Grails security plugin: avoid cache control response header - grails

I am using the Grails Security Plugin in my application and I really appreciate it.
Spring security automatically adds several headers to the https responses in order to avoid the caching of sensitive pages in the browser cache. I would like to disable that for non-confidential information like, for instance, fonts.
Native Spring security allows that through the <http>, <headers> and <cache-control disabled="true"> configuration elements.
While that would be simple with an XML config, I can't figure out the way to add the equivalent of to the configuration of the security plugin. Any hints?
I am using Grails 3.2.9, and security plugin 3.1.1.

Related

Grails 2.3.7 HTTPS disable resource hashing for a particular file

I use HAProxy for load-balancing and ssl termination. Behind it I have several Grails apps, one of which is a sort of CMS for semi-technical users.
Problem
When the user links to a Javascript library in the CMS like this:
<link href="/js/fancybox/jquery.fancybox-1.3.4.css" rel="stylesheet" type="text/css" />
They get redirected by Grails to the hashed version:
http://test.com/static/qnzsUX0FP3vbKVmIdNgR3SKbHRAuosgVLRMgegqUyzc.js
The issue is that the browser sees the redirect to an insecure page, and doesn't actually load the javascript.
How do I allow users to access the resources under /web-app/js without having them redirected to the hashed version?
What I think I need is either:
1) Some way of telling Grails that it either should not redirect to the hashed static version via some kind of parameter in the url (?hash=no), it should just serve the Javascript file.
2) Or the request should redirect to the https or http version, depending on what protocol accessed it.
Environment
I am using Grails version 2.3.7 and resources 1.2.7.
I do like the benefits that the hashing provides, and it works well anywhere I can use the resource plugin, but would like to skip it in these specific instances.
Updating to Grails 2.4.2 and using the asset pipeline plugin would likely solve this, but also take more time than I want to spend debugging Javascript right now.

How can I enable/disable Kerberos authentication in a Grails application with a single code base?

We have a product developed in grails 1.3.7 that supports Kerberos and ADS/LDAP authentication. The application is deployed in different environments. Some deployments are running as SaaS. The SaaS deployments don't require kerberos authentication. There is a dummy keytab file placed within the application and the same credentials are configured in the config.groovy as default to start the application without failing (if they are missing, the application will not start). This blog helped me a lot while integrating kerberos.
The authentication is working fine in all cases. Some customers accessing the SaaS application from their intranet domain are complaining of extreme slowness (3-5 minutes) in the response after kerberos integration. When they access it from outside the domain, it seems to be pretty faster. Mostly they are using the IE browser. But when I tested the same from our domain, I don't see any issue. It loads in 5-7 seconds. So I am not sure if this is something related to their IE configuration or security policy?
Now I want to disable the Kerberos authentication in the application for specific deployments only. I don't want to keep two versions of the code. But I don't see any configuration with spring-security-kerberos plugin to do so.
Spring Security plugins used in the app are
spring-security-core=1.1.2
spring-security-kerberos=0.1
spring-security-ldap=1.0.5
Is it possible to enable/disable kerberos authentication for specific deployment alone or do I need to have 2 versions with and without kerberos?
Will any IE configuration help to solve this?
In the environments where you want to disable spring-security, just specify
grails.plugins.springsecurity.active = false
in your Config.groovy file, that is it.

Custom login page in grails 2.3.4 with spring security core 2.0-RC2

I am using the new grails 2.3.4 with Spring Security Core 2.0-RC2 plugin. I have generated the domain objects and got also a user via the Bootstrap.groovy into the db. However, I am wondering where to specify a custom login for my page?
Is it also possible to do the sign up process via the spring security plugin?
I appreciate your answer!
Create a gsp in the following pattern: grails-app/views/login/auth.gsp.
This way the default template is automatically replaced.

Eclipse RCP + Spring Security

I have a desktop application (built using Eclipse RCP) which on start, pops open a dialog box with 'UserName' and 'Password' fields in it. I need different types of authentication (LDAP, JDBC. etc).
If it was a web application the best way would be using Spring Security for this purpose. But I have Eclipse RCP application. Is there any way to integrate Eclipse RCP and Spring Security?
Eclipse RCP has security features available which you can use. The security is also JAAS compatible, so if you would like to hook Spring Security to it, it should be something doable.
Try the following links and see if they serve your need without Spring Security:
Equinox Security Integration
Adding Security to Eclipse

Forcing https in Grails

In a Struts application, I have a filter that forces certain pages to be accessed only over https via redirection. I'm thinking of porting it to Grails, so my question is: in this environment, is there a "Grails" way to implement such a filter, or is it similar/the same as I did? Thanks
The Spring Security core plugin has support for this. See section 17 - "Channel security"
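
A channel-security configuration of the kind that answer points to, as an added example rather than code from the original post or the plugin documentation. It assumes the 3.x plugin's list-of-maps syntax in application.groovy (2.x uses a plain map of pattern to access, and 1.x uses the grails.plugins.springsecurity prefix); the URL patterns are hypothetical.

```groovy
// grails-app/conf/application.groovy
// Added example: the URL patterns below are hypothetical, adjust them to your app.

// Rules are evaluated in order and the first matching pattern wins,
// so specific paths go before the catch-all.
grails.plugin.springsecurity.secureChannel.definition = [
    [pattern: '/login/**',   access: 'REQUIRES_SECURE_CHANNEL'],  // credentials never travel over http
    [pattern: '/account/**', access: 'REQUIRES_SECURE_CHANNEL'],
    [pattern: '/assets/**',  access: 'ANY_CHANNEL'],              // static files: no redirect either way
    [pattern: '/**',         access: 'REQUIRES_SECURE_CHANNEL']   // default: redirect everything else to https
]

// Ports the plugin uses when it builds the http -> https redirect URL.
grails.plugin.springsecurity.portMapper.httpPort  = 8080
grails.plugin.springsecurity.portMapper.httpsPort = 8443

// When TLS is terminated at a load balancer, the container only ever sees
// plain http and the redirect above loops. With this flag the plugin decides
// from a forwarded-protocol request header (X-Forwarded-Proto by default)
// instead of the connection itself; the proxy must set that header and must
// strip any client-supplied copy of it.
grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
```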
