Friday, December 13, 2013

My simple approach to security tokens

I'm a big fan of the spring-security plug-in series for Grails. It lets me handle almost any security requirement while giving me confidence that it works properly. One scenario I ran into recently, however, was not covered. To secure my JSON web-service actions I couldn't rely on Spring Security alone. Instead I wanted to create unique links, just like Google's Picasa does when you share an image with a third party who does not necessarily have a Picasa account like you do. I decided to implement this in a very simple fashion: I added a field String uuid to the domain class in question. Then I added a service class:
class SecurityTokenService {
    // Returns the share token for the object, creating it on first use.
    // The token is a random UUID, so it cannot be guessed from the object's id.
    def getSecurityToken(SomeDomainClass sdc) {
        if (!sdc) {
            return null
        }
        if (!sdc.uuid) {
            sdc.uuid = UUID.randomUUID().toString()
            sdc.save(flush: true)
        }
        return sdc.uuid
    }
}
Then all I needed to do was modify the controller actions like this:
// Access is granted to authenticated users, or to anyone presenting the
// object's share token. Without a token and without a login, deny.
private def accessAllowed = { securityToken, uuid ->
    // check if the user is authenticated
    if (!springSecurityService.isLoggedIn()) {
        // alternatively check if a valid security token is provided
        if (!securityToken || securityToken != uuid) {
            return false
        }
    }
    return true
}

def someAction = {
    def someObject = SomeObject.get(params.id)
    // an unknown id must not reach the token check (someObject.uuid would throw)
    if (!someObject) {
        render status: 404
        return
    }
    if (accessAllowed(params.securityToken, someObject.uuid)) {
        // do stuff
    }
    else {
        render status: 403
    }
}
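To make the check concrete, here is the same issue-then-compare flow written out in Python, as an added example that is not part of the original post or of the Grails plug-in. It keeps the post's contract (a token is created lazily and stored on the object; a logged-in user always passes; otherwise the presented token must match) and adds the two hardening steps a reviewer would ask for: an object that was never shared rejects an empty token instead of matching it, and the comparison is constant-time so a match cannot be probed one character at a time. `SomeObject`, the `DB` dictionary and the `params` dictionary are constructed stand-ins for the Grails domain class, `SomeObject.get(id)` and the request parameters; `secrets.token_urlsafe(32)` plays the role of `UUID.randomUUID()`.

```python
import hmac
import secrets


class SomeObject:
    """Constructed stand-in for the Grails domain class; `uuid` is the post's share-token field."""

    def __init__(self, obj_id):
        self.id = obj_id
        self.uuid = None


# Constructed in-memory "database", standing in for SomeObject.get(params.id).
DB = {1: SomeObject(1), 2: SomeObject(2)}


def get_security_token(sdc):
    """Same contract as the post's SecurityTokenService.getSecurityToken:
    create the token on first use, then keep returning the stored one.
    secrets.token_urlsafe(32) yields 256 random bits, the role UUID.randomUUID() plays in the post."""
    if sdc is None:
        raise ValueError("cannot issue a token for a missing object")
    if not sdc.uuid:
        sdc.uuid = secrets.token_urlsafe(32)
    return sdc.uuid


def access_allowed(logged_in, security_token, stored_token):
    """Mirror of the post's accessAllowed closure, with two changes:
    a missing stored token is a deny (an object that was never shared must not
    accept an empty token), and the comparison is constant-time."""
    if logged_in:
        return True
    if not security_token or not stored_token:
        return False
    return hmac.compare_digest(security_token.encode("utf-8"),
                               stored_token.encode("utf-8"))


def some_action(params, logged_in=False):
    """Mirror of the post's controller action; returns the HTTP status it would render.
    An unknown id gives 404 instead of a NullPointerException on someObject.uuid."""
    some_object = DB.get(params.get("id"))
    if some_object is None:
        return 404
    if access_allowed(logged_in, params.get("securityToken"), some_object.uuid):
        return 200  # "do stuff" would happen here
    return 403


if __name__ == "__main__":
    link_token = get_security_token(DB[1])
    print("share link: /someAction?id=1&securityToken=" + link_token)
    print(some_action({"id": 1, "securityToken": link_token}))  # 200, token matches
    print(some_action({"id": 1, "securityToken": "guess"}))     # 403, wrong token
    print(some_action({"id": 2, "securityToken": ""}))          # 403, object never shared
    print(some_action({"id": 9, "securityToken": link_token}))  # 404, unknown id
    print(some_action({"id": 2}, logged_in=True))               # 200, authenticated user
```

Because the token lives in the object itself, every recipient of the link holds the same secret and there is no way to revoke one person's access without invalidating the link for everyone; that is the trade-off of the one-field design, and it is worth keeping in mind when deciding whether it is "safe enough" for a given use.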
I would like to hear what you think about this approach. Is it safe enough? Is there a more elegant solution?
