We are using multiple datasources distributed across regions. Each datasource is meant to handle all data related to all users of the region including security related data such as roles, tokens etc. I can not have all security related information in one datasource.
Does Spring security rest plugin for Grails support this setup? From what I understand it always looks at the default datasource for all authentication related tables and stores all tokens in default datasource alone.
Could someone confirm this? If the plugin supports multiple datasources, how to make it work?
Our environment:
Grails 2.4.4
Spring security rest plugin 1.5.3
Spring security core 2.0-RC4
Postgresql 9.5
Grails supports multiple datasources:
http://docs.grails.org/2.4.4/guide/single.html#multipleDatasources
In order to adjust Spring security core, one relatively easy option, would be to provide an alternative userDetailsService. (method: loadUserByUsername(String username) could be customized to do that)
Which is in use by the DAOAuthenticationProvider to get user's details.
At that point, You would probably need to access more parameters from the request, to determine which datasource to access. So, the request object could be obtained using (for grails 2.x.x):
GrailsWebRequest webUtils = WebUtils.retrieveGrailsWebRequest()
def request = webUtils.getCurrentRequest()
Related
I have been exploring on spring-session framework for session management in our application, and we want to store session in database. I understand that spring provides implementation with JDBC and we can configure our own DataSource. The problem I'm facing is that we don't have direct access to db and need to make web service call to do any sort of crud operations.
So, is there a way to integrate spring-session to consume web services for session related crud operations in db ?
Another question is, can we change the schema for session related tables. I know that we can change the table names, but is it possible to add or remove further columns in the given tables ?
You can employ your custom session repository fairly easy - use #EnableSpringHttpSession (which imports SpringHttpSessionConfiguration) to configure common Spring Session components and register your SessionRepository implementation #Bean.
Regarding more advanced customization of schema used by JdbcOperationsSessionRepository, this was considered during implementation of JDBC support however decision was made not to provide this initially. If you need this feature please consider creating an feature request in Spring Session issue tracker.
I'm currently creating a new application that requires users to login. I want to use the Spring Security Core plugin for this, but the only problem is that the credentials of the users are stored in a centralized system, and not locally in the database. This system can only be accessed by an API, and will tell me whether the credentials are correct or not.
Is there any way to override the credentials check of the Spring Security Code plugin, so I can check the credentials myself? Or in case this is not possible, is there any other workaround?
It belongs on what your system looks like.
You can write your own Authentication Provider.
Here is answer.
You can create your own User class with datasource set on your centralized system database.
Or you can use Spring Security CAS Plugin
i want to use spring security and to map my model to a simplistic database schema.
According to this: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/springsecurity-single.html#db_schema_users_authorities (section user schema), i can have a that match the one i have.
Note that this schema is the basic schema of tomcat with the database realm.
But i don't know how to tell spring to which schema i use and what are the tables to use wich what fields.
If you're using the Grails Spring Security plugin you're lookingin the wrong place - you don't configure it using standard Spring Security but within the plugin itself.
This is a common enough customization that it has its own chapter in the plugin docs - see https://grails-plugins.github.io/grails-spring-security-core/guide/userDetailsService.html
My problem:
I would love to use the Spring Security plugin's access control/authorization mechanism with my Grails application without having to use the plugin's authentication mechanism. The various Grails Spring Security plugin examples (like this one) I've found combine these two functions. Is there an easy way to just do access control?
Background:
I would like to add roles-based access control to my existing app. I would love to either just annotate my controllers or use the Config.groovy map approach for setting up the access control.
My app already has a user domain class.
The user domain class already handles encrypting passwords using BCrypt.
The app does not have a "role" domain class.
I already have controller actions, views and business logic for handling logging in and logging out. I have no interest in replacing this with the plugin's implementation.
On the right track, but not quite helpful:
I know this is possible to do, as explained in this other question: BUT, that questions and its answers explains how to do it in a Java app using the raw Spring Security framework. I would love for someone to lay out how to do this in a way that is compatible with the latest version (1.2.7.3 as of this writing) of the Grails Spring Security plugin. I don't want to reinvent wheels that have already been taken care of by the plugin.
In addition, this example explains how to do some of this, but it appears to be outdated because it is based on an older version of the plugin that uses Spring Security 2.x. It also only uses custom authentication for one piece of the app, while it looks like it still uses the Spring Security plugin's domain classes elsewhere.
How to do it?
Can someone lay out an approach for me?
I assume I need to create my Role domain class.
After that I assume it will involve custom Authentication objects and the like. But how do I hook them into use the plugin's existing code?
You could go with a custom authentication provider and I have an updated version that I did as part of a recent talk. See this blog post which has a sample app and link to a video of the talk: http://burtbeckwith.com/blog/?p=1090
It would be simple to use a custom UserDetailsService - this is the most common customization done for the plugin and it so has its own chapter in the docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Basically you need to create a Spring Security User instance and Spring Security (and the plugin) doesn't care how you get the data. So your custom UserDetailsService just needs to be a bridge between your current auth scheme and Spring Security.
I ended up creating my own access control/authorization mechanism rather than using the Spring Security plugin. I never could figure out how to separate the plugin's authentication mechanism from the authorization mechanism. Doing the work myself was very easy.
I did the following:
Created a new Role domain class.
Added a Set property and hasMany relationship to my User domain class.
Created a new AuthorizationFilters filter. This is where I put in my authorization rules. In this filter I can check to see if a user has the role necessary to access the given URL and redirect to a login page, redirect to a "not authorized page" or allow them to pass.
This doesn't have the nice syntactic sugar of the plugin and isn't quite as concise either, but it was very easy to implement and understand.
I want to implement role-based access control for each button and function in my application that can be modified onrRuntime. I'm implementing JSF 2.0, and EJB on Glassfish and currently using JSecurity with JDBCRealm to restrict access to the pages. But the problem is my client has requested runtime modification on the roles and access control, which cannot be performed with my current techniques without modifying the web.xml file and redeploy the application. I read through many post regarding Spring security. I want to check if this is possible with spring security, and whether such mechanism to control access control dynamically (can be edited at runtime) to pages + (button and fields level access) are available in spring.
I'm using JSF 2.0, glassfish 3.1, EJB 3.0, and J_Security_check for authentication.
Yes, it is possible with Spring Security. Spring Security allows runtime manipulation of Access Control List (ACL) fields through the MutableAcl interface. It allows creating, updating and deleting of access control entries (ACEs) and also provides the JdbcMutableAclService to persist these changes to the JDBC datastore.
See also:
domain-acls-getting-started
You can see the sample application available here
Instructions to run Spring Security sample applications.
You need to have your database ready with the acl tables before you can try these samples. Here is the schema for Spring ACL tables
I think best bet would be to partition the roles. E.g. the button "submit" may be clicked by user with role "Submitter" and the button "filter" by role "Filterer" and so on.