A sample application showing how to use X.509 browser certificates to authenticate.

Items of note:

• X.509 is enabled by adding useX509 = true in application.groovy

• two users (“dianne” and “scott”) are created in <code>BootStrap.groovy</code>, both with password "not_used" since it’s unused with certificate authentication

• add the dianne.p12 and/or scott.p12 certificate to your browser to authenticate as that person

• you must use SSL with X.509 authentication; I tested by building a WAR file and deploying it to Tomcat 8, and configuring run-app similarly is left as an exercise for the reader

  • To test, run grails war and copy build/libs/x509-0.1.war to the Tomcat webapps folder, renaming the war to ROOT.war so it uses the default context

  • be sure to access the application with SSL URLs, e.g. https://localhost:8443/secure/index

• configure server.jks as the keystore and truststore; server.xml is an example Tomcat 8 config file that does this, expecting that server.jks is in the conf directory

• secured.SecureController has two annotated actions; /secure requires ROLE_USER (or ROLE_ADMIN since hierarchical roles are configured) and /secure/admin requires ROLE_ADMIN

• debug/trace logging for the plugin and Spring Security is configured but commented out in logback.groovy

• the application is intentionally stripped-down:

  • there are no static resources

  • the GSPs are very minimal

  • all unused attributes were removed from the grails.plugin.springsecurity block in application.groovy

• as in all of the demo apps, main.gsp was renamed to application.gsp since that’s the default name if none is specified, and the <meta> tag specifying the layout was removed from the GSPs

  • note that this requires configuring the grails.plugin.springsecurity.gsp.layoutAuth and grails.plugin.springsecurity.gsp.layoutDenied properties in application.groovy