Refactoring grails application to use Shiro plugin instead of Spring Security (acegi)

I have been working on a small Grails based application for a while and recently wanted to integrate Facebook Open Graph, giving users the ability to log in to, or register for, an account on my application with their Facebook account in addition to the standard registration process.

The application originally used Spring Security as the security layer, but due to its poor Facebook support I had to search for an alternative. I investigated writing custom authentication providers and wrote to the Spring Security maintainers, but in the end had to make a switch. During my search I came across a good blog post on Grails Facebook integration using JSecurity, now known as the Apache Shiro project.

The article does a great job of giving step-by-step instructions on how to approach the problem. Following it, I was able to integrate the Facebook Open Graph API with Apache Shiro and get the core functionality I was after.

One of the main advantages I found in Shiro over Spring Security is how instance-based permissions are handled. Instead of writing your own permission logic, you store permissions per user as plain strings in Shiro's wildcard format (domain:action:instance), and Shiro does the matching for you.

Instance-based permissions are the most granular form of authorization: they restrict access to one specific object according to defined criteria, most commonly the object's id.
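As an added example (not code from the original post), here is how those per-user strings behave under Shiro's WildcardPermission matching, including the instance-level case and the caveat that a string with no instance part grants every instance. The domain names, actions and ids are made up for illustration.

```groovy
// Added example, not from the original post: Shiro WildcardPermission matching
// over the kind of plain permission strings stored per user. The domains
// ("account", "post"), actions and ids are assumptions for illustration.
import org.apache.shiro.authz.permission.WildcardPermission

// Permission strings as they would be stored on a user record: domain:action:instance
List<String> userPermissions = [
    'account:view:*',   // may view any account
    'account:edit:42',  // may edit only account 42
    'post:*:42'         // may do anything to post 42
]

// This is what Shiro does behind subject.isPermitted(): resolve every stored
// string to a WildcardPermission and ask whether any of them implies the one
// being requested.
boolean isPermitted(List<String> granted, String required) {
    def wanted = new WildcardPermission(required)
    granted.any { new WildcardPermission(it).implies(wanted) }
}

assert isPermitted(userPermissions, 'account:view:7')      // wildcard instance
assert isPermitted(userPermissions, 'account:edit:42')     // exact instance
assert !isPermitted(userPermissions, 'account:edit:7')     // wrong instance
assert !isPermitted(userPermissions, 'account:delete:42')  // action not granted
assert isPermitted(userPermissions, 'post:delete:42')      // wildcard action
assert !isPermitted(userPermissions, 'post:delete:43')     // wrong instance

// Caveat: a missing trailing part means "all". 'account:edit' implies
// 'account:edit:42' and 'account:edit:7' alike, so when you intend an
// instance-level grant, always store the instance part.
assert new WildcardPermission('account:edit').implies(new WildcardPermission('account:edit:7'))
// The reverse is not true: an instance-level grant never widens to the whole domain.
assert !new WildcardPermission('account:edit:42').implies(new WildcardPermission('account:edit'))
```

In the Grails application the same check is `SecurityUtils.getSubject().isPermitted('account:edit:42')`, with the strings coming from the realm's lookup of the current user.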

Here is a breakdown of the changes needed to convert from Spring Security to Apache Shiro.

Getting current user

Spring Security

def principal = SCH?.context?.authentication?.principal

Will need to be changed to:


import org.apache.shiro.SecurityUtils

def subject = SecurityUtils.getSubject()

Checking if user is logged in

Spring Security

if(principal == 'anonymousUser'){}

will need to be changed to



Creating account by getting username

Spring Security

def account = Account.findByUsername(principal.username)

will need to be changed to


Account account = Account.findByUsername(subject?.getPrincipal())

Saving a user password

Spring Security


will need to be changed to


import org.apache.shiro.crypto.hash.Sha512Hash

// Hashes the password once with no salt. For stored credentials, pass a
// per-user salt and an iteration count: new Sha512Hash(password, salt, iterations)
new Sha512Hash('password').toHex()

In addition, I will need to change the role logic: in Shiro, URL-level role and permission checks are enforced by its filters, whereas in the Spring Security setup the roles were saved in the database. The realm still has to look up each user's roles and permissions for those filters to have anything to check.
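The conversion steps above, as one runnable Groovy example that is added here and is not the original post's code: it covers getting the Subject, the logged-in check, looking up the account by principal, and saving the password, and it replaces the plain `new Sha512Hash('password').toHex()` with a salted, iterated hash that Shiro's HashedCredentialsMatcher verifies at login. The AccountRealm class, the in-memory accounts map, the user 'mike', the permission string and the iteration count are assumptions standing in for the Grails Shiro plugin's realm and the Account domain class.

```groovy
// Added example, not code from the original post: the Shiro side of the
// conversion wired together so it runs stand-alone. The "accounts" map stands
// in for the Account domain class; the class, user, permission and iteration
// count below are assumptions for illustration.
import org.apache.shiro.SecurityUtils
import org.apache.shiro.authc.AuthenticationInfo
import org.apache.shiro.authc.AuthenticationToken
import org.apache.shiro.authc.IncorrectCredentialsException
import org.apache.shiro.authc.SimpleAuthenticationInfo
import org.apache.shiro.authc.UnknownAccountException
import org.apache.shiro.authc.UsernamePasswordToken
import org.apache.shiro.authc.credential.HashedCredentialsMatcher
import org.apache.shiro.authz.AuthorizationInfo
import org.apache.shiro.authz.SimpleAuthorizationInfo
import org.apache.shiro.codec.Hex
import org.apache.shiro.crypto.SecureRandomNumberGenerator
import org.apache.shiro.crypto.hash.Sha512Hash
import org.apache.shiro.mgt.DefaultSecurityManager
import org.apache.shiro.realm.AuthorizingRealm
import org.apache.shiro.subject.PrincipalCollection
import org.apache.shiro.util.ByteSource

class Passwords {
    // Assumed iteration count; raise it as far as login latency allows.
    static final int HASH_ITERATIONS = 100000

    // Saving a password: instead of new Sha512Hash('password').toHex(), add a
    // random per-user salt and key stretching. Store both hash and salt.
    static Map hash(String plaintext) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes()
        String hex = new Sha512Hash(plaintext, salt, HASH_ITERATIONS).toHex()
        [passwordHash: hex, passwordSalt: salt.toHex()]
    }
}

// Realm: the job the Grails Shiro plugin's realm does against the Account
// table, done here against a map keyed by username.
class AccountRealm extends AuthorizingRealm {
    Map accounts

    AccountRealm(Map accounts) {
        this.accounts = accounts
        // Must mirror how Passwords.hash() hashed: same algorithm, iterations, encoding.
        def matcher = new HashedCredentialsMatcher(Sha512Hash.ALGORITHM_NAME)
        matcher.hashIterations = Passwords.HASH_ITERATIONS
        matcher.storedCredentialsHexEncoded = true
        credentialsMatcher = matcher
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).username
        def account = accounts[username]
        if (!account) throw new UnknownAccountException("No account for " + username)
        // Hand Shiro the stored hash and salt; the matcher recomputes and compares.
        new SimpleAuthenticationInfo(username, account.passwordHash,
            ByteSource.Util.bytes(Hex.decode(account.passwordSalt)), getName())
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        def account = accounts[principals.primaryPrincipal as String]
        def info = new SimpleAuthorizationInfo()
        info.addStringPermissions(account?.permissions ?: [])   // plain strings, per user
        info
    }
}

// --- constructed sample data, standing in for rows in the Account table ---
def accounts = [mike: Passwords.hash('correct horse battery staple') + [permissions: ['account:edit:42']]]
SecurityUtils.setSecurityManager(new DefaultSecurityManager(new AccountRealm(accounts)))

// Getting the current user (replaces SCH?.context?.authentication?.principal)
def subject = SecurityUtils.getSubject()

// Checking if the user is logged in (replaces principal == 'anonymousUser')
assert !subject.isAuthenticated()
subject.login(new UsernamePasswordToken('mike', 'correct horse battery staple'))
assert subject.isAuthenticated()

// Looking up the account by username (replaces Account.findByUsername(principal.username))
String username = subject.getPrincipal()
assert accounts.containsKey(username)

// Instance-level permission checks against the strings the realm returned
assert subject.isPermitted('account:edit:42')
assert !subject.isPermitted('account:edit:7')
subject.logout()

// A wrong password is rejected by the salted, iterated matcher
try {
    SecurityUtils.getSubject().login(new UsernamePasswordToken('mike', 'wrong'))
    assert false, 'login should have failed'
} catch (IncorrectCredentialsException expected) { }
```

Run it as a Groovy script with shiro-core on the classpath. In the Grails application the plugin supplies the SecurityManager and the realm, so what carries over is the Passwords hashing step, the matcher configuration, and the isAuthenticated / getPrincipal / isPermitted calls in place of the Spring Security ones.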


4 thoughts on “Refactoring grails application to use Shiro plugin instead of Spring Security (acegi)”

  1. Les Hazlewood

    Hi Mike,

    This is a really nice writeup – well articulated, and a pleasure to read. Thanks so much for sharing with us! How are things going now that you’ve had time to dig in a little more?

    Best regards,

    (Apache Shiro team member)

