Upgrading to grails 4, sessionRegistry.getAllPrincipal() is always empty.
The original spring bean in resources.groovy were
sessionRegistry(SessionRegistryImpl)
concurrentSessionFilter(ConcurrentSessionFilter){
sessionRegistry = sessionRegistry
expiredUrl = '/login'
}
As this was no longer working I tried updating resources.groovy to
sessionRegistry(SessionRegistryImpl)
registerSessionAuthenticationStrategy(RegisterSessionAuthenticationStrategy, ref(sessionRegistry))
sessionFixationProtectionStrategy(SessionFixationProtectionStrategy)
concurrentSessionControlAuthenticationStrategy(ConcurrentSessionControlAuthenticationStrategy, ref(sessionRegistry)){
maximumSessions=1
exceptionIfMaximumExceeded=true
}
compositeSessionAuthenticationStrategy(CompositeSessionAuthenticationStrategy,
[ref(registerSessionAuthenticationStrategy),ref(sessionFixationProtectionStrategy),ref(concurrentSessionControlAuthenticationStrategy)])
All of those beans are from the org.springframework.security.web.authentication.session package.
I've added names to grails.plugin.springsecurity.providerNames as well
The DaoAuthenticationProvider is extended by a custom auth provider. Login and logout works fine, but the principals never get registered in the upgraded app. Do I need register them manually (sessionRegistry.registerNewSession())?
There are old answers that say to use grails install-templates and then edit the web.xml in src/templates/war. However in grails 4, install-templates didn't generate war/web.xml
I tried adding it a /WEB-INF/web.xml, but still no luck.
I think you're missing the sessionAuthenticationStragegy bean definition, try removing the compositeSessionAuthenticationStrategy line and replace it with:
sessionAuthenticationStrategy(CompositeSessionAuthenticationStrategy, [ref('concurrentSessionControlAuthenticationStrategy'), ref('sessionFixationProtectionStrategy'), ref('registerSessionAuthenticationStrategy')])
This is the only difference I see between your code and mine, which is working with Grails 4.
Related
Is it possible to register a Session Listener (implementation of HttpSessionListener) as a Spring Bean.
My working implementation adds the listener to the servlet contexts in BootStrap.groovy
def init = { servletContext ->
servletContext.addListener(userLoginSessionListener)
}
but this causes my integration tests to fail with an UnsupportedOperationException (will create another question for this)
Now I have the following in resources.groovy
userLoginSessionListener(UserLoginSessionListener)
but now my sessionCreated and sessionDestroyed methods are no longer being triggered.
Had to go down the old fashioned route.
Removed the bean definition and BootStrap.groovy config and added the listener via the eventWebXmlEnd handler in _Events.groovy which played well with our integration tests.
<listener>
<listener-class>com.example.UserLoginSessionListener</listener-class>
</listener>
I'm trying to secure a spring-boot web application using spring security and spring-security-cas (SSO with Jasig CAS).
I'm facing a too many redirects error when trying to access a protected resources. The project is available here
Do you see any error in my configuration?
Thanks in advance
redirect loop error screenshot
Finally found out the error:
In SpringSecurity 4.x, CasAuthenticationFilter's defaultFilterProcessesUrl path is changed. So Change '/j_spring_cas_security_check' to '/login/cas' in Configuration.
So in my application.properties file, i had to change
app.service.security=http://localhost:7777/j_spring_cas_security_check
to
app.service.security=http://localhost:7777/login/cas
So the ServiceProperties Bean would become
#Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService("http://localhost:7777/login/cas");
serviceProperties.setSendRenew(false);
return serviceProperties;
}
Hope it'll help someone else!
I'm getting ready to implement the Spring Security UI plugin (we've already implemented the Spring Security Core plugin). I know the core plugin has support for users, roles, and groups, however, I don't see any mention of groups in the Spring Security UI plugin's documentation. Does Spring Security UI plugin not support creating, edition, etc. groups? Anyone tried adding this functionality?
A late response, but I had the same question so I thought I would just try it.
I have just attempted this myself and I believe the the answer is No. (out of the box)
The spring security ui plugin doesn't take the groups into consideration. If you try to edit a user
myapp/user/edit/1
you will recieve some sort of error like:
Class groovy.lang.MissingPropertyException
Message
No such property: authority for class: com.myapp.security.SecGroup Possible solutions: authorities
I'm curious if you found a way around this? Or we will have to customize the the plugin.
As Julian noted the UI doesn't provide support for groups out of the box. To avoid the error you can do the following (customize the plugin):
Copy the User controller into your project to override the plugin's controller:
grails s2ui-override user <your-package-for-controller>
Copy the "buildUserModel" from the plugin code in UserController and edit the userRoleNames field:
import grails.plugin.springsecurity.SpringSecurityUtils
class UserController extends grails.plugin.springsecurity.ui.UserController {
protected Map buildUserModel(user) {
...
// Added so that when using groups doesn't cause an error
Set userRoleNames
if (SpringSecurityUtils.securityConfig.useRoleGroups) {
String groupAuthorityFieldName = SpringSecurityUtils.securityConfig.authority.groupAuthorityNameField
userRoleNames = user[authoritiesPropertyName].collect { it[groupAuthorityFieldName].collect { it[authorityFieldName] } }
} else {
userRoleNames = user[authoritiesPropertyName].collect { it[authorityFieldName] }
}
...
}
I'm running my app in development environment.
Using this simple controller:
class MyController {
def index() {
redirect uri: '/'
}
}
I'm getting redirected to http://localhost:8080/[:]/ location for some reason.
$appName seems good inside Config.groovy. grails.serverURL looks also OK.
What's the problem?
UPDATE 1
I'm using grails 2.2.4
UPDATE 2
The problem is with invalid grails.serverURL value. When I'm debugging the app, it has a correct value inside Config.groovy. When I'm printing out this value from servlet method it's set to http://localhost:8080/[:]/ for some reason. I'm using Spring Security Core 1.2.7.3 and Spring Security UI 0.2, I think that for some reason grails.serverURL is overwritted inside this plugin.
How to fix it?
The answer was simple. I've included MyConfig.groovy inside Config.groovy like this:
grails.config.locations = [ "classpath:${appName}-config.properties",
"classpath:${appName}-config.groovy",
MyConfig,
"file:${userHome}/.grails/${appName}-config.properties",
"file:${userHome}/.grails/${appName}-config.groovy"]
there was also environments.production, environments.development and environments.test sections however, $appName is undefined there. I've removed setting of grails.serverURL from MyConfig.groovy and its worked now.
I am (finally) upgrading my Acegi plugin to Spring Security Core. At the same time, I am upgrading from Grails 1.3.7 to 2.0. My site was fully functional before, but now when I try to get to my default page (which is IS_AUTHENTICATED_ANONYMOUSLY) I am redirected to the auth action of my LoginController. This method was never invoked with Acegi, so I don't know what the problem is. Have I set up my configuration wrong or is there something else I need to be thinking about?
grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap
grails.plugins.springsecurity.interceptUrlMap = [
'/blog/**':['IS_AUTHENTICATED_ANONYMOUSLY'],
'/static/**':['IS_AUTHENTICATED_ANONYMOUSLY'],
'/consensus/**':['IS_AUTHENTICATED_FULLY'],
'/login/**':['IS_AUTHENTICATED_ANONYMOUSLY'],
'/signup/**':['IS_AUTHENTICATED_ANONYMOUSLY'],
'/home/**':['IS_AUTHENTICATED_FULLY'],
'/test/**':['ROLE_ADMIN'],
'/admin/**':['ROLE_ADMIN'],
'/adminmanage/**':['ROLE_ADMIN'],
'/quartz/**':['ROLE_ADMIN'],
'/**/*.css':['IS_AUTHENTICATED_ANONYMOUSLY'],
'/js/**':['IS_AUTHENTICATED_ANONYMOUSLY'],
'/images/**':['IS_AUTHENTICATED_ANONYMOUSLY'],
'/monitoring**':['ROLE_ADMIN'],
'/**':['IS_AUTHENTICATED_FULLY']
]
My UrlMappings.groovy is:
class UrlMappings {
static mappings = {
"/"(controller:"x", action:"y")
"/z/?"(controller:"x", action:"y")
"/$controller/$action?/$id?"
{
constraints {
// apply constraints here
}
}
"500"(view: '/error')
}
}
I have been reading through the documentation but am having some problems, so I am not sure if there is more relevant code one would need to see. If there is, please let me know and I will add it. Thanks.
Other options in my Config.groovy were incorrect and this caused the problem. Once I corrected them everything worked fine.
Despite it being called out in the documentation, I had security fields that were not prepended with grails.plugins.springsecurity This caused the engine not to recognize them, which for some reason resulted in the call to auth.
After remove openid plugin all requests redirects me to the login page! I don't know what to do... I've already remove everything related.