Grails Upgrade from 2 to 4 , unable to use existing user credentials - grails

While upgrading a Grails 2 app to 4, can't we use the existing user credentials (stored in the DB)?
I have changed j_username and j_password in auth.gsp
and added
password:
    algorithm: 'SHA-256'
    hash:
        iterations: 1
dao:
    reflectionSaltSourceProperty: 'username'
in application.yml, under spring.plugin.
Nothing helps.
In the older Grails version we did not use any custom security configs; it used to be forwarded to j_spring_security_check.
Now it goes to /login/authenticate.
Apart from this I cannot see in detail what's happening.
Any suggestions on how to proceed further?

Related

Grails 3 parsing of hash map properties with "." in key not working as expected in earlier versions

We have the following property for our multi-tenant application which helps us find the tenant based on domain.
mydomains = [
    'www.google.com': 'tenant1',
    'www.abc.com': 'tenant2'
]
In Grails 2.2.4 we were able to access it as
grailsApplication.config.mydomains['www.abc.com']
It would correctly give us 'tenant2' in 2.2.4, but in Grails 3.3.7 it seems to create a map for each "." in the key, and as such we are unable to find the tenant for a given domain. Here is how the mydomains property is parsed in 3.3.7:
[www:[google:[com:tenant1], abc:[com:tenant2]]]
Is there an approach where I could get that same behavior in 3.3.7?
Instead of grailsApplication.config.mydomains['www.abc.com'] use grailsApplication.config.getProperty('mydomains.www.abc.com').
BTW... This isn't directly related to your question but there are very few situations for which referencing grailsApplication.config directly is really the best thing to do. See the article at https://objectcomputing.com/resources/publications/sett/retrieving-config-values-in-grails-3 and the video at https://objectcomputing.com/products/grails/quickcasts/runtime-config-values-grails-3 for more info. In the video I discuss some of the reasons that directly accessing grailsApplication.config isn't usually the best thing.
I hope that helps.

Store user passwords in plain text in OpenLDAP server

I am using OpenLDAP provided in the osixia/openldap docker image (https://github.com/osixia/docker-openldap), but it is storing all passwords hashed.
Normally this would be desirable, but I am planning to hash passwords on the front end (with salting and MD5) so that no person in the organization ever gets to see the users' passwords; but when I try saving them they are hashed again, and I have not found a way to prevent this behavior.
I tried deleting (using user cn=admin,cn=config) an entry that comes with the image called cn={4}ppolicy,cn=schema,cn=config, which I think may be the culprit, but ldapdelete returns Server is unwilling to perform (53).
Any help is deeply appreciated.
If you store the passwords in plain text you can retrieve them in plain text.
You just need to check in the ACL that the user you use to read them has the correct rights to do it.
The password policy entry you are talking about is just a schema definition which allows you to define a password policy but does not enforce anything. (The 53 error is because you can't remove a schema from a running OpenLDAP, to prevent removing a schema which could be used by an entry.)
According to what I can see on GitHub about the docker image you use, the ACL used is:
olcAccess: to attrs=userPassword,shadowLastChange
    by self write
    by dn="cn=admin,{{ LDAP_BASE_DN }}" write
    by anonymous auth
    by * none
This means that only the user himself or the admin account can read the password field userPassword.
It is this ACL that you need to modify to suit your needs. The ACL should be located here:
dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
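To see who the ACL quoted in the answer above actually lets read userPassword, here is an added example evaluator; it is not part of the answer or of the osixia image. It implements a simplified, first-match reading of slapd's olcAccess "by" clauses for a single attribute rule, assumes a bare dn= means an exact match, compares DNs case-insensitively, and fills the {{ LDAP_BASE_DN }} placeholder with a made-up base DN (dc=example,dc=org).

```python
import re

# Constructed: the image's rule with {{ LDAP_BASE_DN }} replaced by a made-up base DN.
BASE_DN = "dc=example,dc=org"
OLC_ACCESS = (
    "to attrs=userPassword,shadowLastChange "
    "by self write "
    f'by dn="cn=admin,{BASE_DN}" write '
    "by anonymous auth "
    "by * none"
)

# slapd access levels in increasing order; a "by" clause grants its level
# and every level below it (write implies read, auth does not).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_olc_access(rule: str):
    """Split 'to attrs=... by <who> <level> ...' into (attrs, [(who, level), ...])."""
    m = re.match(r"to\s+attrs=(\S+)\s+(.*)$", rule.strip())
    if not m:
        raise ValueError("only 'to attrs=...' rules are handled in this example")
    attrs = m.group(1).split(",")
    clauses = re.findall(r'by\s+(self|anonymous|users|\*|dn="[^"]*")\s+(\w+)', m.group(2))
    return attrs, clauses


def who_matches(who: str, requester_dn, target_dn: str) -> bool:
    """Does this 'by' selector apply to the requester? requester_dn None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith('dn="'):
        # Simplification: exact, case-insensitive DN comparison, no normalisation.
        return requester_dn is not None and requester_dn.lower() == who[4:-1].lower()
    return False


def allowed(rule: str, requester_dn, target_dn: str, attr: str, wanted: str):
    """True/False if the rule decides access to attr; None if the rule does not apply.

    As in slapd, the first matching 'by' clause decides; if it grants less than
    wanted, access is denied, and if no clause matches the implicit 'by * none' applies."""
    attrs, clauses = parse_olc_access(rule)
    if attr not in attrs:
        return None
    for who, level in clauses:
        if who_matches(who, requester_dn, target_dn):
            return LEVELS.index(level) >= LEVELS.index(wanted)
    return False


if __name__ == "__main__":
    alice = f"uid=alice,ou=people,{BASE_DN}"
    for label, requester in [("admin", f"cn=admin,{BASE_DN}"), ("alice herself", alice),
                             ("another user", f"uid=bob,ou=people,{BASE_DN}"), ("anonymous", None)]:
        print(f"{label:>14}: read userPassword -> {allowed(OLC_ACCESS, requester, alice, 'userPassword', 'read')}, "
              f"bind -> {allowed(OLC_ACCESS, requester, alice, 'userPassword', 'auth')}")
```

Run stand-alone it shows the point of the answer: the admin DN and the entry itself can read the attribute, anonymous gets only auth (enough to bind, not to read), and every other authenticated user falls through to "by * none". Whatever is stored in userPassword, hashed or not, is visible to exactly the set this evaluation admits.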

ZF2 Validation - Field required if another element is not empty

I've had experience with making custom validation in Zend Framework 2 (using version 2.0.5 at present). I'm interested in creating a change password section in an "edit profile" form. What I want to be able to do, is have 3 fields:
Current Password,
New Password,
Confirm New Password.
Then I want to validate as follows:
If a new password is set, current password must also be set (and authenticated), and confirm new password should match new password.
If a current password is set, the new password and confirm new password must also be required.
If none are set, allow the edit of the rest of the profile, so continue validation.
I think you can get the gist of what I'm after. I'm looking for a reusable way to do this using Zend Framework 2. Ideally, creating a custom validator so that the forms can be reused, though I suspect a factory approach may be better. Anything so I don't have to check it in the controller/service layer and repeat myself wherever I want to use this.
Kind Regards,
ise
You could add a custom filter, but I think this could also be done using validation groups and separately validate groups of inputs.
You could add the password fields to a separate group and only validate that group if the main password is not empty.
http://framework.zend.com/manual/2.0/en/modules/zend.input-filter.intro.html
http://framework.zend.com/manual/2.0/en/modules/zend.form.collections.html#validation-groups-for-fieldsets-and-collection

How to implement LDAP authentication in grails with spring-security-core-ldap plugin?

I am new to grails and trying to implement LDAP authentication. I was reading the official document where it says:
"There are three options for mapping LDAP attributes to UserDetails data (as specified by the grails.plugins.springsecurity.ldap.mapper.userDetailsClass config attribute) and hopefully one of those will be sufficient for your needs."
It makes it clear that you can use a custom one, but I couldn't find any information or usage about these three options. What are they and how can I use them?
They're described in section 3 on configuration: "use 'person' to create a Person, 'inetOrgPerson' to create an InetOrgPerson, or null to create an LdapUserDetailsImpl".

Problem authenticating with shiro in grails app

I have a Grails 1.2 app and I want to use declarative security in order to restrict access based on roles. I decided to try Shiro and installed the plugin, but when I try to authenticate, the message "Invalid username and/or password" shows up in the header. I checked the DB entry and the user is there with the SHA'ed password. No messages are shown in the console or in the stacktrace file. I added "warn 'org.jsecurity'" to Config.groovy with no results. Any hints/tricks to troubleshoot this?
I ran into this problem as well... how are you saving the password for the user? After running quick start I followed the example on the Shiro plugin page and added the code below to my bootstrap init method:
import org.apache.shiro.crypto.hash.Sha512Hash
def user = new ShiroUser(username: "user123", passwordHash: new Sha512Hash("password").toHex())
user.save()
I would attempt to log in and would continue to get a login failed. So I tried
def user = new ShiroUser(username:'admin', passwordHash:new Sha256Hash("admin").toHex())
user.save()
After changing from Sha512Hash to Sha256Hash... I was able to log in!
UPDATE: Just created a new app with default Shiro Plugin settings after running 'quick-start'. If you are to create a user, you are going to want to use Sha256Hash out of the box. However, you can use Sha512Hash or Sha1Hash by adding the bean to your resources.groovy file for Spring.
Example for Sha512Hash:
beans = {
    bean {
        credentialMatcher(Sha512CredentialsMatcher) {
            storedCredentialsHexEncoded = true
        }
    }
}
Did you run the quick-start? Are you using the default database realm?
I would debug through the Realm you're using and see what's going on.
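Both the Grails 2-to-4 question at the top of the page (SHA-256, one iteration, salt taken from the username) and the Shiro answer above (a Sha256Hash row that a Sha512 matcher can never verify) come down to the same check: does the hash in the database reproduce under the algorithm, salt and iteration count the new configuration declares? The following is an added example, not code from either plugin or from the posters. It assumes the Grails 2 encoder was Spring Security's MessageDigestPasswordEncoder, which digests password + "{" + salt + "}" (just the password when the salt is empty), re-digests the raw bytes iterations - 1 more times and hex-encodes the result, with reflectionSaltSourceProperty 'username' making the salt the username; it also assumes Shiro's Sha256Hash(password).toHex() is the same digest with no salt and one iteration, and that 10000 is a later plugin default worth trying.

```python
import hashlib
import hmac

# Java algorithm names as they appear in the plugin config, mapped to hashlib names.
ALGORITHMS = {"SHA-256": "sha256", "SHA-512": "sha512", "SHA-1": "sha1", "MD5": "md5"}


def legacy_digest(password: str, algorithm: str = "SHA-256",
                  salt: str = "", iterations: int = 1) -> str:
    """Hex digest in the legacy layout assumed above: digest(password{salt}),
    then re-digest the raw bytes (iterations - 1) times. With salt == "" and
    iterations == 1 this is also what Shiro's Sha256Hash(password).toHex() yields."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    name = ALGORITHMS[algorithm]
    salted = password if not salt else f"{password}{{{salt}}}"
    digest = hashlib.new(name, salted.encode("utf-8")).digest()
    for _ in range(1, iterations):
        digest = hashlib.new(name, digest).digest()
    return digest.hex()


def matches(stored_hex: str, password: str, algorithm: str = "SHA-256",
            salt: str = "", iterations: int = 1) -> bool:
    """Constant-time comparison of a stored hex hash with a recomputed one."""
    computed = legacy_digest(password, algorithm, salt, iterations)
    return hmac.compare_digest(computed, stored_hex.strip().lower())


def diagnose(stored_hex: str, password: str, username: str) -> list:
    """Report which plausible legacy configurations reproduce a stored hash.
    Run it against a test account whose password you know; the labels that
    come back are the settings the migrated config has to declare."""
    candidates = {
        "SHA-256, salt=username, 1 iteration": ("SHA-256", username, 1),
        "SHA-256, no salt, 1 iteration": ("SHA-256", "", 1),
        # 10000 iterations is assumed here to be a later plugin default.
        "SHA-256, salt=username, 10000 iterations": ("SHA-256", username, 10000),
        "SHA-256, no salt, 10000 iterations": ("SHA-256", "", 10000),
        "SHA-512, no salt, 1 iteration (Shiro Sha512Hash)": ("SHA-512", "", 1),
    }
    return [label for label, (alg, salt, it) in candidates.items()
            if matches(stored_hex, password, alg, salt, it)]


if __name__ == "__main__":
    # Constructed sample row: what Sha256Hash("admin").toHex() stores for the Shiro answer above.
    stored = legacy_digest("admin")
    print("stored:", stored)
    print("SHA-512 matcher verifies it?", matches(stored, "admin", "SHA-512"))
    print("configurations that reproduce it:", diagnose(stored, "admin", "admin"))
```

For the Shiro case the script shows why switching the bean to Sha512CredentialsMatcher breaks rows created with Sha256Hash: the stored value only reproduces under SHA-256 with no salt. For the migration case, the same check tells you whether a Grails 2 row needs the username salt or not before you touch application.yml.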
I can't help with the shiro troubleshooting, but if you're looking for a more powerful solution you might want to check out nimble. It's based on shiro and offers a lot of additional features and flexibility.
You can install the latest with:
grails install-plugin nimble 0.4-SNAPSHOT
nimble documentation
