springSecurityService add second authentication before building roles - grails

I am using springSecurityService.
My flow is as follows:
Step #1: springSecurityService should check user & password.
If it succeeds,
Step #2: check second authentication.
If it succeeds,
Step #3: build roles and log in.
I tried implementing this in many ways but with no success. Can someone please advise?
Just to clarify, basically what I need is two-factor authentication.
Thanks!

Step 1:
Install the Spring Security plugin; for other settings read this
Step 2:
Use s2-quickstart, for example:
grails s2-quickstart com.yourapp.security User Role RequestMap
Step 3:
Configure your first account (User / Role / RequestMap) for login in bootstrap.
read this
Then you can try to log in with the default form provided by Spring Security.
In Grails 3.0+, you can read this
So in Grails 3.0+, you will get a default loginController.groovy and UsernamePasswordAuthenticationFilter.groovy from Spring Security.
But if you use Grails 2.0+, you can find loginController.groovy in the root of your controllers folder, and you can find UsernamePasswordAuthenticationFilter.groovy too, but I forget that location. You can search for it with tools like IntelliJ or others.

Related

Grails Spring Security Core 3.2.0.M1 - secure annotations not working

I have upgraded Grails and Spring Security to latest (3.3.0.RC1 and 3.2.0.M1 respectively) by following all of the migration paths but now my annotations no longer work. Control follows through to my not authorised callback (grails.plugin.springsecurity.adh.errorPage).
I have my own list of enum-backed Permissions that I use to populate my list of authorities, which are being correctly loaded for my user object, but they no longer work in my annotations using the hasRole expression as follows:
@Secured(["hasAnyRole('PERM_VIEW_REPORTS')"])
Other expressions are working fine, such as the following:
@Secured("authentication.name == 'sys_admin'")
@Secured("hasRole('PERM_VIEW_REPORTS')")
I don't suppose anyone has had any similar experience with the latest Spring Security release for Grails. Remember the above has worked perfectly until I upgraded but I don't see anything in the migration path that suggests there might be a problem with this system.
Thanks in advance for any suggestions.
This came down to the "ROLE_" prefix being mandatory again in the new Spring Security 3.2.0.M1 release. As can be seen from above, I had been using a "PERM_" prefix up to now to indicate that I'm using a permission-based instead of role-based paradigm.
I'm hoping to add this to the migration guide for the plugin as it's a major omission AFAIC. I would hope this would become a configuration option for the plugin in a future release.
EDIT:
It turns out Spring Security have introduced new methods hasAuthority() and hasAnyAuthority() which do not use the default role prefix and so can be used in place of hasRole() and hasAnyRole().
I have forked and updated the Spring Security docs for 3.2 and sent a pull request.
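The prefix behaviour described in the answer above, as an added example that is not part of the original posts and is not Spring Security's own source: a simplified Groovy model of hasRole() versus hasAuthority() matching, plus a helper that flags annotation expressions whose role names lack the prefix. ExpressionModel, withPrefix and riskyExpressions are hypothetical names, and the sample authorities and expressions are constructed.

```groovy
// Simplified model of the matching rules described above (illustrative names only).
class ExpressionModel {
    String defaultRolePrefix = 'ROLE_'   // the "ROLE_" prefix named in the answer
    Set<String> granted                  // authority strings held by the user

    // hasRole/hasAnyRole: prepend the prefix unless the argument already starts with it
    boolean hasAnyRole(String... roles) {
        roles.any { withPrefix(it) in granted }
    }
    boolean hasRole(String role) { hasAnyRole(role) }

    // hasAuthority/hasAnyAuthority: compare the string exactly as written
    boolean hasAnyAuthority(String... authorities) {
        authorities.any { it in granted }
    }
    boolean hasAuthority(String authority) { hasAnyAuthority(authority) }

    private String withPrefix(String role) {
        if (!defaultRolePrefix || role.startsWith(defaultRolePrefix)) return role
        defaultRolePrefix + role
    }
}

// Constructed sample: a user whose authorities use the PERM_ naming from the question
def user = new ExpressionModel(granted: ['PERM_VIEW_REPORTS', 'PERM_EDIT_USERS'] as Set)

assert !user.hasRole('PERM_VIEW_REPORTS')       // looks for ROLE_PERM_VIEW_REPORTS
assert !user.hasAnyRole('PERM_VIEW_REPORTS')
assert user.hasAuthority('PERM_VIEW_REPORTS')   // exact match, no prefix applied
assert user.hasAnyAuthority('PERM_AUDIT', 'PERM_EDIT_USERS')

// Audit helper: return expressions whose hasRole/hasAnyRole arguments lack the prefix
// and would therefore deny access for users holding only unprefixed authorities.
List<String> riskyExpressions(List<String> expressions, String prefix = 'ROLE_') {
    expressions.findAll { expr ->
        def m = (expr =~ /has(?:Any)?Role\(([^)]*)\)/)
        m.find() && m.group(1).split(',').any {
            !it.trim().replaceAll(/['"]/, '').startsWith(prefix)
        }
    }
}

// Constructed sample expressions, as they might appear inside @Secured annotations
def found = riskyExpressions([
    "hasAnyRole('PERM_VIEW_REPORTS')",
    "hasRole('ROLE_ADMIN')",
    "hasAuthority('PERM_VIEW_REPORTS')",
    "authentication.name == 'sys_admin'"])
assert found == ["hasAnyRole('PERM_VIEW_REPORTS')"]
```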
Please try with
@Secured('ROLE_USER')
If you're trying to secure with more than one Role
@Secured(['ROLE_USER','ROLE_ADMIN'])

Auth/Login View and Controller missing

I typed the following code and I got the login sorted.
s2-quickstart com.app User Role UserRole
Now, I want to get the View and Controller for the Login Screen. How can I get it? Should I generate it?
It's supposed to be there in the auth/ controller and the action is login.
But I don't even have an auth model class. All I have is the User model class, which has attributes Username, password etc.
2.) After successful login how can I redirect the view?
You are probably using spring-security-core:2.0-RC2. In this plugin version there is no loginController or logoutController in the controllers folder like in the previous version; everything about the plugin is in target > work > plugins > spring-security-core-2.0-RC2 > spring-security-core-2.0-RC2
There you can find loginController, logoutController and the auth view. In order to overwrite the auth view, all you need to do is create a new directory in the app views directory and name it just like the plugin view, in this case login, and inside login the views auth.gsp and denied.gsp
I hope this can be helpful
About your other question, "After successful login how can I redirect the view?", Grails Spring Security Core has two behaviors.
First, you can provide a default target; it is done by setting grails.plugin.springsecurity.successHandler.defaultTargetUrl = "/someurl"
Second, and the default behavior: if someone tries to access some URL in your app, SSC will intercept the request and ask for credentials; if the user successfully authenticates then the user will be taken to that URL, else SSC will ask again for credentials and so on.
Both behaviors can coexist
A simple view example in this repo in github
A simple example how to set defaultTargetUrl in the same repo
I hope it helps you

Configuring different target URLs after login according to user roles (grails spring security) grails 2.3.3 spring-security-core:2.0-RC2

I am trying the common issue of configuring different URLs according to Roles using grails 2.3.3 and spring security spring-security-core:2.0-RC2.
I've found the following posts:
first post and a
modification in a second post http://desmontandojava.blogspot.com/2013/08/grails-tip-different-url-depending-on.html
but none of them work for my version; references didn't work for my version or packages are different now. They are all based on Burt Beckwith's excellent presentation about hacking the Spring Security plugin, but they seem to be outdated. Has anyone tried this with a recent version of Grails and spring-security-core spring-security-ui?
I also tried the simple version of simply asking in a controller for the role and redirecting, but it didn't work either; it had an odd behavior.
This link worked for me: http://desmontandojava.blogspot.com/2013/08/grails-tip-different-url-depending-on.html
But only after I commented out this line in UrlMappings.groovy
// "/"(controller:"console", action:"myaction")
I was able to accomplish the task; however, I had a problem: when logged out, the application was redirected to root and I did not have index.gsp, so there was an error. The only thing I did then was add this property to Config.groovy.
grails.plugin.springsecurity.logout.afterLogoutUrl='/login/auth'

Custom login page in grails 2.3.4 with spring security core 2.0-RC2

I am using the new grails 2.3.4 with Spring Security Core 2.0-RC2 plugin. I have generated the domain objects and got also a user via the Bootstrap.groovy into the db. However, I am wondering where to specify a custom login for my page?
Is it also possible to do the sign up process via the spring security plugin?
I appreciate your answer!
Create a gsp in the following pattern: grails-app/views/login/auth.gsp.
This way the default template is automatically replaced.

Grails - Acegi: Customize Authentication Method

I want to change the authentication process that is used by the Acegi - Plugin. It should be a completely customized process. Custom login form + custom auth method.
Obviously there is only little documentation regarding this topic.
In the book The Definitive Guide to Grails it is described for an older version of grails. There the spring/resources.xml is used.
In the new version is a spring/resources.groovy file, where a DSL is used. I don't know how to configure a new AuthenticationManager.
How can I do this?
With respect to the form, you should have an auth.gsp under /grails-app/views/login. With respect to authentication, you probably only need to inject a different AuthenticateService in LoginController, which is under /grails-app/controllers/.
