spud-blog grails plugin not working with spring-security config? - grails

I'm using Grails 2.4.4 with Spring Security Plugin 2.0.0 on a project to which I have just added spud-blog 0.5.2.
According to the short documentation on github I could go to http://localhost:8080/myapp/spud/admin immediately after including the plugin.
The problem is that somehow I am getting a 403 when accessing the URL above, even though I have
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/spud/admin/**': ['ROLE_ADMIN'],
'/spud/**': ['ROLE_ADMIN'],
...
]
and I am logging in with a user with ROLE_ADMIN role.
I have tried changing the rules to 'permitAll' but still no luck.
EDIT:
Apparently I do have to add grails-security-bridge and configure it.
I've followed http://bertramdev.github.io/grails-security-bridge/guide/configuration.html and https://gist.github.com/marcpalmer/2225545
Yet still no luck. I must be missing something?

Related

Springdoc OpenAPI ui does not honor context-path in "location"

Setup:
I am using the Java library springdoc-openapi-ui in version 1.4.0 (via Maven) without any customization in a simple spring-boot project.
The Swagger page is generated under
https://my-url.com/my-context-path/swagger-ui/index.html
and the api-docs under
https://my-url.com/my-context-path/v3/api-docs/
both of these work and I can reach them. So far so good!
Now the problem:
When simply navigating to https://my-url.com/my-context-path/swagger-ui.html I am getting an HTTP Status 302 and a location attribute set in the response header that is supposed to redirect me to the swagger page from above (I assume).
However, the URL in the location attribute is missing the context path! It looks like this:
https://my-url.com/swagger-ui/index.html?configUrl=/v3/api-docs/swagger-config
It redirects to a page that does not exist and I am getting a 404 error code. Note that the configUrl also seems to be missing the context-path.
Any ideas why this occurs and how it can be fixed?
This GitHub issue seemed to be the same problem, but in the end it is stated that the problem is fixed: https://github.com/springdoc/springdoc-openapi/issues/37, and that was for an earlier version than mine.
Okay, so the issue is that springdoc-openapi-ui is unaware of your app context path unless it is defined in Spring Boot, which may not be possible for everybody.
Hopefully it does support the non-standard header X-Forwarded-Prefix that can be sent by your gateway.
In my case (Kubernetes), the Ingress can be configured in your chart by simply adding nginx.ingress.kubernetes.io/x-forwarded-prefix: "true"
And in your application config you also need to specify
server:
  forward-headers-strategy: framework
to use Spring's support for handling forwarded headers.
Sources:
https://github.com/kubernetes/ingress-nginx/issues/3670
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#x-forwarded-prefix-header
https://github.com/springdoc/springdoc-openapi/issues/607
There are no known issues about context-path usage. As you can see, #37 is resolved and the person who reported it has confirmed that!
Just make sure you follow the instructions of setting context-path on standard spring-boot application.
You can test the configuration of your context path, in the different demos samples:
https://github.com/springdoc/springdoc-openapi-demos
If you have any problem, you can log an issue by providing a minimal/reproducible sample or unit tests that reproduce the problem.
In order to configure swagger-ui correctly when an external context-path is configured, use the following configuration.
springdoc.swagger-ui.config-url=/context-path/api-docs/swagger-config
springdoc.swagger-ui.url=/context-path/api-docs
springdoc.api-docs.path=/api-docs
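The redirect behaviour discussed in this thread, modelled in Python as an added example (this is not springdoc or Spring Framework code). It rebuilds the Location header for the 302 from /swagger-ui.html to /swagger-ui/index.html in three states: forwarded headers ignored, honoured without a prefix header (the broken Location from the question), and honoured with X-Forwarded-Prefix (the fix from the Ingress annotation). The proxy address, the X-Forwarded-* header values and the trusted-proxy check are assumptions of this model; in particular, the trusted-proxy check is a design choice here, not a claim about what Spring's forward-headers-strategy: framework does.

```python
"""Model of how a forwarded-headers strategy rebuilds the externally visible
URL when an application runs behind a path-prefixing gateway.

Constructed example, not springdoc or Spring Framework code. The trusted-proxy
check is this model's own design choice: forwarded headers describe the
client-facing URL, so they must only be believed when the gateway set them.
"""
from urllib.parse import urlencode

# Constructed: address of the gateway whose forwarded headers we believe.
TRUSTED_PROXIES = {"10.0.0.1"}


def external_base(headers, remote_addr, scheme, host, honour_forwarded):
    """Return (scheme, host, prefix) as the client sees them.

    Forwarded headers only take effect when the request came from a trusted
    proxy; an arbitrary client must not be able to steer where we redirect.
    """
    prefix = ""
    if honour_forwarded and remote_addr in TRUSTED_PROXIES:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
        prefix = headers.get("X-Forwarded-Prefix", "").rstrip("/")
    return scheme, host, prefix


def swagger_redirect(headers, remote_addr, honour_forwarded,
                     scheme="http", host="app:8080"):
    """Location header for GET /swagger-ui.html, built from the external base.

    Both the page path and the configUrl parameter carry the prefix, because
    the browser resolves configUrl against the external host, not the pod.
    """
    scheme, host, prefix = external_base(headers, remote_addr, scheme, host,
                                         honour_forwarded)
    config_url = f"{prefix}/v3/api-docs/swagger-config"
    query = urlencode({"configUrl": config_url}, safe="/")
    return f"{scheme}://{host}{prefix}/swagger-ui/index.html?{query}"


# Constructed request headers, as an ingress with the x-forwarded-prefix
# annotation enabled would send them.
INGRESS_HEADERS = {
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "my-url.com",
    "X-Forwarded-Prefix": "/my-context-path",
}

if __name__ == "__main__":
    without_prefix = {k: v for k, v in INGRESS_HEADERS.items()
                      if k != "X-Forwarded-Prefix"}
    # Broken: scheme and host are external, but the context path is lost.
    print(swagger_redirect(without_prefix, "10.0.0.1", True))
    # Fixed: prefix header present, both the page and configUrl carry it.
    print(swagger_redirect(INGRESS_HEADERS, "10.0.0.1", True))
    # Same headers from a non-proxy address are ignored entirely.
    print(swagger_redirect(INGRESS_HEADERS, "203.0.113.9", True))
```

The second call reproduces the question's Location exactly when the prefix header is absent, which is why the annotation and the framework strategy both have to be in place: one without the other still yields a 404.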

Grails 3.3.10 and strange behavior in the URLs

I'm developing an application using Grails 3.3.10 with the Spring Security plugin, but I'm getting very weird behavior when I run the application using -https. For instance, I finished editing the Profile in edit.gsp (its URL is https://localhost:8443/profile/edit/1) and I press Update, so it is supposed to take me to index.gsp, but the URL I get is http://localhost:8080//profile/index. As you can see, the URL isn't https and there is an extra /. By the way, this is happening in a lot of the views.
What is the reason for this behavior?
I figured out the cause of this weird behavior: in the config file application.yml, the property grails.serverURL was configured twice, so I commented them out and everything worked fine.

Grails Spring Security Core 3.2.0.M1 - secure annotations not working

I have upgraded Grails and Spring Security to latest (3.3.0.RC1 and 3.2.0.M1 respectively) by following all of the migration paths but now my annotations no longer work. Control follows through to my not authorised callback (grails.plugin.springsecurity.adh.errorPage).
I have my own list of enum-backed Permissions that I use to populate my list of authorities, which are being correctly loaded for my user object, but they no longer work in my annotations using the hasRole expression as follows:
@Secured(["hasAnyRole('PERM_VIEW_REPORTS')"])
other expressions are working fine such as the following
@Secured("authentication.name == 'sys_admin'")
@Secured("hasRole('PERM_VIEW_REPORTS')")
I don't suppose anyone has had any similar experience with the latest Spring Security release for Grails. Remember the above has worked perfectly until I upgraded but I don't see anything in the migration path that suggests there might be a problem with this system.
Thanks in advance for any suggestions.
This came down to the "ROLE_" prefix being mandatory again in the new Spring Security 3.2.0.M1 release. As can be seen from above, I had been using a "PERM_" prefix up to now to indicate that I'm using a permission-based instead of role-based paradigm.
I'm hoping to add this to the migration guide for the plugin as it's a major omission AFAIC. I would hope this would become a configuration option for the plugin in a future release.
EDIT:
It turns out Spring Security have introduced new methods hasAuthority() and hasAnyAuthority() which do not use the default role prefix and so can be used in place of hasRole() and hasAnyRole().
I have forked and updated the Spring Security docs for 3.2 and sent a pull request.
Please try with
@Secured('ROLE_USER')
If you're trying to secure with more than one Role
@Secured(['ROLE_USER','ROLE_ADMIN'])
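The prefix rule that the accepted answer in this thread describes (hasRole/hasAnyRole prepend ROLE_, hasAuthority/hasAnyAuthority compare verbatim), modelled in Python as an added example, and applied both to the annotations quoted above and to a staticRules-style path map like the one in the first question on this page (/spud/admin/** requiring ROLE_ADMIN). This is not Spring Security or Grails plugin code: the prefix behaviour follows the Spring Security 4+ default role prefix, the ant-pattern matcher is a deliberately small approximation, and "first matching rule wins, unmatched paths are denied" is this model's assumption about rule ordering.

```python
"""Model of Spring Security's role-prefix rule for hasRole/hasAnyRole versus
hasAuthority/hasAnyAuthority, plus a small ant-style static-rules evaluator.

Constructed example, not Spring Security or Grails plugin code.
"""
import re

ROLE_PREFIX = "ROLE_"


def with_role_prefix(role):
    """hasRole('X') looks for 'ROLE_X' unless X already carries the prefix."""
    return role if role.startswith(ROLE_PREFIX) else ROLE_PREFIX + role


def has_any_role(granted, *roles):
    return any(with_role_prefix(r) in granted for r in roles)


def has_role(granted, role):
    return has_any_role(granted, role)


def has_any_authority(granted, *authorities):
    """No prefix handling: the authority string must match exactly."""
    return any(a in granted for a in authorities)


def has_authority(granted, authority):
    return has_any_authority(granted, authority)


def ant_to_regex(pattern):
    """Translate an ant-style pattern: '/**' spans zero or more segments
    (so '/spud/admin/**' also matches '/spud/admin'), '*' stays in a segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(/.*)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def is_allowed(static_rules, path, granted):
    """static_rules is an ordered list of (pattern, roles-or-'permitAll').
    Model assumption: first matching rule wins; unmatched paths are denied."""
    for pattern, required in static_rules:
        if ant_to_regex(pattern).match(path):
            if required == "permitAll":
                return True
            return has_any_role(granted, *required)
    return False


# Constructed: the authorities the question describes (PERM_ prefix) plus one
# conventional role, and a rule map shaped like the first question's config.
GRANTED = {"PERM_VIEW_REPORTS", "ROLE_USER"}
STATIC_RULES = [
    ("/spud/admin/**", ["ROLE_ADMIN"]),
    ("/spud/**", ["ROLE_ADMIN"]),
    ("/login/**", "permitAll"),
]

if __name__ == "__main__":
    # The thread's failing annotation versus its working replacement.
    print(has_any_role(GRANTED, "PERM_VIEW_REPORTS"))       # False: wants ROLE_PERM_VIEW_REPORTS
    print(has_any_authority(GRANTED, "PERM_VIEW_REPORTS"))  # True: exact match
    print(has_role(GRANTED, "USER"), has_role(GRANTED, "ROLE_USER"))  # True True
    print(is_allowed(STATIC_RULES, "/spud/admin", {"ROLE_ADMIN"}))    # True
    print(is_allowed(STATIC_RULES, "/spud/admin", GRANTED))           # False
```

Because hasRole silently rewrites the name it is given, a permission-style authority such as PERM_VIEW_REPORTS fails closed rather than open, which is the safer of the two failure modes but still shows up as the unexpected 403 / error-page behaviour described above; hasAuthority is the expression to reach for when authorities are not meant to carry the ROLE_ prefix.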

Configuring different target URLs after login according to user roles (grails spring security) grails 2.3.3 spring-security-core:2.0-RC2

I am trying the common issue of configuring different URLs according to Roles using grails 2.3.3 and spring security spring-security-core:2.0-RC2.
I've found the following posts:
first post and a
modification in a second post http://desmontandojava.blogspot.com/2013/08/grails-tip-different-url-depending-on.html
but none of them work for my version; the references didn't work for my version or the packages are different now. They are all based on Burt Beckwith's excellent presentation about hacking the spring security plugin, but they seem to be outdated. Has anyone tried this with a recent version of grails and spring-security-core / spring-security-ui?
I also tried the simple version of just asking in a controller for the role and redirecting, but it didn't work either; it had an odd behavior.
This link worked for me: http://desmontandojava.blogspot.com/2013/08/grails-tip-different-url-depending-on.html
But only after I commented out this line in UrlMappings.groovy
// "/"(controller:"console", action:"myaction")
I was able to accomplish the task. However, I had a problem: when logged out, the application was redirected to root, and I did not have an index.gsp, so there was an error. The only thing I did then was add this property to Config.groovy.
grails.plugin.springsecurity.logout.afterLogoutUrl='/login/auth'

Customizing new Grails Spring Security Core Plugin login page

I installed the Grails Spring Security Core Plugin and it works great, but I can't find the gsp file for the login page. I want to change the login page to match my web theme. Does anyone know how to find the file? I tried generate-views and also generate-all followed by the User, UserRole, and Role domain classes, but I didn't see the actual files. Also, I can't find the login and logout controllers for the spring security core plugin in my project directories. Any idea what's going on?
They're in the plugin itself, so it depends on where your plugins get installed. In 2.3 they'll be under target/work/plugins, and in earlier versions they'll be in the .grails folder which is in your home directory, so it'll be something like $HOME/.grails/2.x.x/projects/<projectname>/plugins
I like to keep things simple by deleting the grails.project.class.dir, grails.project.test.class.dir, and grails.project.test.reports.dir settings from BuildConfig.groovy and adding just
grails.project.work.dir = 'target'
so everything is in one place.