<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Jakob Külzer &#187; Grails JSecurity Tutorial Guide</title>
	<atom:link href="http://www.jakusys.de/blog/tag/grails-jsecurity-tutorial-guide/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.jakusys.de/blog</link>
	<description>Ninja Coding Monkey goes Canada</description>
	<lastBuildDate>Sun, 02 Jan 2011 20:12:51 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.3</generator>
		<item>
		<title>Custom Authentication Schemes with Grails and JSecurity</title>
		<link>http://www.jakusys.de/blog/2008/08/custom-authentication-schemes-with-grails-and-jsecurity/</link>
		<comments>http://www.jakusys.de/blog/2008/08/custom-authentication-schemes-with-grails-and-jsecurity/#comments</comments>
		<pubDate>Tue, 05 Aug 2008 19:47:56 +0000</pubDate>
		<dc:creator>Jakob Külzer</dc:creator>
				<category><![CDATA[Grails]]></category>
		<category><![CDATA[Grails JSecurity Tutorial Guide]]></category>

		<guid isPermaLink="false">http://www.jakusys.de/blog/?p=118</guid>
		<description><![CDATA[In my current software project a requirement is an authentication scheme consisting not of the usual user name and password, but user name, password and a store number. Each user name should be unique within a store but could occur multiple times across all stores. For several reasons I decided to implement authentication with [...]]]></description>
			<content:encoded><![CDATA[<p>In my current software project a requirement is an authentication scheme consisting not of the usual user name and password, but user name, password and a store number. Each user name should be unique within a store but could occur multiple times across all stores.</p>
<p>For several reasons I decided to implement authentication with <a title="JSecurity Plugin" href="http://www.jsecurity.org/releases/0.9.0-alpha/docs/api/org/jsecurity/authc/Account.html" target="_blank">JSecurity</a>. The Grails plugin is a great help and the quickstart brings you up to speed pretty fast.</p>
<p>As the <a title="Jsecurity Docs" href="http://www.jsecurity.org/docs" target="_blank">JSecurity documentation</a> is pretty scarce on the topic of custom authentication schemes, I'm posting my findings here in my blog. Perhaps it is useful to other developers as well (actually I would love to see some comments on this <img src='http://www.jakusys.de/blog/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' />).</p>
<p>You'll need a working Grails application and the JSecurity plugin. You can install it simply by typing <strong>grails install-plugin jsecurity</strong>. After that you should call <strong>grails quickstart</strong>, a script that creates, among other things, a couple of domain classes and controllers.</p>
<p>Before we start some terms:</p>
<p><strong>AuthenticationToken</strong>: holds authentication information for an authentication request; this is the container that holds your username/password pair, your PGP key, whatever.</p>
<p><strong>Realm</strong>: acts as the part of the authentication system that decides whether a given AuthenticationToken is confirmed and granted access.</p>
<p>The trick for the custom authentication scheme is to create a custom <a title="AuthenticationToken" href="http://www.jsecurity.org/releases/0.9.0-alpha/docs/api/org/jsecurity/authc/AuthenticationToken.html" target="_blank">AuthenticationToken</a> and a customized <a title="Realm" href="http://www.jsecurity.org/releases/0.9.0-alpha/docs/api/org/jsecurity/realm/Realm.html" target="_blank">Realm</a>. A customized token could look like this (don't tell me it's ugly code - it's not meant to be a cut'n'paste solution; it's just to get the idea!):</p>
<pre>package de.jakusys.example

import org.jsecurity.authc.AuthenticationToken

class CustomToken implements AuthenticationToken {
  String username
  String password
  Integer storeNumber

  // The principal identifies the account; store number and username together are unique,
  // so both go into it (toString() turns the GString into a plain String for JSecurity).
  public Object getPrincipal() {
    "${storeNumber}:${username}".toString() // This could be done nicer, however I do not know how... yet ;-)
  }
  // The credentials are what the realm verifies against the stored account.
  public Object getCredentials() {
    password
  }
  // ... uninteresting methods left out.
}</pre>
<p>So much for the token. That was straightforward. Now to the realm, which requires some more coding. Of course you can write your realm from scratch, implementing the interface. That, however, is quite a piece of work, so I simply modified the <strong>JsecDbRealm</strong> created by the quickstart script (again, only the important parts):</p>
<pre>import org.jsecurity.authc.AccountException
import org.jsecurity.authc.UnknownAccountException

class JsecDbRealm {
  // We need this to tell JSecurity that this realm is responsible for our custom tokens:
  static authTokenClass = de.jakusys.example.CustomToken

  def authenticate(authToken) {
    def username = authToken.username
    // In addition to the username we need the store number for retrieval from the database:
    def storeNumber = authToken.storeNumber

    // Null username is invalid
    if (username == null) {
      throw new AccountException('Null usernames are not allowed by this realm.')
    }
    // We need to check the format of the store number as well. It may arrive as a String
    // straight from the login form or already as an Integer, so convert to String first;
    // a null store number ends up in parseInt(null), which also throws NumberFormatException:
    try {
      storeNumber = Integer.parseInt(storeNumber?.toString())
    } catch (NumberFormatException ex) {
      throw new AccountException('Invalid store number.')
    }

    // Fetch the appropriate row from the database (JsecUser needs a storeNumber property
    // in addition to the username generated by the quickstart script):
    def user = JsecUser.findByUsernameAndStoreNumber(username, storeNumber)
    if (!user) {
      throw new UnknownAccountException("No account found for user [${authToken.storeNumber}:${username}]")
    }

    // From here on you can re-use the code generated by the quickstart script...
  }

  // ... more uninteresting stuff ...
}</pre>
<p>This is a most basic implementation that uses the default <a title="SimpleAccount" href="http://www.jsecurity.org/releases/0.9.0-alpha/docs/api/org/jsecurity/authc/SimpleAccount.html" target="_blank">SimpleAccount</a> class, which could be considered ugly, as it does not know anything about the store number. Depending on your needs you can create your own implementation of <a title="Account" href="http://www.jsecurity.org/releases/0.9.0-alpha/docs/api/org/jsecurity/authc/Account.html" target="_blank">Account</a> or stick to the pre-implemented variant (I still have to check whether this has any security implications).</p>
<p>With the CustomToken and the modified realm in place, the only thing to be done is modifying the login form and the AuthenticationController, but that's a piece of cake now. <img src='http://www.jakusys.de/blog/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>I hope my notes are of some use to you. If so, leave a comment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jakusys.de/blog/2008/08/custom-authentication-schemes-with-grails-and-jsecurity/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
	</channel>
</rss>

