I have the domain:
User hasOne RoleGroup hasMany Role
Exemples:
RoleGroup: Admin, Professional, Client, ...
Role: ROLE_ACTION_1, ROLE_ACTION_2, ...
How I check if a user has a RoleGroup with annotation #Secured?
I need to check if user contains all roles of RoleGroup?
User class:
class User implements Serializable {
private static final long serialVersionUID = 1
static constraints = {
password blank: false, password: true
username blank: false, unique: true
}
static mapping = {
password column: '`password`'
version false
table schema: "CA"
}
static transients = ['springSecurityService']
transient springSecurityService
transient boolean enabled = true
transient boolean accountExpired
transient boolean accountLocked
transient boolean passwordExpired
String username
String password
RoleGroup profile
Set<RoleGroup> getAuthorities() {
[profile]
}
}
RoleGroup class:
class RoleGroup implements Serializable {
private static final long serialVersionUID = 1
String name
Set<Role> getAuthorities() {
RoleGroupRole.findAllByRoleGroup (this)*.role
}
}
I think you have not fully grasped spring security.
When using annotation - first annotation must be enabled in the config - this is the case by default.
You then secure either an entire controller or a controller action using something like this
#Secured(['ROLE_ADMIN', 'ROLE_USER'])
It has no way of working out all of what the user has as authority groups.
Although in the code you pasted in the RoleGroup class you have :
getAuthorities()
I have tweaked my User domain class and added the following:
Set<RoleGroup> getAuthorities() {
UserRoleGroup.findAllByUser(this)*.roleGroup
}
Set<RoleGroup> getAuthoritiesNames() {
UserRoleGroup.findAllByUser(this)*.roleGroup?.name
}
So when I have a user
i.e. User user=User.get(1L)
def authorities = user.getAuthorities()
println "user ${user} has ${authorities}"
which is a list containing all the authorities
if (authorities.contains('ROLE_USER')) {
println "WOOHOO"
}
With spring security you could also use it within gsps:
<sec:ifAllGranted roles="ROLE_ADMIN">
show something
</sec:ifAllGranted>
So back to your question:
You have :
Set<RoleGroup> getAuthorities() {
[profile]
}
Is that something you have in put in place ?
From where it is :
class RoleGroup implements Serializable {
private static final long serialVersionUID = 1
String name
Set<Role> getAuthorities() {
RoleGroupRole.findAllByRoleGroup (this)*.role
}
}
This should list you all the authorities
User user = User.get(1L)
def authorities = user?.profile?.getAuthorities()
Related
I'm trying to replace the username with "email" and the password with "motDePasse" but I can't figure out how to do It: I tried to replace every old name by new name in the Person class and I added the following configuration to
my application.groovy :
grails.plugin.springsecurity.userLookup.usernamePropertyName= 'email'
grails.plugin.springsecurity.userLookup.passwordPropertyName= 'motDePasse'
but it doesn't work. I'm using grails 3.1.5, anyone can help me please?
the "Custom UserDetailsService" part of the documentation doesn't show how to replace attributes.
Thank you
I ended up with keeping the default password and replacing the username with email, I had simply to replace every "username" with "email" in the Person class:
package ma.ac.uir.ecine.authentification
import groovy.transform.EqualsAndHashCode
import groovy.transform.ToString
#EqualsAndHashCode(includes='email')
#ToString(includes='email', includeNames=true, includePackage=false)
class Personne implements Serializable {
private static final long serialVersionUID = 1
transient springSecurityService
String email
String password
boolean enabled = true
boolean accountExpired
boolean accountLocked
boolean passwordExpired
Personne(String email, String password) {
this()
this.email = email
this.password = password
}
Set<Role> getAuthorities() {
PersonneRole.findAllByPersonne(this)*.role
}
def beforeInsert() {
encodePassword()
}
def beforeUpdate() {
if (isDirty('password')) {
encodePassword()
}
}
protected void encodePassword() {
password = springSecurityService?.passwordEncoder ? springSecurityService.encodePassword(password) : password
}
static transients = ['springSecurityService']
static constraints = {
password blank: false, password: true
email blank: false, unique: true
}
static mapping = {
password column: '`password`'
}
}
and add
grails.plugin.springsecurity.userLookup.usernamePropertyName= 'email'
to application.groovy
I couldn't replace the password.
Hello today I've started to learn Grails 3 with Spring Security Core Plugin but I'm having hard time with password Validation. When user is registering I want him to type password and confirmPassword. Everything would be ok if not hashing the password. I want my password to be encoded in database but with encoding I'm not able to compare those 2 passwords.
Here is my class:
#EqualsAndHashCode(includes='username')
#ToString(includes='username', includeNames=true, includePackage=false)
class User implements Serializable {
private static final long serialVersionUID = 1
transient springSecurityService
String username
String password
String confirmPass
boolean enabled = true
boolean accountExpired
boolean accountLocked
boolean passwordExpired
User(String username, String password) {
this()
this.username = username
this.password = password
this.confirmPass = password
}
Set<Role> getAuthorities() {
UserRole.findAllByUser(this)*.role
}
// because of that I can't compare password and confirmPass
def beforeInsert() {
encodePassword()
}
def beforeUpdate() {
if (isDirty('password')) {
encodePassword()
}
}
protected void encodePassword() {
password = springSecurityService?.passwordEncoder ? springSecurityService.encodePassword(password) : password
}
static transients = ['springSecurityService']
static constraints = {
username blank: false, unique: true
password blank: false, size: 5..60, password: true, display: false, validator: { val, obj ->
if (!obj.id && !obj.password) {
return 'validation.user.password' // my message
}
}
confirmPass blank: // now I'm stuck here, I've tried isPasswordValid() but won't work cuz of 'salt' What shout go here?
}
static mapping = {
password column: '`password`'
}
}
What should I do to make it working(valid both password are same and then encoded password store in database).
This is my user class that has Spring Security on it
package rms
import java.util.Date;
import java.util.Set;
import enums.EmployeeStatus;
class User {
transient springSecurityService
String username
String password
boolean enabled
boolean accountExpired
boolean accountLocked
boolean passwordExpired
String firstName
String lastName
String middleName
String contactNumber
String position
String emailAddress
String employeeID
Date dateOfBirth
EmployeeStatus employeeStatus
int age
byte [] picture
static hasMany = [employeeReport: EmployeeReport]
static constraints = {
picture maxSize:20* 1024 * 1024
dateOfBirth nullable: true
employeeStatus blank: false
position blank: false
contactNumber blank: false
emailAddress blank: false, matches: "([a-z0-9_.-]+)#([da-z.-]+).([a-z.]{2,6})", email: true
age min: 18
username blank: false, unique: true
password blank: false, password: true
}
static mapping = { password column: '`password`' }
Set<SecRole> getAuthorities() {
SecUserSecRole.findAllBySecUser(this).collect { it.secRole } as Set
}
def beforeInsert() {
encodePassword()
}
def beforeUpdate() {
if (isDirty('password')) {
encodePassword()
}
}
protected void encodePassword() {
password = springSecurityService.encodePassword(password)
}
String toString(){
return "SecUser $username"
}
}
I tried this tag <sec:loggedInUserInfo field="username"/> and it works fine but this doesn't work <sec:loggedInUserInfo field="firstName"/>. It gives a
No such property: firstName for class: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser
Is there any other way to display the other properties of the current logged in user?
The loggedInUserInfo can only access data from the "principal", which is typically an instance of GrailsUser. The data includes username, id, the assigned role names, and a few booleans about whether the user is enabled, the account is locked, etc. It's easy to subclass GrailsUser and create your own UserDetailsService and capture other data from the user domain class during authentication, and store that in the GrailsUser subclass to make it available to this tag; see http://grails-plugins.github.io/grails-spring-security-core/docs/manual.1273/guide/11%20Custom%20UserDetailsService.html for more info.
This works well if the data is read-only since it will be cached until the user logs out or the session expires. If the data that you want to display can change, retrieve the user instance and add it to the model map you return from the controller action:
class MyController {
def springSecurityService
def theAction() {
...
def user = springSecurityService.currentUser
[user: user, foo: 5, bar: "whatever", ...]
}
}
and then you can display whatever you want in the GSP, e.g. ${user.firstName}
I have a problem to get user authentication running in a Grails application with spring-security and LDAP.
The connection to LDAP works fine, I get results. But I didn't get it managed that the the user can log in and that the data is saved in the local database.
I have changed/created the following files:
config.groovy
grails.plugin.springsecurity.ldap. context.managerDn = 'USERNAME'
grails.plugin.springsecurity.ldap. context.managerPassword = 'PASSWORD'
grails.plugin.springsecurity.ldap. context.server ='ldap://LDAPSERVER:389/'
grails.plugin.springsecurity.ldap. authorities.ignorePartialResultException = true // typically needed for Active Directory
grails.plugin.springsecurity.ldap. search.base = 'DC=example,DC=com'
grails.plugin.springsecurity.ldap. search.filter='(sAMAccountName={0})' // for Active Directory you need this
grails.plugin.springsecurity.ldap. search.searchSubtree = true
grails.plugin.springsecurity.ldap.authorities.groupSearchBase ='DC=example,DC=com'
grails.plugin.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}'
grails.plugin.springsecurity.ldap.authorities.retrieveDatabaseRoles = false
grails.plugin.springsecurity.ldap. auth.hideUserNotFoundExceptions = false
grails.plugin.springsecurity.ldap. search.attributesToReturn = ['mail', 'displayName', 'title', 'fullname'] // extra attributes you want returned; see below for custom classes that access this data
grails.plugin.springsecurity.providerNames = ['ldapAuthProvider']
grails.plugin.springsecurity.ldap.useRememberMe = false
grails.plugin.springsecurity.ldap.authorities.defaultRole = 'ROLE_USER'
grails.plugin.springsecurity.ldap.mapper.userDetailsClass = 'CustomUserDetails'
src/grovvy/CustomUserDetailsMapper.grovvy
package com.example
import com.example.CustomUserDetails
import org.springframework.ldap.core.DirContextAdapter
import org.springframework.ldap.core.DirContextOperations
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper
import groovy.sql.Sql
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.userdetails.UsernameNotFoundException
import org.springframework.security.authentication.DisabledException
class CustomUserDetailsContextMapper implements UserDetailsContextMapper {
private static final List NO_ROLES = [new SimpleGrantedAuthority("ROLE_USER")]
def dataSource
#Override
public CustomUserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection<GrantedAuthority> authority) {
username = username.toLowerCase()
User.withTransaction {
User user = User.findByUsername(username)
String firstName = ctx.originalAttrs.attrs['givenname'].values[0]
String lastName = ctx.originalAttrs.attrs['sn'].values[0]
def roles
if(!user){
user = new User(username: username, enabled: true, firstName: firstName, lastName: lastName)
user.save(flush: true)
}
else {
user = User.findByUsername(username)
user.firstName = firstName
user.lastName = lastName
user.save(flush)
}
roles = user.getAuthorities()
}
if( !user.enabled )
throw new DisabledException("User is disabled", username)
def authorities = roles.collect { new SimpleGrantedAuthority(it.authority) }
authorities.addAll(authority)
def userDetails = new CustomUserDetails(username, user.password, user.enabled, false, false, false, authorities, user.id, user.firstName, user.lastName)
return userDetails
}
#Override
public void mapUserToContext(UserDetails arg0, DirContextAdapter arg1) {
}
}
src/grovvy/CustomUserDetails.groovy
package com.example
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.userdetails.User
class CustomUserDetails extends User{
final String firstName
final String lastName
CustomUserDetails(String username, String password, boolean enabled,
boolean accountNonExpired, boolean credentialsNonExpired,
boolean accountNonLocked,
Collection<GrantedAuthority> authorities,
long id, String firstName, String lastName) {
super(username, password, enabled, accountNonExpired,
credentialsNonExpired, accountNonLocked, authorities, id)
this.firstName = firstName
this.lastName = lastName
}
}
src/groovy/CustomUserDetailsService.groovy
package com.example
import grails.plugin.springsecurity.userdetails.GrailsUserDetailsService
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException
class CustomUserDetailsService implements GrailsUserDetailsService {
/**
* Some Spring Security classes (e.g. RoleHierarchyVoter) expect at least one role, so
* we give a user with no granted roles this one which gets past that restriction but
* doesn't grant anything.
*/
static final List NO_ROLES = [new SimpleGrantedAuthority("NO_ROLE")]
UserDetails loadUserByUsername(String username, boolean loadRoles)
throws UsernameNotFoundException {
return loadUserByUsername(username)
}
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User.withTransaction { status ->
User user = User.findByUsername(username)
if (!user) throw new UsernameNotFoundException('User not found', username)
def authorities = user.authorities.collect {new SimpleGrantedAuthority(it.authority)}
return new CustomUserDetails(user.username, user.password, user.enabled,
!user.accountExpired, !user.passwordExpired,
!user.accountLocked, authorities ?: NO_ROLES, user.id,
user.firstName, user.lastName)
} as UserDetails
}
}
conf/resources.groovy
// Place your Spring DSL code here
import com.example.CustomUserDetailsContextMapper
import com.example.CustomUserDetailsService
beans = {
userDetailsService(CustomUserDetailsService)
ldapUserDetailsMapper(CustomUserDetailsContextMapper) {
dataSource = ref("dataSource")
}
}
When I run with this configuration and try to login I get the following error message:
Message: object references an unsaved transient instance - save the transient instance before flushing: com.example.User; nested exception is org.hibernate.TransientObjectException: object references an unsaved transient instance - save the transient instance before flushing: com.example.User
I had the same problem. The error message states that the User instance wasn't saved. I fixed it by changing the following line in the CustomUserDetailsMapper.grovvy
user = new User(username: username, enabled: true, firstName: firstName, lastName: lastName)
to
user = new User(username: username, enabled: true, firstName: firstName, lastName: lastName, accountLocked: false, passwordExpired: false, accountExpired: false, password: "test")
and by adding a firstName and lastName to the User domain class.
As you can see I just added some default values to user which is supposed to be created. It doesn't matter that the password is always set to "test". It won't be used because you are using LDAP.
For anyone that instead modified the generated user class from spring security(after running the quickstart script) and got the same error, I have added the nullable: true in the static constraints in the domain user class to all of your custom properties - in this case firstName and lastName. This allows you to save the instance without setting all of the properties explicitly.
Hope this helps someone!
static constraints = {
username blank: false, unique: true
password blank: false
fname nullable: true
lname nullable: true
}
I want to retrieve all users which have a specific Role like "ROLE_USER".
Below are Domain Classes for User, Role and UserRole.
User.groovy
class User {
transient springSecurityService
String username
String password
String email
boolean enabled
boolean accountExpired
boolean accountLocked
boolean passwordExpired
static constraints = {
username blank: false, unique: true
password blank: false
}
static mapping = {
password column: '`password`'
}
Set<Role> getAuthorities() {
UserRole.findAllByUser(this).collect { it.role } as Set
}
def beforeInsert() {
encodePassword()
}
def beforeUpdate() {
if (isDirty('password')) {
encodePassword()
}
}
protected void encodePassword() {
password = springSecurityService.encodePassword(password)
}
}
Role.groovy
class Role {
String authority
static mapping = {
cache true
}
static constraints = {
authority blank: false, unique: true
}
}
UserRole.groovy
class UserRole implements Serializable {
User user
Role role
boolean equals(other) {
if (!(other instanceof UserRole)) {
return false
}
other.user?.id == user?.id &&
other.role?.id == role?.id
}
int hashCode() {
def builder = new HashCodeBuilder()
if (user) builder.append(user.id)
if (role) builder.append(role.id)
builder.toHashCode()
}
static UserRole get(long userId, long roleId) {
find 'from UserRole where user.id=:userId and role.id=:roleId',
[userId: userId, roleId: roleId]
}
static UserRole create(User user, Role role, boolean flush = false) {
new UserRole(user: user, role: role).save(flush: flush, insert: true)
}
static boolean remove(User user, Role role, boolean flush = false) {
UserRole instance = UserRole.findByUserAndRole(user, role)
if (!instance) {
return false
}
instance.delete(flush: flush)
true
}
static void removeAll(User user) {
executeUpdate 'DELETE FROM UserRole WHERE user=:user', [user: user]
}
static void removeAll(Role role) {
executeUpdate 'DELETE FROM UserRole WHERE role=:role', [role: role]
}
static mapping = {
id composite: ['role', 'user']
version false
}
}
These Domain Classes are generated by Spring Security plugin.
I have added only email field for User class.
Here is my UserController.groovy
class UserController {
def index = {
}
def list = {
def role = Role.findByAuthority("ROLE_USER")
println "role id "+role.id
def users = User.findAll() //Its giving me all Users regardless of Role
println "total users "+users.size()
for(user in users)
{
println "User "+user.username+" "+user.email
}
render (view: "listUsers", model:[users:users])
}
}
In the list action I used User.findAll() but its giving me all user with all roles.
I want user list only from a certain role..
EDIT
Code to Assign Roles to newly created user
def username = params.username
def emailID = params.emailID
def password = params.password
def testUser = new User(username: username, enabled: true, password: password,email:emailID)
testUser.save(flush: true)
def userRole = new Role(authority: 'ROLE_USER').save(flush: true)
UserRole.create testUser, userRole, true
Thanks..
Replace
def users = User.findAll()
with
def users = UserRole.findAllByRole(role).user
and you should get all users with the required role.
EDIT
In your code sample you try to create a new Role for the User. Since a Role with the authority ROLE_USER already exists and authority has to be unique (see the 'constraints' part in your Role class) this new Role cannot be saved to the database. Because the Role you assign in UserRole.create doesn't exist in the database the UserRole is not saved either. You would have to assign the existing Role to the new User (e.g. with `Role.findByAuthority').
Creating the roles in Bootstrap.groovy is a good idea according to Spring Source because roles "are typically defined early in the life of the application and correspond to unchanging reference data. That makes BootStrap the ideal place to create them." (Spring Source Blog)