In my Grails project i'm using spring core plugin , i want to force the browser to use HTTPS while login , i found this setting :
grails.plugin.springsecurity.auth.forceHttps = true
but when i put it in the Config file,but when i try to access an action that needs to be logged in first rather directing my to the login page using HTTPS it shows me
This page can't be displayed
as shown in the image attached image anything i'm missing ?
There are two settings with the Grails spring security plugin to use here. the secure channel definition below says that all URLs for the application must use HTTPS and thus will automatically redirect to HTTPS. You can change this definition to suit your needs.
grails.plugin.springsecurity.auth.forceHttps = true
grails.plugin.springsecurity.secureChannel.definition = [
'/**': 'REQUIRES_SECURE_CHANNEL'
]
Related
I'm using spring-security-core:2.0-RC5 Grails plugin , i searched on how to force the browser to use HTTPS on specific application's pages i found the below configuration :
grails.plugin.springsecurity.auth.forceHttps = true
grails.plugin.springsecurity.secureChannel.definition = [
'/login/**': 'REQUIRES_SECURE_CHANNEL'
]
when i apply this in the config, and try access the login page, it shows me this page can't be displayed , and the protocol is still HTTP ,i know there is a way to run the whole application onHTTPS by using grails run-app -https but what i need to achieve is to force some pages to use HTTPS , is there a way to make this ?
In Grails, I'm using Spring Security Core plugin and I have 2 questions:
Is there a way to make the browser use HTTPS in specific URLs rather HTTP? I'm using this in Config file, but it's not working: grails.plugin.springsecurity.auth.forceHttps = true
How after login the user will go back to the original requested page, for example, the user is trying to access "securedPage" and this needs to be logged in first to it's redirect to the login page so after login I want the user to go back to that page.
What about trying this?
grails run-app -https // with HTTPS
You can also try using:
grails.plugins.springsecurity.secureChannel.definition = [
'/path/**': 'REQUIRES_SECURE_CHANNEL'
]
or try using this plugin:
https://grails.org/plugin/force-ssl
I integrated the spring-security-oauth plugin into my app, and the login over FB or Google seems to be working fine.
The problem I have now, is that the authentication expires along with the tomcat session, which is not what it should be. I want the OAuth-authentication to be persistent on client's machine. Some sort of spring security's remember-me functionality is needed.
Is there a possibility to activate it out-of-box?
TIA
I have this setup in my application. What you want to do is enable rememberme configuration:
http://grails-plugins.github.io/grails-spring-security-core/docs/manual/guide/single.html#rememberMeCookie
run the s2-create-persistent-token script
In config file:
rememberMe.alwaysRemember = true // by default it is false
rememberMe.persistent = true // by default it is off
I don't have my application on hand but if you need exact configs, let me know and I'll post it up later for you.
so, after doing some research and talking the plugin creator here http://github.com/enr/grails-spring-security-oauth/issues/9, the solution was found. It will be available in the upcoming release, or you can do it yourself
During development i find my self often having to restart my application which in turn results in an extra step of login in manually.
I thought i could add the method call springSercurityService.reauthenticate('myuser') in the bootstrap however i am not sucessfull
Doing the same thing in a controller after the application is started works fine so its is just in the bootstrap that it does not work.
I debugged the code without seeing any obvious errors.
I hit the same issue and how I solved it was to use a bookmarklet (or a custom browser "search engine") that makes it really easy to log back in. With deep linking enabled, it makes it very easy to continue working on the same page. After rebooting the server, just refresh the page and it will redirect you to the login page. Just activate the bookmarklet (or "search engine") and it'll log you in and redirect you back to the page you were working on.
I have a detailed blog post that shows how to get this set up.
If it's just to avoid having to log in on development mode you can set up the interceptUrlMap property. That property would allow you to set up development mode in a way that wouldn't ask you to login.
import grails.plugins.springsecurity.SecurityConfigType
grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap
environments {
development {
grails.plugins.springsecurity.interceptUrlMap = [
'/**': ['IS_AUTHENTICATED_ANONYMOUSLY']
]
}
}
Another option is to add a servlet filter that will log in the default user if the environment is development.
I have a grails project. Right now, the user can access it either with HTTP or HTTPS. I would like to require that they can only access it through HTTPS. any ideas? I do have spring security core installed, if that can be of help
thanks
jason
Spring's core supports that:
grails.plugins.springsecurity.secureChannel.definition = [
'/path/**': 'REQUIRES_SECURE_CHANNEL'
]