequential integers.</p>
</div>
<div class="paragraph">
<p>Therefore you must assert that the requesting user is allowed to view the object with the requested id before returning the response to the user.</p>
</div>
<div class="paragraph">
<p>Not doing this is "security through obscurity" which is inevitably breached, just like having a default password of "letmein" and so on.</p>
</div>
<div class="paragraph">
<p>You must assume that every unprotected URL is publicly accessible one way or another.</p>
</div>
</div>
<a name="13.2 Cross Site Scripting (XSS) Prevention"><!-- Legacy link --></a>
<h2 id="xssPrevention">17.2 Cross Site Scripting (XSS) Prevention</h2>
<div class='contribute-btn'>
<button type='button' class='btn btn-default' onclick='window.location.href="https://github.com/grails/grails-doc/edit/3.3.x/src/en/guide/security/xssPrevention.adoc"'>
<i class='fa fa-pencil-square-o'></i> Improve this doc
</button>
</div>
<div class="paragraph">
<p>Cross Site Scripting (XSS) attacks are a common attack vector for web applications. They typically involve submitting HTML or Javascript code in a form such that when that code is displayed, the browser does something nasty. It could be as simple as popping up an alert box, or it could be much worse like for example one could <a href="https://blog.codinghorror.com/protecting-your-cookies-httponly/">access other users session cookies.</a></p>
</div>
<div class="paragraph">
<p>The solution is to escape all untrusted user input when it is displayed in a page. For example,</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">&lt;script&gt;alert(<span class="string"><span class="delimiter">'</span><span class="content">Got ya!</span><span class="delimiter">'</span></span>);&lt;<span class="regexp"><span class="delimiter">/</span><span class="content">script&gt;</span></span></code></pre>
</div>
</div>
<div class="paragraph">
<p>will become</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">&amp;lt;script&amp;gt;alert(<span class="string"><span class="delimiter">'</span><span class="content">Got ya!</span><span class="delimiter">'</span></span>);&amp;lt;<span class="regexp"><span class="delimiter">/</span><span class="content">script&amp;gt;</span></span></code></pre>
</div>
</div>
<div class="paragraph">
<p>when rendered, nullifying the effects of the malicious input.</p>
</div>
<div class="paragraph">
<p>By default, Grails plays it safe and escapes all content in <code>${}</code> expressions in GSPs. All the standard GSP tags are also safe by default, escaping any relevant attribute values.</p>
</div>
<div class="paragraph">
<p>So what happens when you want to stop Grails from escaping some content? There are valid use cases for putting HTML into the database and rendering it as-is, as long as that content is <strong>trusted</strong>. In such cases, you can tell Grails that the content is safe as should be rendered raw, i.e. without any escaping:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">&lt;section&gt;<span class="error">$</span>{raw(page.content)}&lt;<span class="regexp"><span class="delimiter">/</span><span class="content">section&gt;</span></span></code></pre>
</div>
</div>
<div class="paragraph">
<p>The <code>raw()</code> method you see here is available from controllers, tag libraries and GSP pages.</p>
</div>
<div class="paragraph">
<p><strong>XSS prevention is hard and requires a lot of developer attention</strong></p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
Although Grails plays it safe by default, that is no guarantee that your application will be invulnerable to an XSS-style attack. Such an attack is less likely to succeed than would otherwise be the case, but developers should always be conscious of potential attack vectors and attempt to uncover vulnerabilities in the application during testing. It&#8217;s also easy to switch to an unsafe default, thereby increasing the risk of a vulnerability being introduced.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>There are more details about the XSS in <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules">OWASP - XSS prevention rules</a> and <a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">OWASP - Types of Cross-Site Scripting</a>. Types of XSS are: <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)#Stored_XSS_Attacks">Stored XSS</a>, <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)#Reflected_XSS_Attacks">Reflected XSS</a> and <a href="https://www.owasp.org/index.php/DOM_Based_XSS">DOM based XSS</a>. <a href="https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet">DOM based XSS prevention</a> is coming more important because of the popularity of Javascript client side templating and Single Page Apps.</p>
</div>
<div class="paragraph">
<p>Grails codecs are mainly for preventing stored and reflected XSS type of attacks. Grails 2.4 includes HTMLJS codec that assists in preventing some DOM based XSS attacks.</p>
</div>
<div class="paragraph">
<p>It&#8217;s difficult to make a solution that works for everyone, and so Grails provides a lot of flexibility with regard to fine-tuning how escaping works, allowing you to keep most of your application safe while switching off default escaping or changing the codec used for pages, tags, page fragments, and more.</p>
</div>
<div class="sect3">
<h4 id="_configuration">Configuration</h4>
<div class="paragraph">
<p>It is recommended that you review the configuration of a newly created Grails application to garner an understanding of XSS prevention works in Grails.</p>
</div>
<div class="paragraph">
<p>When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is strictly forbidden. This can be configured in the <code>application.yml</code> configuration file as seen below:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="key">server</span>:
<span class="key">session</span>:
<span class="key">cookie</span>:
<span class="key">domain</span>: example.org
http-<span class="key">only</span>: <span class="predefined-constant">true</span>
<span class="key">path</span>: <span class="regexp"><span class="delimiter">/</span></span><span class="error">
</span> <span class="key">secure</span>: <span class="predefined-constant">true</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>GSP features the ability to automatically HTML encode GSP expressions, and as of Grails 2.3 this is the default configuration. The default configuration (found in <code>application.yml</code>) for a newly created Grails application can be seen below:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="key">grails</span>:
<span class="key">views</span>:
<span class="key">gsp</span>:
<span class="key">encoding</span>: UTF-<span class="integer">8</span>
<span class="key">htmlcodec</span>: xml <span class="error">#</span> use xml escaping instead of HTML4 escaping
<span class="key">codecs</span>:
<span class="key">expression</span>: html <span class="error">#</span> escapes values inside <span class="error">$</span>{}
<span class="key">scriptlets</span>: html <span class="error">#</span> escapes output from scriptlets <span class="keyword">in</span> GSPs
<span class="key">taglib</span>: none <span class="error">#</span> escapes output from taglibs
<span class="key">staticparts</span>: none <span class="error">#</span> escapes output from <span class="directive">static</span> template parts</code></pre>
</div>
</div>
<div class="paragraph">
<p>GSP features several codecs that it uses when writing the page to the response. The codecs are configured in the <code>codecs</code> block and are described below:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>expression</code> - The expression codec is used to encode any code found within ${..} expressions. The default for newly created application is <code>html</code> encoding.</p>
</li>
<li>
<p><code>scriptlet</code> - Used for output from GSP scriplets (&lt;% %&gt;, &lt;%= %&gt; blocks). The default for newly created applications is <code>html</code> encoding</p>
</li>
<li>
<p><code>taglib</code> - Used to encode output from GSP tag libraries. The default is <code>none</code> for new applications, as typically it is the responsibility of the tag author to define the encoding of a given tag and by specifying <code>none</code> Grails remains backwards compatible with older tag libraries.</p>
</li>
<li>
<p><code>staticparts</code> - Used to encode the raw markup output by a GSP page. The default is <code>none</code>.</p>
</li>
</ul>
</div>
</div>
<div class="sect3">
<h4 id="_double_encoding_prevention">Double Encoding Prevention</h4>
<div class="paragraph">
<p>Versions of Grails prior to 2.3, included the ability to set the default codec to <code>html</code>, however enabling this setting sometimes proved problematic when using existing plugins due to encoding being applied twice (once by the <code>html</code> codec and then again if the plugin manually called <code>encodeAsHTML</code>).</p>
</div>
<div class="paragraph">
<p>Grails 2.3 includes double encoding prevention so that when an expression is evaluated, it will not encode if the data has already been encoded (Example <code>${foo.encodeAsHTML()}</code>).</p>
</div>
</div>
<div class="sect3">
<h4 id="_raw_output">Raw Output</h4>
<div class="paragraph">
<p>If you are 100% sure that the value you wish to present on the page has not been received from user input, and you do not wish the value to be encoded then you can use the <code>raw</code> method:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="error">$</span>{raw(book.title)}</code></pre>
</div>
</div>
<div class="paragraph">
<p>The 'raw' method is available in tag libraries, controllers and GSP pages.</p>
</div>
</div>
<div class="sect3">
<h4 id="_per_plugin_encoding">Per Plugin Encoding</h4>
<div class="paragraph">
<p>Grails also features the ability to control the codecs used on a per plugin basis. For example if you have a plugin named <code>foo</code> installed, then placing the following configuration in your <code>application.groovy</code> will disable encoding for only the <code>foo</code> plugin</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">foo.grails.views.gsp.codecs.expression = <span class="string"><span class="delimiter">&quot;</span><span class="content">none</span><span class="delimiter">&quot;</span></span></code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_per_page_encoding">Per Page Encoding</h4>
<div class="paragraph">
<p>You can also control the various codecs used to render a GSP page on a per page basis, using a page directive:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">&lt;%<span class="annotation">@page</span> expressionCodec=<span class="string"><span class="delimiter">&quot;</span><span class="content">none</span><span class="delimiter">&quot;</span></span> %&gt;</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_per_tag_library_encoding">Per Tag Library Encoding</h4>
<div class="paragraph">
<p>Each tag library created has the opportunity to specify a default codec used to encode output from the tag library using the "defaultEncodeAs" property:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="directive">static</span> defaultEncodeAs = <span class="string"><span class="delimiter">'</span><span class="content">html</span><span class="delimiter">'</span></span></code></pre>
</div>
</div>
<div class="paragraph">
<p>Encoding can also be specified on a per tag basis using "encodeAsForTags":</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="directive">static</span> encodeAsForTags = [<span class="key">tagName</span>: <span class="string"><span class="delimiter">'</span><span class="content">raw</span><span class="delimiter">'</span></span>]</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_context_sensitive_encoding_switching">Context Sensitive Encoding Switching</h4>
<div class="paragraph">
<p>Certain tags require certain encodings and Grails features the ability to enable a codec only a certain part of a tag&#8217;s execution using the "withCodec" method. Consider for example the "&lt;g:javascript&gt;"" tag which allows you to embed JavaScript code in the page. This tag requires JavaScript encoding, not HTML coding for the execution of the body of the tag (but not for the markup that is output):</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">out.println <span class="string"><span class="delimiter">'</span><span class="content">&lt;script type=&quot;text/javascript&quot;&gt;</span><span class="delimiter">'</span></span>
withCodec(<span class="string"><span class="delimiter">&quot;</span><span class="content">JavaScript</span><span class="delimiter">&quot;</span></span>) {
out &lt;&lt; body()
}
out.println()
out.println <span class="string"><span class="delimiter">'</span><span class="content">&lt;/script&gt;</span><span class="delimiter">'</span></span></code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_forced_encoding_for_tags">Forced Encoding for Tags</h4>
<div class="paragraph">
<p>If a tag specifies a default encoding that differs from your requirements you can force the encoding for any tag by passing the optional 'encodeAs' attribute:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">&lt;<span class="key">g</span>:message code=<span class="string"><span class="delimiter">&quot;</span><span class="content">foo.bar</span><span class="delimiter">&quot;</span></span> encodeAs=<span class="string"><span class="delimiter">&quot;</span><span class="content">JavaScript</span><span class="delimiter">&quot;</span></span> /&gt;</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_default_encoding_for_all_output">Default Encoding for All Output</h4>
<div class="paragraph">
<p>The default configuration for new applications is fine for most use cases, and backwards compatible with existing plugins and tag libraries. However, you can also make your application even more secure by configuring Grails to always encode all output at the end of a response. This is done using the <code>filteringCodecForContentType</code> configuration in <code>application.groovy</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">grails.views.gsp.filteringCodecForContentType.<span class="string"><span class="delimiter">'</span><span class="content">text/html</span><span class="delimiter">'</span></span> = <span class="string"><span class="delimiter">'</span><span class="content">html</span><span class="delimiter">'</span></span></code></pre>
</div>
</div>
<div class="paragraph">
<p>Note that, if activated, the <code>staticparts</code> codec typically needs to be set to <code>raw</code> so that static markup is not encoded:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">codecs {
expression = <span class="string"><span class="delimiter">'</span><span class="content">html</span><span class="delimiter">'</span></span> <span class="comment">// escapes values inside ${}</span>
scriptlet = <span class="string"><span class="delimiter">'</span><span class="content">html</span><span class="delimiter">'</span></span> <span class="comment">// escapes output from scriptlets in GSPs</span>
taglib = <span class="string"><span class="delimiter">'</span><span class="content">none</span><span class="delimiter">'</span></span> <span class="comment">// escapes output from taglibs</span>
staticparts = <span class="string"><span class="delimiter">'</span><span class="content">raw</span><span class="delimiter">'</span></span> <span class="comment">// escapes output from static template parts</span>
}</code></pre>
</div>
</div>
</div>
<a name="14.2 Encoding and Decoding Objects"><!-- Legacy link --></a>
<h2 id="codecs">17.3 Encoding and Decoding Objects</h2>
<div class='contribute-btn'>
<button type='button' class='btn btn-default' onclick='window.location.href="https://github.com/grails/grails-doc/edit/3.3.x/src/en/guide/security/codecs.adoc"'>
<i class='fa fa-pencil-square-o'></i> Improve this doc
</button>
</div>
<div class="paragraph">
<p>Grails supports the concept of dynamic encode/decode methods. A set of standard codecs are bundled with Grails. Grails also supports a simple mechanism for developers to contribute their own codecs that will be recognized at runtime.</p>
</div>
<div class="sect3">
<h4 id="_codec_classes">Codec Classes</h4>
<div class="paragraph">
<p>A Grails codec class is one that may contain an encode closure, a decode closure or both. When a Grails application starts up the Grails framework dynamically loads codecs from the <code>grails-app/utils/</code> directory.</p>
</div>
<div class="paragraph">
<p>The framework looks under <code>grails-app/utils/</code> for class names that end with the convention <code>Codec</code>. For example one of the standard codecs that ships with Grails is <code>HTMLCodec</code>.</p>
</div>
<div class="paragraph">
<p>If a codec contains an <code>encode</code> closure Grails will create a dynamic <code>encode</code> method and add that method to the <code>Object</code> class with a name representing the codec that defined the encode closure. For example, the <code>HTMLCodec</code> class defines an <code>encode</code> closure, so Grails attaches it with the name <code>encodeAsHTML</code>.</p>
</div>
<div class="paragraph">
<p>The <code>HTMLCodec</code> and <code>URLCodec</code> classes also define a <code>decode</code> closure, so Grails attaches those with the names <code>decodeHTML</code> and <code>decodeURL</code> respectively. Dynamic codec methods may be invoked from anywhere in a Grails application. For example, consider a case where a report contains a property called 'description' which may contain special characters that must be escaped to be presented in an HTML document. One way to deal with that in a GSP is to encode the description property using the dynamic encode method as shown below:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="error">$</span>{report.description.encodeAsHTML()}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Decoding is performed using <code>value.decodeHTML()</code> syntax.</p>
</div>
</div>
<div class="sect3">
<h4 id="_encoder_and_decoder_interfaces_for_staticly_compiled_code">Encoder and Decoder interfaces for staticly compiled code</h4>
<div class="paragraph">
<p>A preferred way to use codecs is to use the codecLookup bean to get hold of <code>Encoder</code> and <code>Decoder</code> instances .</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="keyword">package</span> org.grails.encoder;
<span class="directive">public</span> <span class="type">interface</span> CodecLookup {
<span class="directive">public</span> <span class="predefined-type">Encoder</span> lookupEncoder(<span class="predefined-type">String</span> codecName);
<span class="directive">public</span> Decoder lookupDecoder(<span class="predefined-type">String</span> codecName);
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>example of using <code>CodecLookup</code> and <code>Encoder</code> interface</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="keyword">import</span> <span class="include">org.grails.encoder.CodecLookup</span>
<span class="type">class</span> <span class="class">CustomTagLib</span> {
CodecLookup codecLookup
<span class="keyword">def</span> myTag = { <span class="predefined-type">Map</span> attrs, body -&gt;
out &lt;&lt; codecLookup.lookupEncoder(<span class="string"><span class="delimiter">'</span><span class="content">HTML</span><span class="delimiter">'</span></span>).encode(attrs.something)
}
}</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_standard_codecs">Standard Codecs</h4>
<div class="paragraph">
<p><strong>HTMLCodec</strong></p>
</div>
<div class="paragraph">
<p>This codec performs HTML escaping and unescaping, so that values can be rendered safely in an HTML page without creating any HTML tags or damaging the page layout. For example, given a value "Don&#8217;t you know that 2 &gt; 1?" you wouldn&#8217;t be able to show this safely within an HTML page because the &gt; will look like it closes a tag, which is especially bad if you render this data within an attribute, such as the value attribute of an input field.</p>
</div>
<div class="paragraph">
<p>Example of usage:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">&lt;input name=<span class="string"><span class="delimiter">&quot;</span><span class="content">comment.message</span><span class="delimiter">&quot;</span></span> value=<span class="string"><span class="delimiter">&quot;</span><span class="inline"><span class="inline-delimiter">${</span>comment.message.encodeAsHTML()<span class="inline-delimiter">}</span></span><span class="delimiter">&quot;</span></span>/&gt;</code></pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
Note that the HTML encoding does not re-encode apostrophe/single quote so you must use double quotes on attribute values to avoid text with apostrophes affecting your page.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>HTMLCodec defaults to HTML4 style escaping (legacy HTMLCodec implementation in Grails versions before 2.3.0) which escapes non-ascii characters.</p>
</div>
<div class="paragraph">
<p>You can use plain XML escaping instead of HTML4 escaping by setting this config property in <code>application.groovy</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">grails.views.gsp.htmlcodec = <span class="string"><span class="delimiter">'</span><span class="content">xml</span><span class="delimiter">'</span></span></code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>XMLCodec</strong></p>
</div>
<div class="paragraph">
<p>This codec performs XML escaping and unescaping. It escapes &amp; , &lt; , &gt; , " , ' , \\\\ , @ , ` , non breaking space (\\\\u00a0), line separator (\\\\u2028) and paragraph separator (\\\\u2029).</p>
</div>
<div class="paragraph">
<p><strong>HTMLJSCodec</strong></p>
</div>
<div class="paragraph">
<p>This codec performs HTML and JS encoding. It is used for preventing some DOM-XSS vulnerabilities. See <a href="https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet">OWASP - DOM based XSS Prevention Cheat Sheet</a> for guidelines of preventing DOM based XSS attacks.</p>
</div>
<div class="paragraph">
<p><strong>URLCodec</strong></p>
</div>
<div class="paragraph">
<p>URL encoding is required when creating URLs in links or form actions, or any time data is used to create a URL. It prevents illegal characters from getting into the URL and changing its meaning, for example "Apple &amp; Blackberry" is not going to work well as a parameter in a GET request as the ampersand will break parameter parsing.</p>
</div>
<div class="paragraph">
<p>Example of usage:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">&lt;a href=<span class="string"><span class="delimiter">&quot;</span><span class="content">/mycontroller/find?searchKey=</span><span class="inline"><span class="inline-delimiter">${</span>lastSearch.encodeAsURL()<span class="inline-delimiter">}</span></span><span class="delimiter">&quot;</span></span>&gt;
Repeat last search
&lt;<span class="regexp"><span class="delimiter">/</span><span class="content">a&gt;</span></span></code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>Base64Codec</strong></p>
</div>
<div class="paragraph">
<p>Performs Base64 encode/decode functions. Example of usage:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">Your registration code <span class="key">is</span>: <span class="error">$</span>{user.registrationCode.encodeAsBase64()}</code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>JavaScriptCodec</strong></p>
</div>
<div class="paragraph">
<p>Escapes Strings so they can be used as valid JavaScript strings. For example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="predefined-type">Element</span>.update(<span class="string"><span class="delimiter">'</span><span class="content">${elementId}</span><span class="delimiter">'</span></span>,
<span class="string"><span class="delimiter">'</span><span class="content">${render(template: &quot;/common/message&quot;).encodeAsJavaScript()}</span><span class="delimiter">'</span></span>)</code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>HexCodec</strong></p>
</div>
<div class="paragraph">
<p>Encodes byte arrays or lists of integers to lowercase hexadecimal strings, and can decode hexadecimal strings into byte arrays. For example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">Selected <span class="key">colour</span>: <span class="error">#</span><span class="error">$</span>{[<span class="integer">255</span>,<span class="integer">127</span>,<span class="integer">255</span>].encodeAsHex()}</code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>MD5Codec</strong></p>
</div>
<div class="paragraph">
<p>Uses the MD5 algorithm to digest byte arrays or lists of integers, or the bytes of a string (in default system encoding), as a lowercase hexadecimal string. Example of usage:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">Your API <span class="predefined-type">Key</span>: <span class="error">$</span>{user.uniqueID.encodeAsMD5()}</code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>MD5BytesCodec</strong></p>
</div>
<div class="paragraph">
<p>Uses the MD5 algorithm to digest byte arrays or lists of integers, or the bytes of a string (in default system encoding), as a byte array. Example of usage:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="type">byte</span><span class="type">[]</span> passwordHash = params.password.encodeAsMD5Bytes()</code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>SHA1Codec</strong></p>
</div>
<div class="paragraph">
<p>Uses the SHA1 algorithm to digest byte arrays or lists of integers, or the bytes of a string (in default system encoding), as a lowercase hexadecimal string. Example of usage:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">Your API <span class="predefined-type">Key</span>: <span class="error">$</span>{user.uniqueID.encodeAsSHA1()}</code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>SHA1BytesCodec</strong></p>
</div>
<div class="paragraph">
<p>Uses the SHA1 algorithm to digest byte arrays or lists of integers, or the bytes of a string (in default system encoding), as a byte array. Example of usage:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="type">byte</span><span class="type">[]</span> passwordHash = params.password.encodeAsSHA1Bytes()</code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>SHA256Codec</strong></p>
</div>
<div class="paragraph">
<p>Uses the SHA256 algorithm to digest byte arrays or lists of integers, or the bytes of a string (in default system encoding), as a lowercase hexadecimal string. Example of usage:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">Your API <span class="predefined-type">Key</span>: <span class="error">$</span>{user.uniqueID.encodeAsSHA256()}</code></pre>
</div>
</div>
<div class="paragraph">
<p><strong>SHA256BytesCodec</strong></p>
</div>
<div class="paragraph">
<p>Uses the SHA256 algorithm to digest byte arrays or lists of integers, or the bytes of a string (in default system encoding), as a byte array. Example of usage:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="type">byte</span><span class="type">[]</span> passwordHash = params.password.encodeAsSHA256Bytes()</code></pre>
</div>
</div>
</div>
<div class="sect3">
<h4 id="_custom_codecs">Custom Codecs</h4>
<div class="paragraph">
<p>Applications may define their own codecs and Grails will load them along with the standard codecs. A custom codec class must be defined in the <code>grails-app/utils/</code> directory and the class name must end with <code>Codec</code>. The codec may contain a <code>static</code> <code>encode</code> closure, a <code>static</code> <code>decode</code> closure or both. The closure must accept a single argument which will be the object that the dynamic method was invoked on. For Example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="type">class</span> <span class="class">PigLatinCodec</span> {
<span class="directive">static</span> encode = { str -&gt;
<span class="comment">// convert the string to pig latin and return the result</span>
}
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>With the above codec in place an application could do something like this:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="xml">${lastName.encodeAsPigLatin()}</code></pre>
</div>
</div>
</div>
<a name="14.3 Authentication"><!-- Legacy link --></a>
<h2 id="authentication">17.4 Authentication</h2>
<div class='contribute-btn'>
<button type='button' class='btn btn-default' onclick='window.location.href="https://github.com/grails/grails-doc/edit/3.3.x/src/en/guide/security/authentication.adoc"'>
<i class='fa fa-pencil-square-o'></i> Improve this doc
</button>
</div>
<div class="paragraph">
<p>Grails has no default mechanism for authentication as it is possible to implement authentication in many different ways. It is however, easy to implement a simple authentication mechanism using <a href="theWebLayer.html#interceptors">interceptors</a>. This is sufficient for simple use cases but it&#8217;s highly preferable to use an established security framework, for example by using the <a href="#springSecurity">Spring Security</a> or the <a href="#shiro">Shiro</a> plugin.</p>
</div>
<div class="paragraph">
<p>Interceptors let you apply authentication across all controllers or across a URI space. For example you can create a new set of filters in a class called <code>grails-app/controllers/SecurityInterceptor.groovy</code> by running:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy">grails create-interceptor security</code></pre>
</div>
</div>
<div class="paragraph">
<p>and implement your interception logic there:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="type">class</span> <span class="class">SecurityInterceptor</span> {
SecurityInterceptor() {
matchAll()
.except(<span class="key">controller</span>:<span class="string"><span class="delimiter">'</span><span class="content">user</span><span class="delimiter">'</span></span>, <span class="key">action</span>:<span class="string"><span class="delimiter">'</span><span class="content">login</span><span class="delimiter">'</span></span>)
}
<span class="type">boolean</span> before() {
<span class="keyword">if</span> (!session.user &amp;&amp; actionName != <span class="string"><span class="delimiter">&quot;</span><span class="content">login</span><span class="delimiter">&quot;</span></span>) {
redirect(<span class="key">controller</span>: <span class="string"><span class="delimiter">&quot;</span><span class="content">user</span><span class="delimiter">&quot;</span></span>, <span class="key">action</span>: <span class="string"><span class="delimiter">&quot;</span><span class="content">login</span><span class="delimiter">&quot;</span></span>)
<span class="keyword">return</span> <span class="predefined-constant">false</span>
}
<span class="keyword">return</span> <span class="predefined-constant">true</span>
}
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Here the interceptor intercepts execution <em>before</em> all actions except <code>login</code> are executed, and if there is no user in the session then redirect to the <code>login</code> action.</p>
</div>
<div class="paragraph">
<p>The <code>login</code> action itself is simple too:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="CodeRay highlight"><code data-lang="groovy"><span class="keyword">def</span> <span class="function">login</span>() {
<span class="keyword">if</span> (request.get) {
<span class="keyword">return</span> <span class="comment">// render the login view</span>
}
<span class="keyword">def</span> u = User.findByLogin(params.login)
<span class="keyword">if</span> (u) {
<span class="keyword">if</span> (u.password == params.password) {
session.user = u
redirect(<span class="key">action</span>: <span class="string"><span class="delimiter">&quot;</span><span class="content">home</span><span class="delimiter">&quot;</span></span>)
}
<span class="keyword">else</span> {
render(<span class="key">view</span>: <span class="string"><span class="delimiter">&quot;</span><span class="content">login</span><span class="delimiter">&quot;</span></span>, <span class="key">model</span>: [<span class="key">message</span>: <span class="string"><span class="delimiter">&quot;</span><span class="content">Password incorrect</span><span class="delimiter">&quot;</span></span>])
}
}
<span class="keyword">else</span> {
render(<span class="key">view</span>: <span class="string"><span class="delimiter">&quot;</span><span class="content">login</span><span class="delimiter">&quot;</span></span>, <span class="key">model</span>: [<span class="key">message</span>: <span class="string"><span class="delimiter">&quot;</span><span class="content">User not found</span><span class="delimiter">&quot;</span></span>])
}
}</code></pre>
</div>
</div>
<a name="14.4 Security Plug-ins"><!-- Legacy link --></a>
<h2 id="securityPlugins">17.5 Security Plugins</h2>
<div class='contribute-btn'>
<button type='button' class='btn btn-default' onclick='window.location.href="https://github.com/grails/grails-doc/edit/3.3.x/src/en/guide/security/securityPlugins.adoc"'>
<i class='fa fa-pencil-square-o'></i> Improve this doc
</button>
</div>
<div class="paragraph">
<p>If you need more advanced functionality beyond simple authentication such as authorization, roles etc. then you should consider using the spring security core plugin.</p>
</div>
<a name="14.4.1 Spring Security"><!-- Legacy link --></a>
<h2 id="springSecurity">17.5.1 Spring Security</h2>
<div class='contribute-btn'>
<button type='button' class='btn btn-default' onclick='window.location.href="https://github.com/grails/grails-doc/edit/3.3.x/src/en/guide/security/securityPlugins/springSecurity.adoc"'>
<i class='fa fa-pencil-square-o'></i> Improve this doc
</button>
</div>
<div class="paragraph">
<p>The Spring Security plugins are built on the <a href="http://projects.spring.io/spring-security/">Spring Security</a> project which provides a flexible, extensible framework for building all sorts of authentication and authorization schemes. The plugins are modular so you can install just the functionality that you need for your application. The Spring Security plugins are the official security plugins for Grails and are actively maintained and supported.</p>
</div>
<div class="paragraph">
<p>There is a <a href="http://grails.org/plugins.html#plugin/spring-security-core">Core plugin</a> which supports form-based authentication, encrypted/salted passwords, HTTP Basic authentication, etc. and secondary dependent plugins provide alternate functionality such as <a href="https://grails.org/plugins.html#plugin/spring-security-acl">ACL support</a>, <a href="https://grails.org/plugins.html#plugin/spring-security-cas">single sign-on with Jasig CAS</a>, <a href="https://grails.org/plugins.html#plugin/spring-security-ldap">LDAP authentication</a>, <a href="https://grails.org/plugins.html#plugin/spring-security-kerberos">Kerberos authentication</a>, and a plugin providing <a href="https://grails.org/plugins.html#plugin/spring-security-ui">user interface extensions</a> and security workflows.</p>
</div>
<div class="paragraph">
<p>See the <a href="http://grails.org/plugins.html#plugin/spring-security-core">Core plugin page</a> for basic information and the <a href="http://grails-plugins.github.io/grails-spring-security-core/">user guide</a> for detailed information.</p>
</div>
<div style="clear:both;margin-top:15px;"></div>
<div class="toc-item prev-left"><a href="../guide/i18n.html">&lt;&lt; <strong>16</strong><span>Internationalization</span></a></div>
<div class="toc-item next-right"><a href="../guide/plugins.html"><strong>18</strong><span>Plugins</span> >></a></div>
<div style="clear:both"></div>
</div>
</td>
<td id="col2">
<div class="local clearfix">
<div class="local-title">
<a href="../guide/index.html" target="mainFrame">Quick Reference</a>
<span class="toggle">(<a href="#" onclick="localToggle(); return false;">hide</a>)</span>
</div>
<div class="menu">
<div class="menu-block"><h1 class="menu-title" onclick="toggleRef(this.parentNode.childNodes[1])">Command Line</h1><div class="menu-sub">
<div class="menu-item"><a href="../ref/Command%20Line/Usage.html">Usage</a></div>
<div class="menu-item"><a href="../ref/Command%20Line/bug-report.html">bug-report</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/clean.html">clean</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/compile.html">compile</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/console.html">console</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-app.html">create-app</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-command.html">create-command</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-controller.html">create-controller</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-domain-class.html">create-domain-class</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-functional-test.html">create-functional-test</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-hibernate-cfg-xml.html">create-hibernate-cfg-xml</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-integration-test.html">create-integration-test</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-interceptor.html">create-interceptor</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-plugin.html">create-plugin</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-profile.html">create-profile</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-script.html">create-script</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-service.html">create-service</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-taglib.html">create-taglib</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/create-unit-test.html">create-unit-test</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/dependency-report.html">dependency-report</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/docs.html">docs</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/generate-all.html">generate-all</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/generate-controller.html">generate-controller</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/generate-views.html">generate-views</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/help.html">help</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/install-templates.html">install-templates</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/list-plugins.html">list-plugins</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/list-profiles.html">list-profiles</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/package-plugin.html">package-plugin</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/package.html">package</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/plugin-info.html">plugin-info</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/profile-info.html">profile-info</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/run-app.html">run-app</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/run-command.html">run-command</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/run-script.html">run-script</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/schema-export.html">schema-export</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/shell.html">shell</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/stats.html">stats</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/stop-app.html">stop-app</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/test-app.html">test-app</a>
</div>
<div class="menu-item"><a href="../ref/Command%20Line/war.html">war</a>
</div>
</div>
</div>
<div class="menu-block"><h1 class="menu-title" onclick="toggleRef(this.parentNode.childNodes[1])">Constraints</h1><div class="menu-sub">
<div class="menu-item"><a href="../ref/Constraints/Usage.html">Usage</a></div>
<div class="menu-item"><a href="../ref/Constraints/attributes.html">attributes</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/bindable.html">bindable</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/blank.html">blank</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/creditCard.html">creditCard</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/email.html">email</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/inList.html">inList</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/matches.html">matches</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/max.html">max</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/maxSize.html">maxSize</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/min.html">min</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/minSize.html">minSize</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/notEqual.html">notEqual</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/nullable.html">nullable</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/range.html">range</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/scale.html">scale</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/size.html">size</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/unique.html">unique</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/url.html">url</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/validator.html">validator</a>
</div>
<div class="menu-item"><a href="../ref/Constraints/widget.html">widget</a>
</div>
</div>
</div>
<div class="menu-block"><h1 class="menu-title" onclick="toggleRef(this.parentNode.childNodes[1])">Controllers</h1><div class="menu-sub">
<div class="menu-item"><a href="../ref/Controllers/Usage.html">Usage</a></div>
<div class="menu-item"><a href="../ref/Controllers/actionName.html">actionName</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/allowedMethods.html">allowedMethods</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/bindData.html">bindData</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/chain.html">chain</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/controllerName.html">controllerName</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/defaultAction.html">defaultAction</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/errors.html">errors</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/flash.html">flash</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/forward.html">forward</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/grailsApplication.html">grailsApplication</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/hasErrors.html">hasErrors</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/namespace.html">namespace</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/params.html">params</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/redirect.html">redirect</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/render.html">render</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/request.html">request</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/respond.html">respond</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/response.html">response</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/responseFormats.html">responseFormats</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/scope.html">scope</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/servletContext.html">servletContext</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/session.html">session</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/withForm.html">withForm</a>
</div>
<div class="menu-item"><a href="../ref/Controllers/withFormat.html">withFormat</a>
</div>
</div>
</div>
<div class="menu-block"><h1 class="menu-title" onclick="toggleRef(this.parentNode.childNodes[1])">Database Mapping</h1><div class="menu-sub">
<div class="menu-item"><a href="../ref/Database%20Mapping/Usage.html">Usage</a></div>
<div class="menu-item"><a href="../ref/Database%20Mapping/autoImport.html">autoImport</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/autoTimestamp.html">autoTimestamp</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/batchSize.html">batchSize</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/cache.html">cache</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/cascade.html">cascade</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/column.html">column</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/comment.html">comment</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/discriminator.html">discriminator</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/dynamicInsert.html">dynamicInsert</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/dynamicUpdate.html">dynamicUpdate</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/fetch.html">fetch</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/id.html">id</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/ignoreNotFound.html">ignoreNotFound</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/indexColumn.html">indexColumn</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/insertable.html">insertable</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/joinTable.html">joinTable</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/lazy.html">lazy</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/order.html">order</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/sort.html">sort</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/table.html">table</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/type.html">type</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/updateable.html">updateable</a>
</div>
<div class="menu-item"><a href="../ref/Database%20Mapping/version.html">version</a>
</div>
</div>
</div>
<div class="menu-block"><h1 class="menu-title" onclick="toggleRef(this.parentNode.childNodes[1])">Domain Classes</h1><div class="menu-sub">
<div class="menu-item"><a href="../ref/Domain%20Classes/Usage.html">Usage</a></div>
<div class="menu-item"><a href="../ref/Domain%20Classes/addTo.html">addTo</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/attach.html">attach</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/belongsTo.html">belongsTo</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/clearErrors.html">clearErrors</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/constraints.html">constraints</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/count.html">count</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/countBy.html">countBy</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/createCriteria.html">createCriteria</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/delete.html">delete</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/discard.html">discard</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/embedded.html">embedded</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/errors.html">errors</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/executeQuery.html">executeQuery</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/executeUpdate.html">executeUpdate</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/exists.html">exists</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/fetchMode.html">fetchMode</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/find.html">find</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/findAll.html">findAll</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/findAllBy.html">findAllBy</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/findAllWhere.html">findAllWhere</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/findBy.html">findBy</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/findOrCreateBy.html">findOrCreateBy</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/findOrCreateWhere.html">findOrCreateWhere</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/findOrSaveBy.html">findOrSaveBy</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/findOrSaveWhere.html">findOrSaveWhere</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/findWhere.html">findWhere</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/first.html">first</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/get.html">get</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/getAll.html">getAll</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/getDirtyPropertyNames.html">getDirtyPropertyNames</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/getPersistentValue.html">getPersistentValue</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/hasErrors.html">hasErrors</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/hasMany.html">hasMany</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/hasOne.html">hasOne</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/ident.html">ident</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/instanceOf.html">instanceOf</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/isAttached.html">isAttached</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/isDirty.html">isDirty</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/last.html">last</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/list.html">list</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/listOrderBy.html">listOrderBy</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/load.html">load</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/lock.html">lock</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/mapWith.html">mapWith</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/mappedBy.html">mappedBy</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/mapping.html">mapping</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/merge.html">merge</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/namedQueries.html">namedQueries</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/properties.html">properties</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/read.html">read</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/refresh.html">refresh</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/removeFrom.html">removeFrom</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/save.html">save</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/transients.html">transients</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/validate.html">validate</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/where.html">where</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/whereAny.html">whereAny</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/withCriteria.html">withCriteria</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/withNewSession.html">withNewSession</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/withSession.html">withSession</a>
</div>
<div class="menu-item"><a href="../ref/Domain%20Classes/withTransaction.html">withTransaction</a>
</div>
</div>
</div>
<div class="menu-block"><h1 class="menu-title" onclick="toggleRef(this.parentNode.childNodes[1])">Plug-ins</h1><div class="menu-sub">
<div class="menu-item"><a href="../ref/Plug-ins/Usage.html">Usage</a></div>
<div class="menu-item"><a href="../ref/Plug-ins/URL%20mappings.html">URL mappings</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/codecs.html">codecs</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/controllers.html">controllers</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/core.html">core</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/dataSource.html">dataSource</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/domainClasses.html">domainClasses</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/hibernate.html">hibernate</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/i18n.html">i18n</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/logging.html">logging</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/scaffolding.html">scaffolding</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/services.html">services</a>
</div>
<div class="menu-item"><a href="../ref/Plug-ins/servlets.html">servlets</a>
</div>
</div>
</div>
<div class="menu-block"><h1 class="menu-title" onclick="toggleRef(this.parentNode.childNodes[1])">Services</h1><div class="menu-sub">
<div class="menu-item"><a href="../ref/Services/Usage.html">Usage</a></div>
<div class="menu-item"><a href="../ref/Services/scope.html">scope</a>
</div>
<div class="menu-item"><a href="../ref/Services/transactional.html">transactional</a>
</div>
</div>
</div>
<div class="menu-block"><h1 class="menu-title" onclick="toggleRef(this.parentNode.childNodes[1])">Servlet API</h1><div class="menu-sub">
<div class="menu-item"><a href="../ref/Servlet%20API/request.html">request</a>
</div>
<div class="menu-item"><a href="../ref/Servlet%20API/response.html">response</a>
</div>
<div class="menu-item"><a href="../ref/Servlet%20API/servletContext.html">servletContext</a>
</div>
<div class="menu-item"><a href="../ref/Servlet%20API/session.html">session</a>
</div>
</div>
</div>
</div>
</div>
</td>
</tr>
</table>
<div id="footer">
Copies of this document may be made for your own use and for distribution to others, provided that you do not charge any fee for such copies and further provided that each copy contains this Copyright Notice, whether distributed in print or electronically.
</div>
<script type="text/javascript" src="../js/docs.js"></script>
</body>
</html>