1. Introduction to the Spring Security AppInfo Plugin

The Spring Security AppInfo plugin provides a UI to inspect your security configuration.

If you already have the spring-security-ui plugin installed, you shouldn’t install this plugin, since it’s part of that plugin. It’s split out here into its own plugin for users who want this information but not the entire UI plugin.

1.1. Release History

  • December 8, 2015

    • 3.0.0 release

  • August 16, 2015

    • 3.0.0.M1 release

  • October 5, 2013

    • 2.0-RC2 release

  • February 13, 2010

    • initial 1.0 release

2. Installation

Simply add an entry in the dependencies block of your build.gradle file, changing the version as needed:

build.gradle
dependencies {
   ...
   compile 'org.grails.plugins:spring-security-appinfo:3.0.1'
   ...
}

3. Security Configuration UI

The plugin has one controller (SecurityInfoController.groovy), which is available by navigating to /securityInfo. There are eight menus:

3.1. Configuration

The Configuration menu item displays all security-related attributes in grails-app/conf/application.groovy. The names omit the grails.plugin.springsecurity prefix:

[Screenshot: security info config]

3.2. Mappings

The Mappings menu item displays the current request mapping mode (Annotation, Requestmap, or Static) and all current mappings:

[Screenshot: security info mappings]

3.3. Current Authentication

The Current Authentication menu item displays your Authentication information, mostly for reference to see what a typical one contains:

[Screenshot: security info auth]

3.4. User Cache

The User Cache menu item displays information about cached users (this feature is disabled by default):

[Screenshot: security info user cache]

3.5. Filter Chains

The Filter Chains menu item displays your configured Filter chains. Typically there is just one chain, applied to all URLs:

[Screenshot: security info filter chains]

It is possible to have multiple URL patterns each with its own filter chain, for example when using HTTP Basic Auth for a web service.

3.6. Logout Handlers

The Logout Handlers menu item displays your registered LogoutHandlers. Typically there will be just the two shown here, but you can register your own custom implementations, or a plugin might contribute one or more:

[Screenshot: security info logout handlers]

3.7. Voters

The Voters menu item displays your registered AccessDecisionVoters. Typically there will be just the three shown here, but you can register your own custom implementations, or a plugin might contribute one or more:

[Screenshot: security info voters]

3.8. Authentication Providers

The Authentication Providers menu item displays your registered AuthenticationProviders. Typically there will be just the three shown here, but you can register your own custom implementations, or a plugin (e.g. LDAP) might contribute one or more:

[Screenshot: security info providers]

4. General Notes

4.1. Securing Access

Be sure to guard access to the /securityInfo URL, since only authorized users should have access to this information. If you’re using annotations, you can register mappings in the staticRules property in grails-app/conf/application.groovy:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
   ...
   [pattern: '/securityinfo',    access: 'ROLE_ADMIN'],
   [pattern: '/securityinfo.*',  access: 'ROLE_ADMIN'],
   [pattern: '/securityinfo/**', access: 'ROLE_ADMIN']
]

If you use database Requestmaps, create new ones:

new Requestmap(url: '/securityinfo', configAttribute: 'ROLE_ADMIN').save()
new Requestmap(url: '/securityinfo.*', configAttribute: 'ROLE_ADMIN').save()
new Requestmap(url: '/securityinfo/**', configAttribute: 'ROLE_ADMIN').save()

And if you use the interceptUrlMap approach, add mappings to that property in grails-app/conf/application.groovy:

grails.plugin.springsecurity.interceptUrlMap = [
   ...
   [pattern: '/securityinfo',    access: 'ROLE_ADMIN'],
   [pattern: '/securityinfo.*',  access: 'ROLE_ADMIN'],
   [pattern: '/securityinfo/**', access: 'ROLE_ADMIN'],
   ...
]
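
A configuration check for the staticRules and interceptUrlMap rules above, suitable for a build step. It is an added example, not part of the plugin or its documentation. The function names, the sample configurations and the set of access values treated as open are assumptions. It looks only for literal rule entries in the text of application.groovy and does not evaluate Spring Security's matching.

```python
import re

# The three URL forms the page says to guard: bare path, extension form, sub-paths.
REQUIRED = ("/securityinfo", "/securityinfo.*", "/securityinfo/**")
# Access values that admit unauthenticated users (assumed set for this check).
OPEN_ACCESS = {"permitall", "is_authenticated_anonymously"}
# One entry: [pattern: '...', access: '...'] or [pattern: '...', access: ['...', ...]]
RULE_RE = re.compile(
    r"\[\s*pattern:\s*'([^']*)'\s*,\s*access:\s*(\[[^\]]*\]|'[^']*')\s*\]")

def parse_rules(config_text):
    """Return {lowercased pattern: [access values]}, skipping // comment lines."""
    live = "\n".join(line for line in config_text.splitlines()
                     if not line.lstrip().startswith("//"))
    return {pattern.lower(): re.findall(r"'([^']*)'", access)
            for pattern, access in RULE_RE.findall(live)}

def audit(config_text):
    """Return findings; an empty list means all three forms are restricted."""
    rules = parse_rules(config_text)
    findings = []
    for required in REQUIRED:
        access = rules.get(required)
        if access is None:
            findings.append(f"missing rule for {required}")
        elif not access or any(a.lower() in OPEN_ACCESS for a in access):
            findings.append(f"{required} is open: {access}")
    return findings

# Constructed sample: extension rule commented out, sub-path rule left open.
SAMPLE_WEAK = """
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
   [pattern: '/securityinfo',    access: 'ROLE_ADMIN'],
   // [pattern: '/securityinfo.*',  access: 'ROLE_ADMIN'],
   [pattern: '/securityinfo/**', access: ['permitAll']]
]
"""
# Constructed sample: the three rules exactly as the page gives them.
SAMPLE_GOOD = """
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
   [pattern: '/securityinfo',    access: 'ROLE_ADMIN'],
   [pattern: '/securityinfo.*',  access: 'ROLE_ADMIN'],
   [pattern: '/securityinfo/**', access: 'ROLE_ADMIN']
]
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(name, audit(text) or "all three /securityinfo forms restricted")
```

Database Requestmaps are not covered by this check, since those rules live in the database rather than in application.groovy.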