I'm using spring-security-core:2.0-RC5 Grails plugin , i searched on how to force the browser to use HTTPS on specific application's pages i found the below configuration :
grails.plugin.springsecurity.auth.forceHttps = true
grails.plugin.springsecurity.secureChannel.definition = [
'/login/**': 'REQUIRES_SECURE_CHANNEL'
]
when i apply this in the config, and try access the login page, it shows me this page can't be displayed , and the protocol is still HTTP ,i know there is a way to run the whole application onHTTPS by using grails run-app -https but what i need to achieve is to force some pages to use HTTPS , is there a way to make this ?
Related
I'm using Grails 2.4.4 with Spring Security Plugin 2.0.0 on a project to which I have just added spud-blog 0.5.2.
According to the short documentation on github I could go to http://localhost:8080/myapp/spud/admin immediately after including the plugin.
The problem is that somehow I am getting a 403 when accessing the URL above, even though I have
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/spud/admin/**': ['ROLE_ADMIN'],
'/spud/**': ['ROLE_ADMIN'],
...
]
and I am logging in with a user with ROLE_ADMIN role.
I have tried changing the rules to 'permitAll' but still no luck.
EDIT:
Apparently I do have to add grails-security-bridge and configure it.
I've followed http://bertramdev.github.io/grails-security-bridge/guide/configuration.html and https://gist.github.com/marcpalmer/2225545
Yet still no luck. I must be missing something?
In my Grails project i'm using spring core plugin , i want to force the browser to use HTTPS while login , i found this setting :
grails.plugin.springsecurity.auth.forceHttps = true
but when i put it in the Config file,but when i try to access an action that needs to be logged in first rather directing my to the login page using HTTPS it shows me
This page can't be displayed
as shown in the image attached image anything i'm missing ?
There are two settings with the Grails spring security plugin to use here. the secure channel definition below says that all URLs for the application must use HTTPS and thus will automatically redirect to HTTPS. You can change this definition to suit your needs.
grails.plugin.springsecurity.auth.forceHttps = true
grails.plugin.springsecurity.secureChannel.definition = [
'/**': 'REQUIRES_SECURE_CHANNEL'
]
In Grails, I'm using Spring Security Core plugin and I have 2 questions:
Is there a way to make the browser use HTTPS in specific URLs rather HTTP? I'm using this in Config file, but it's not working: grails.plugin.springsecurity.auth.forceHttps = true
How after login the user will go back to the original requested page, for example, the user is trying to access "securedPage" and this needs to be logged in first to it's redirect to the login page so after login I want the user to go back to that page.
What about trying this?
grails run-app -https // with HTTPS
You can also try using:
grails.plugins.springsecurity.secureChannel.definition = [
'/path/**': 'REQUIRES_SECURE_CHANNEL'
]
or try using this plugin:
https://grails.org/plugin/force-ssl
We've developed a Grails application that uses redirects.
Beacuse of external reasons, we are just recently using reverse-proxy, to split some traffic to domains:
From:
demo1.company.local (the server itself)
To:
tomcat.company.local (for all java applications, including our grails app)
lotus.company.local (for all Domino applications)
Since tomcat is only configured in the hosts file on the demo1 server, the redirects do not work when I access the application from anywhere else then the demo1 server itself.
I've tried to solve this using "absolute" and/or "base" parameter in Grails' redirect(), but if I understand correctly, this is Grails 2+ only and we're using Grails 1.3.4.
Are there other ways to redirect to a specified host?
Am I misusing things?
Thanks,
Bram
If you define grails.serverURL in Config.groovy, redirects with absolute:true will use that value for the URL.
During development i find my self often having to restart my application which in turn results in an extra step of login in manually.
I thought i could add the method call springSercurityService.reauthenticate('myuser') in the bootstrap however i am not sucessfull
Doing the same thing in a controller after the application is started works fine so its is just in the bootstrap that it does not work.
I debugged the code without seeing any obvious errors.
I hit the same issue and how I solved it was to use a bookmarklet (or a custom browser "search engine") that makes it really easy to log back in. With deep linking enabled, it makes it very easy to continue working on the same page. After rebooting the server, just refresh the page and it will redirect you to the login page. Just activate the bookmarklet (or "search engine") and it'll log you in and redirect you back to the page you were working on.
I have a detailed blog post that shows how to get this set up.
If it's just to avoid having to log in on development mode you can set up the interceptUrlMap property. That property would allow you to set up development mode in a way that wouldn't ask you to login.
import grails.plugins.springsecurity.SecurityConfigType
grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap
environments {
development {
grails.plugins.springsecurity.interceptUrlMap = [
'/**': ['IS_AUTHENTICATED_ANONYMOUSLY']
]
}
}
Another option is to add a servlet filter that will log in the default user if the environment is development.