source: trunk/grails-app/conf/SecurityConfig.groovy @ 807

security {

    def authenticateService

        // See DefaultSecurityConfig.groovy for all settable/overridable properties

        active = true

        loginUserDomainClass = "Person"
    userName = 'loginName'
    password = 'password'
    enabled = 'isActive'

        authorityDomainClass = "Authority"

    // Required if we want to run "grails generate-manager"
    // Which recreates the controller and views, so save the views!
//     requestMapClass = 'Requestmap'

    // The whole application relies on controllerAnnotations and the static rules bellow.
    useRequestMapDomainClass = false
    useControllerAnnotations = true

    // Set true especially if used across the internet.
    forceHttps = 'false'

    // Pessimistic locking, deny access to all URLs that don't 
    // have an applicable URL-Role configuration.
    // This forces us to set an annotation, static rule or
    // extend BaseController and prevents accidentally leaving pages open.
    controllerAnnotationsRejectIfNoRule = true

    // Static rules for controllers, actions and urls.
    // Since we are using pessimistic locking we have to set some things
    // here but most security should be set in the controllers.
    controllerAnnotationStaticRules = [
    '/': ['IS_AUTHENTICATED_FULLY'],
    '/index.gsp': ['IS_AUTHENTICATED_FULLY'],
    '/css/*': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/plugins/**': ['IS_AUTHENTICATED_FULLY'],
    '/plugins/*/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/plugins/*/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/plugins/*/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/classDiagram*': ['IS_AUTHENTICATED_FULLY'],
    '/classDiagram/**': ['IS_AUTHENTICATED_FULLY'],
    '/login*': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/logout*': ['IS_AUTHENTICATED_FULLY'],
    '/logout/**': ['IS_AUTHENTICATED_FULLY'],
    '/image*': ['IS_AUTHENTICATED_FULLY'],
    '/image/**': ['IS_AUTHENTICATED_FULLY'],
    '/reports*': ['IS_AUTHENTICATED_FULLY'],
    '/reports/**': ['IS_AUTHENTICATED_FULLY'],
    '/jasper*': ['IS_AUTHENTICATED_FULLY'],
    '/jasper/**': ['IS_AUTHENTICATED_FULLY']
    ]

    // Always call the welcome action so that bookmarks are not used, a
    // welcome message can be populated and the sessionTimeout can be set.
    defaultTargetUrl = '/appCore/welcome'
    alwaysUseDefaultTargetUrl = true

    // User caching, turned this off so that password changes take effect.
    // It would appear that user is still in the session as logout/login
    // is still required for role changes to take effect.
    // If this option causes high database load try:
    //  import org.acegisecurity.providers.dao.DaoAuthenticationProvider
    //  import org.acegisecurity.context.SecurityContextHolder
    //  DaoAuthenticationProvider daoAuthenticationProvider 
    //  def user = SecurityContextHolder.context.authentication.principal.username 
    //  daoAuthenticationProvider.userCache.removeUserFromCache(user)
    //  in logout controller and perhaps on password change and role change.
    cacheUsers = false

//    // Listen for events and run the closure(s) that follow.
//    // Unfortunately the session is not available yet so many things can't be done here, use a defaultTargetUrl and controller.
//    useSecurityEventListener = true
//
//    onAuthenticationSuccessEvent = { e, appCtx ->
//        def p = e.source.principal
//        def personInstance = Person.findByLoginName(p.username)
//        println p.username
//        println personInstance.loginName
//        println personInstance.firstName
//    }

}