Grails Spring Security Core 3.2.0.M1 - secure annotations not working - spring-security

I have upgraded Grails and Spring Security to latest (3.3.0.RC1 and 3.2.0.M1 respectively) by following all of the migration paths but now my annotations no longer work. Control follows through to my not authorised callback (grails.plugin.springsecurity.adh.errorPage).
I have my own list of enum-backed Permissions that I use to populate my list of authorities, which are being correctly loaded for my user object, but they no longer work in my annotations using the hasRole expression as follows:
@Secured(["hasAnyRole('PERM_VIEW_REPORTS')"])
Other expressions are working fine, such as the following:
@Secured("authentication.name == 'sys_admin'")
@Secured("hasRole('PERM_VIEW_REPORTS')")
I don't suppose anyone has had any similar experience with the latest Spring Security release for Grails? Remember the above worked perfectly until I upgraded, but I don't see anything in the migration path that suggests there might be a problem with this system.
Thanks in advance for any suggestions.

This came down to the "ROLE_" prefix being mandatory again in the new Spring Security 3.2.0.M1 release. As can be seen from above, I had been using a "PERM_" prefix up to now to indicate that I'm using a permission-based instead of role-based paradigm.
I'm hoping to add this to the migration guide for the plugin as it's a major omission AFAIC. I would hope this would become a configuration option for the plugin in a future release.
EDIT:
It turns out Spring Security have introduced new methods hasAuthority() and hasAnyAuthority() which do not use the default role prefix and so can be used in place of hasRole() and hasAnyRole().
I have forked and updated the Spring Security docs for 3.2 and sent a pull request.
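The prefix behaviour described in this answer, as an added example that is not part of the original post or the plugin's code: a stand-alone Groovy script that calls the expression methods directly. It assumes spring-security-core 4.2.3.RELEASE can be fetched with @Grab; `DemoRoot` and `PERM_EDIT_REPORTS` are hypothetical names made up for the demonstration.

```groovy
// Added example, not from the original post. Assumes spring-security-core 4.2.3.RELEASE.
@Grab('org.springframework.security:spring-security-core:4.2.3.RELEASE')
import org.springframework.security.access.expression.SecurityExpressionRoot
import org.springframework.security.authentication.TestingAuthenticationToken
import org.springframework.security.core.Authentication

// SecurityExpressionRoot is abstract; an empty subclass (hypothetical name) is
// enough to call the methods that expressions such as hasRole(...) invoke.
class DemoRoot extends SecurityExpressionRoot {
    DemoRoot(Authentication a) { super(a) }
}

// Constructed user with a permission-style authority, as in the question.
def auth = new TestingAuthenticationToken('sys_admin', 'n/a', 'PERM_VIEW_REPORTS')
def root = new DemoRoot(auth)

// hasRole()/hasAnyRole() prepend the default "ROLE_" prefix, so these look for
// ROLE_PERM_VIEW_REPORTS, which the user does not hold.
assert !root.hasRole('PERM_VIEW_REPORTS')
assert !root.hasAnyRole('PERM_VIEW_REPORTS', 'PERM_EDIT_REPORTS')

// hasAuthority()/hasAnyAuthority() compare the granted authority verbatim.
assert root.hasAuthority('PERM_VIEW_REPORTS')
assert root.hasAnyAuthority('PERM_VIEW_REPORTS', 'PERM_EDIT_REPORTS')

// A name that already starts with the prefix is not prefixed a second time.
def roleUser = new DemoRoot(new TestingAuthenticationToken('u', 'n/a', 'ROLE_USER'))
assert roleUser.hasRole('ROLE_USER') && roleUser.hasRole('USER')

println 'hasRole needs ROLE_*; hasAuthority matches PERM_* as granted'
```

In a controller the equivalent annotation is @Secured("hasAuthority('PERM_VIEW_REPORTS')"). After an upgrade like this one, an expression that silently stops matching fails closed, so re-test every access rule that uses a non-ROLE_ authority name.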

Please try with
@Secured('ROLE_USER')
If you're trying to secure with more than one role:
@Secured(['ROLE_USER','ROLE_ADMIN'])

Related

Configuring different target URLs after login according to user roles (grails spring security) grails 2.3.3 spring-security-core:2.0-RC2

I am trying the common issue of configuring different URLs according to Roles using grails 2.3.3 and spring security spring-security-core:2.0-RC2.
I've found the following posts:
first post and a
modification in a second post http://desmontandojava.blogspot.com/2013/08/grails-tip-different-url-depending-on.html
but none of them work for my version; references didn't work for my version or packages are different now. They are all based on Burt Beckwith's excellent presentation about hacking the Spring Security plugin, but they seem to be outdated. Has anyone tried this with a recent version of Grails and spring-security-core spring-security-ui?
I also tried the simple version of simply asking in a controller for the role and redirecting but it didn't work either, it had an odd behavior.
This link worked for me: http://desmontandojava.blogspot.com/2013/08/grails-tip-different-url-depending-on.html
But only after I commented out this line in UrlMappings.groovy:
// "/"(controller:"console", action:"myaction")
I was able to accomplish the task; however, I had a problem: when logged out, the application was redirected to root and I did not have index.gsp, so there was an error. The only thing I did then was add this property to Config.groovy:
grails.plugin.springsecurity.logout.afterLogoutUrl='/login/auth'

How to convert existing Eclipse-based web application to Spring security

I have an existing, Eclipse-based web servlet application that authenticates using HTTP basic authentication. I am looking to convert this to Spring-based security. I understand what has to be done programmatically, but am having problems with the details of configuring the project itself in Eclipse. I am using the Spring STS toolkit, and I am able to successfully import one of the Spring Security sample apps (openid-xml) and it works fine.
My existing application also works properly when run under STS, but without Spring support.
I would like a recommendation for either a tutorial on making this conversion, or some useful advice. For example, is it easier to
a) create a new Spring application and try to migrate my existing code into it, or b) try to convert my code by importing the various Spring libraries, etc.? c) convert my existing app to use Maven instead of Eclipse (Spring just doesn't seem to want to work without Maven, and I am at a loss here) - naturally, I have no idea how to do this.
Any advice will be most gratefully received, after a day of hit and miss frustration.
I have answered my own question, and will try to provide some details for those who may be having the same problem.
First, there is some relatively useless info available on stackoverflow, but some good stuff as well.
This (https://stackoverflow.com/a/14867188/1374167) is completely wrong. It is certainly possible to secure a servlet with Spring Security. The trick is to realize that you are going to have to use Maven and Gradle to build the libraries for Spring and Spring Security.
Once you have built these jar files, you simply import them into Eclipse (it doesn't really seem to matter which version) and set up your web.xml and security constraints.
I used this project as a starting point. It's not perfect, but it got me on the right track, after I updated the spring and spring security jar files. The full blog post is here
I had a frustrating experience getting to this point but I hope this information will help others. It's quite simple once you understand what to do.

Spring-Security-UI

This is the first time I have attempted to use Spring Security UI in my Grails application.
I am currently using Spring Security Core and it works fine but I like the ideas of the UI plugin.
I have read through the documentation and I cannot see any single command to run to set everything up with default values. Keeping in mind I have Spring Security Core already running.
Can anyone please help me out?
Thanks
You just need to override your auth view using
grails s2ui-override auth

Grails - Spring security core and spring security ui plugin inconsistency- unable to login with a newly created user

I'm using Spring Security Core plugin 1.2.7.2 and Spring Security UI 0.2 versions for my application.
I couldn't log on using the credentials I created. The new user is in the database. I looked around and read about double password encryption issues going on between the core and UI plugins. The issue is still persisting. I got it working by commenting out the beforeInsert/beforeUpdate methods in the User domain class. I was wondering if the issue is fixed in the new version?
Is there a different workaround for this? Please advise.
Thanks much
There's a setting for this in the latest release (0.2) - see the grails.plugins.springsecurity.ui.encodePassword setting in the "Password Encryption" section in section 10 of the docs: http://grails-plugins.github.com/grails-spring-security-ui/docs/manual/

Grails - Acegi: Customize Authentication Method

I want to change the authentication process that is used by the Acegi - Plugin. It should be a completely customized process. Custom login form + custom auth method.
Obviously there is only little documentation regarding this topic.
In the book The Definitive Guide to Grails it is described for an older version of grails. There the spring/resources.xml is used.
In the new version is a spring/resources.groovy file, where a DSL is used. I don't know how to configure a new AuthenticationManager.
How can I do this?
In respect to the form, you should have an auth.gsp under /grails-app/views/login. In respect to authentication, you probably only need to inject a different AuthenticateService in LoginController, which is under /grails-app/controllers/.
