I'm using VAADIN with SpringBoot based on https://vaadin.com/spring . Things are working fine except of authentication. I'm using SpringBoot based SpringSecurity java config which works fine and SecurityContextHolder.getContext().getAuthentication() returns current user for me in VaadinUI. My config is pretty straighforward here:
http.authorizeRequests()
.antMatchers("/*").authenticated().and().httpBasic()
The problem is that SecurityContextHolder.getContext().getAuthentication() returns correct value only for the first request when VaadinUI is displayed. Then any subsequent Vaadin request (e.g. button click) returns null for SecurityContextHolder.getContext().getAuthentication() . Any idea how to make it work as expected?
This is because of the way Vaadin handles the requests. It does not use DispatcherServlet, and you probably need to use RequestContextListener (or RequestContextFilter) to enable request and session scopes.
Have a look discussion about a related topic here.
Make sure that your #Configuration class that extends WebSecurityConfigurerAdapter is annotated with #EnableWebSecurity.
Related
The Orbeon Proxy Portlet allows form selection via URL parameters. It would be preferable if the parameters were not included in the URL. I thought I might be able to use a public render parameter as described in the Liferay documentation but it looks like the proxy portlet isn't configured that way.
Looking at OrbeonProxyPortlet.scala I see this method is used to retrieve the URL parameters:
private def portalQuery(request: PortletRequest) =
collectByErasedType[String](request.getAttribute("javax.servlet.forward.query_string")) map decodeSimpleQuery getOrElse Nil
Could this method be modified to combine that map with the map returned by PorletRenderRequest.getParameterMap() or PorletRenderRequest.getPublicParameterMap()?
Or perhaps there could be another init-param like enable-url-parameters, for example, enable-inter-portlet-parameters?
This would also require the following configuration in the portlet.xml:
<supported-public-render-parameter>orbeon-app</supported-public-render-parameter>
<supported-public-render-parameter>orbeon-form</supported-public-render-parameter>
<supported-public-render-parameter>orbeon-document</supported-public-render-parameter>
<supported-public-render-parameter>orbeon-page</supported-public-render-parameter>
As you noticed, currently this is not implemented, and I don't think there is a way without modifying the code of OrbeonProxyPortlet.scala. But yes, it would make sense to make this work, and in fact the option was considered in issue #1850.
I have a project where I've integrated Vaadin with Spring Boot. One of the dependency that I use is spring-boot-starter-security.
When I invoke the url http://localhost:8080/appXYZ/ it redirects me to http://localhost:8080/appXYZ/login. I'm expecting it to go to my LoginUI class with has the annotation #SpringUI("/login"). It does not, I'm redirected to some other page which has a username/password form.
pom.xml: https://gist.github.com/anonymous/4cc27b3d9e59f67839bf
Application.java (which starts the Spring Boot app): https://gist.github.com/anonymous/6748b81d26b486dc617c
LoginUI (where I'm trying to go): https://gist.github.com/anonymous/a98f5099d5daa27fb391
Just did a quick experiment where I commented out all the Spring Security stuff.
When I tried the url http://localhost:8080/appXYZ/login, I did get to the LoginUI page.
Just have to fix the issues with Spring Security. But the #SpringUI("/login") redirect is working.
You need to also overwrite the configure(HttpSecurity http) method in your MySecurityConfigurer and specify a login page for Spring to redirect to when the user is not authenticated and is trying to access for example the /authorized path, while allowing access for all users to /login and other adjacent resources (/VAADIN, /UIDL, etc).
The following snippet is extracted from my answer to your other question as they are in close relation:
I changed a bit the ApplicationSecurity.configure(HttpSecurity http) method to http.csrf().disable().authorizeRequests().anyRequest().permitAll(); and I was able to proceed to the second screen. Now this may not be that safe from what I gathered, but it should give you a starting point.
Note: You may already know this but if you don't and it saves you some time I'm glad to share this as well, because it took me a while to figure it out. Depending on how you will setup your app security you may end up changing that method to something like below.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().
exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).accessDeniedPage("/accessDenied")
.and().authorizeRequests()
.antMatchers("/VAADIN/**", "/PUSH/**", "/UIDL/**","/login", "/login/**", "/error/**", "/accessDenied/**").permitAll()
.antMatchers("/authorized", "/**").fullyAuthenticated();
}
We're using CXF in Grails to call to another web service via SOAP. The service side has additional elements, but no changes to existing ones. I'd like the client side side to be able to work with the new service, simply ignoring the new fields and parsing the ones it already was. Is there some flag or something we can set to tell it to ignore extra elements/attributes/fields?
I found some posts that said to set "set-jaxb-validation-event-handler" to "false" but I have tried to do that in Config.groovy but it's still not working.
After more googling and experimentation I figured it out:
cxf {
...
client {
clientName {
// ...
requestContext = ['set-jaxb-validation-event-handler': false]
I noticed that grails applications, as most other java based web applications, always creates a session, even when it is not used.
Is it possible to set the JSESSIONID cookie only when needed, eg. when someone tries to log in?
The generation of a session cookie can be disabled by adding the following page directive:
<%# page session="false" %>
I'm not sure what version of grails was being used above, but I was running into a similar issue in a large application. My application was split between UI/gsp and other Controllers that served pure json/xml without a view. The UI portion was supposed to be the only part that used sessions, but the services were also returning JSessionId.
Because the application was large, in order to troubleshoot, I created new applications with grails 1.3.7 and 2.2.1, with a basic controller:
class FooController {
static defaultAction = "lookatme"
def lookatme = {render(view:'lookatme')}
def hallo = {render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
def somestate = {session.foo = "bar"; render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
}
When I run this on tomcat, neither lookatme or hallo returns a JSessionId. The action somestate does. After going back through our code, we found places (some filters, for example) that were attempting to access session when they shouldn't.
If your code is returning a session via JSessionId cookies, and you don't think it should, ensure there is no code used within that action (or filters) which access session (or flash?).
I would like to be able to log the requests that my app receives that are unauthorized. Because the Shiro plugin uses an HTTP redirect to send the user to auth/unauthorized the request object is a fresh one and I can't get the original URL; controller/action name; or request parameters from it.
Is there a way to determine either the original url, or the controller and action names (and request params if possible) inside the AuthController unauthorized action?
I am looking at http://plugins.grails.org/grails-shiro/tags/RELEASE_1_1_3/ShiroGrailsPlugin.groovy as a reference of the plugin source.
Details:
Grails 1.3.7
Shiro Grails plugin 1.1.3
I had the same problem... my solution is not perfect:
a browser sends the so called referer in one of the headers which you can get through
request?.getHeader('Referer')
But the referer is nothing you really can rely on -- but most of the browsers send it.
Another solution could be the filter: try to write the current url to another variable before you call accessControl() in ShiroSecurityFilters.groovy. You can get the current URL through request.forwardURI.
Update: just verified my last assumption - this seems the cleanest solution to me:
In ShiroSecurityFilters.groovy, replace
// Access control by convention.
accessControl()
with
// Access control by convention.
if (!accessControl()) {
session.deniedUrl = request.forwardURI
return false
}
which enables you to access the url as session.deniedUrl in your auth/unauthorized controller.