autorole

A sample application showing how to infer one or more roles from persisted user information without explicitly storing roles in the traditional many-to-many format.

In this example there isn’t even a Role or UserRole domain class, only the User class; and all of the work is done in autorole.AutoRoleUserDetailsService, the custom UserDetailsService implementation.

A more realistic implementation would probably use a hybrid approach, storing some role information in the database and inferring the rest, with the UserDetailsService merging the "real" and "virtual" roles as needed.

Items of note:

  • test.User is the user domain class generated by the s2-quickstart script with one modification, adding a boolean admin property

  • the Role and UserRole classes generated by the s2-quickstart script were deleted since they’re not used

  • two users are created in BootStrap.groovy; user “admin” (password “password”) has the admin boolean set to true and will be auto-granted ROLE_ADMIN, and user “user” (password “password”) has the default value for admin (false) which will result in a grant of ROLE_USER

  • autorole.AutoRoleUserDetailsService is registered in grails-app/conf/spring/resources.groovy as the userDetailsService bean

  • secured.SecureController has two annotated actions; /secure requires ROLE_USER (or ROLE_ADMIN since hierarchical roles are configured) and /secure/admin requires ROLE_ADMIN

  • debug/trace logging for the plugin and Spring Security is configured but commented out in logback.groovy

  • the application is intentionally stripped-down:

    • there are no static resources

    • the GSPs are very minimal

    • all unused attributes were removed from the grails.plugin.springsecurity block in application.groovy (even including userLookup.userDomainClassName, since AutoRoleUserDetailsService works directly with the User class)
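
A sketch of how a UserDetailsService can infer the role from the admin flag as described above. This is an added example, not the sample's own autorole.AutoRoleUserDetailsService; the package and class name are hypothetical, and it assumes the spring-security-core plugin's GrailsUserDetailsService and GrailsUser types plus the s2-quickstart default properties on test.User.

```groovy
package example  // hypothetical package, not the sample app's

import grails.plugin.springsecurity.userdetails.GrailsUser
import grails.plugin.springsecurity.userdetails.GrailsUserDetailsService
import grails.plugin.springsecurity.userdetails.NoStackUsernameNotFoundException
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException
import test.User

// Hypothetical class name; it must be registered as the userDetailsService
// bean in grails-app/conf/spring/resources.groovy for the plugin to use it.
class InferredRoleUserDetailsService implements GrailsUserDetailsService {

    @Override
    UserDetails loadUserByUsername(String username, boolean loadRoles)
            throws UsernameNotFoundException {
        // Roles are always inferred, so the loadRoles flag changes nothing here.
        loadUserByUsername(username)
    }

    @Override
    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Assumption: withTransaction is used so the lookup has a GORM session.
        User user = User.withTransaction { User.findByUsername(username) }
        if (!user) {
            // Unknown usernames all fail with the same exception.
            throw new NoStackUsernameNotFoundException()
        }
        // Account-state flags are passed through so disabled, locked and
        // expired accounts are still rejected by Spring Security.
        new GrailsUser(user.username, user.password, user.enabled,
                !user.accountExpired, !user.passwordExpired, !user.accountLocked,
                inferAuthorities(user), user.id)
    }

    // The single place where "virtual" roles are derived from persisted state.
    // Admins get only ROLE_ADMIN; the configured role hierarchy is what lets
    // them reach actions that require ROLE_USER.
    private static Collection<GrantedAuthority> inferAuthorities(User user) {
        String role = user.admin ? 'ROLE_ADMIN' : 'ROLE_USER'
        [new SimpleGrantedAuthority(role)] as Collection<GrantedAuthority>
    }
}
```

Because the authorities are computed when the user authenticates, a change to the admin flag applies at that user's next login.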