I am trying to get more details when I log into my Grails application using Spring Security.
For e.g.:
When I log in using :
http://localhost:8080/XXX/auth/login
I get authentication success and below is the sample response.
{"username":"lalit","roles":["XXX"],"access_token":"something"}
Instead of this, I would also like to return some more user related data like full name.
{"username":"lalit","roles":["XXX"],"access_token":"something","fname":"Lalit Agarwal"}
So, you could see full name also returned as response when I log in.
Note: I have already added a custom field fullName using this : http://grails-plugins.github.io/grails-spring-security-core/guide/userDetailsService.html
The link you noted pretty much outlines exactly what you need to do. You should extend the GormUserDetailsService (or write your own and make sure it implements GrailsUserDetailsService) to make sure that when loadUserByUsername is called, it add the full name to the returned object. Then you just need to add the new bean to your resources.groovy file under the name userDetailsService.
Related
I am using Umbraco 7.2.8. When a new Document of a specific type is saved, I am hooking into the ContentService.Saved event and I want to be able to set the Public Access to only allow a specific member group access to it. Just like I would do using the Gui here.
I see in the documentation here https://our.umbraco.org/documentation/Reference/Management/Services/ContentService There are a couple methods like
.AssignContentPermission(IContent content, char permission, IEnumerable userIds)
and
ReplaceContentPermissions(EntityPermissionSet permissionSet)
which both allow me to pass in a list of userIds users that have access but I am interested in setting the membership groups that have access as well as the Login Page and Error Page. How can I do this?
Used to do it like this. I think it still applies:
Access.ProtectPage(false,nodeIdOfPageToProtect,loginPageNodeId,errorPageNodeId);
Access.AddMembershipRoleToDocument(nodeIdOfPageToProtect,"roleName");
Methods are in umbraco.cms.businesslogic.web so make sure you set this for your page
using umbraco.cms.businesslogic.web;
Does that help?
I am working with Spring Websocket (4.1.4 release) and using #SendToUser for sending messages to the current user. But I've a problem. Ours is a multi-tenant platform where username is not unique, instead a combination of username and tenant id is unique. The DefaultUserSessionRegistry keeps a map from username to a list of session ids:
private final ConcurrentMap<String, Set<String>> userSessionIds = new ConcurrentHashMap<String, Set<String>>();
which would not work in my scenario. So is there a way I can plugin my custom UserSessionRegistry implementation?
After a code search, the issue seems related to this line.
I found that this class is extended by WebSocketMessageBrokerConfigurationSupport, which is extended by a #Configuration class (DelegatingWebSocketMessageBrokerConfiguration), so you could try to extend it by yourself, like in this example:
https://github.com/arawn/overview-of-spring4/blob/master/src/main/java/jco/conference/oxquiz/WebSocketConfig.java
I had no time to verify this, but if your problem is only the UserSessionRegistry implementation, this could be the way of overriding that #Bean method.
Update:
After digging a bit more, I found the real entry point to the whole flow: search for the DefaultHandshakeHandler class, having the determineUser method (I cannot add more links because of my low score)
Is there a way to add my own auto generated field to domain like id and version , If yes the please guide me . provide me URL form where i can read and under stand the core concept of Grails and Domain specific language .
use install-template in the app to get all default templates:
grails install-template
after which you would be able to see /src/templates (newly created)
Modify DomainClass.groovy under /src/templates/artifacts as below:
#artifact.package#class #artifact.name# {
//according to your need
Long myId
Integer myVersion
static constraints = {
}
}
Done!!!!
Henceforth, when create-domain-class command is used to create a domain class, those fields will be auto populated.
I am not sure I am understanding your question correctly but here is the link to the web features of Grails documentation. The "Link Generation API" may be something you are asking after.
If you would like to manage ID and version than using Spring Security (plugin or full docs) or SQL features may be the direction you want to read more about.
EDIT: Try this Stackoverflow question and answer on using inheritance. Seems to be very similar to what you are asking.
You would need to write an AST transform to inject the fields you want to add automatically. The one that injects ‘id’ and ‘version’ can be found here as an example:
https://github.com/grails/grails-core/blob/master/grails-core/src/main/groovy/org/codehaus/groovy/grails/compiler/injection/DefaultGrailsDomainClassInjector.java
You would then need to write a GORM event listener to automatically update the values of these properties. See
https://github.com/grails/grails-data-mapping/blob/master/grails-datastore-gorm/src/main/groovy/org/grails/datastore/gorm/events/AutoTimestampEventListener.java
For an example of the one that updates the dateCreated/lastUpdated properties.
These can both be written in a separate Gradle/Maven project which you then reference in the dependencies of your BuildConfig.groovy file.
I am authenticating using LDAP, and everything works fine for users within a specific domain. But I'm having difficulty understanding how I can authenticate users that are under a second domain. My current configuration shown below specifies the first domain in the user-search-base. I removed that parameter, in hopes that it would search all domains, but that didn't work. I also tried specifying the domain as part of the user name when prompted, such as domain\user, but this didn't work either.
<security:authentication-manager alias="authenticationManager">
<security:ldap-authentication-provider
user-search-filter="(samaccountname={0})"
user-search-base="dc=domain,dc=company,dc=com"
user-context-mapper-ref="userContextMapper" >
</security:ldap-authentication-provider>
</security:authentication-manager>
<security:ldap-server
url="ldap://some.url.com:3000"
manager-dn="CN=USER1,OU=FacMgr,OU=FAC,OU=Exchange,dc=domain,dc=company,dc=com"
manager-password="xxxx"/>
Will I need to create a custom search, and if so, can someone provide an example in this context?
It appears as though you're using Active Directory, in which case I wonder why you're not using the more basic ActiveDirectoryLdapAuthenticationProvider class.
At any rate, you should be able to accomplish what you need by extending either LdapAuthenticationProvider or ActiveDirectoryLdapAuthenticationProvider, and passing the appropriate domain to the superclass' method.
Create a constructor which accepts two different LdapAuthenticator objects, and add a second 'try' statement in the doAuthentication method's catch (UsernameNotFoundException notFound) statement (after the check against bad credentials). Use whatever approach you like to get the getAuthenticator method to try the second authenticator if the first one fails.
This approach should work, but if both domains have a username of jsmith, but the user in question resides on the second, you may encounter problems -- that is, this is not a particularly good solution, but it is a solution.
To build this all up properly, use a custom authentication filter (extend the UsernamePasswordAuthenticationFilter), and have the LdapAuthenticationProvider.getAuthenticator() method identify the domain from the value passed by the filter (in your custom login form).
You may need different manager accounts, but this is hopefully enough for you to go on.
The trick to making this work is to use ActiveDirectoryLdapAuthenticationProvider. To do this, just make the following changes:
In resources.groovy:
// Domain 1
ldapAuthProvider1(ActiveDirectoryLdapAuthenticationProvider,
"mydomain.com",
"ldap://mydomain.com/"
)
// Domain 2
ldapAuthProvider2(ActiveDirectoryLdapAuthenticationProvider,
"mydomain2.com",
"ldap://mydomain2.com/"
)
In Config.groovy:
grails.plugin.springsecurity.providerNames = ['ldapAuthProvider1', 'ldapAuthProvider2']
This is all the code you need. You can pretty much remove all other grails.plugin.springsecurity.ldap.* settings in Config.groovy as they don't apply to this AD setup.
Documentation:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ldap-active-directory
in our new software project, we have the following requirement: A webpage shall show a set of data. This data shall be editable by some users (assigned to roles, i.e. manager), and only viewable by others. The tricky part is described by an example:
A User-page consists of address data and account information. The addess data shall be editable by the user and the manager and viewable by all users, while account information shall only be viewable by the actual user and the manager.
I have read a lot of information about SpringSecurity. It provides a very good framework to gran permissions on urls and methods and even domain classes. But what I need is field level ACLs. At least, that's what I think at the moment.
So, the question is: How to solve this problem using Grails?
Thanks a lot in advance,
Regards Daniel
Spring Security (Acegi Plugin) is definitely the way to go with Grails.
There is a taglib you can use that will allow a page to be different for different roles such as the following:
<g:ifUserHasRole roles="ROLE_ADMIN">
html code for extra fields
</g:ifUserHasRole>
Me, I'd encode it on the domain class, emulating the way GORM has you annotate the domain classes (static access = [field1: "ROLE_USER", field2: "ROLE_ADMIN,ROLE_USER"] as an example). Then build a method your controller could use to redact them for a given user. That method could use the domain class's annotations to decide how to redact it. Then, metaprogram it onto each of the domain classes the way plugins do.
Similarly, write the opposite method to restrict data bindings of params into the domain class, write your own data binding utility method, then metaprogram it onto each domain class as well.
Then you can just use instance.redact(user) or instance.bindData(params, user) to do what you want, and it's practically declarative syntax.
We have a similar situation and use both the ifUserHasRole tag in the gsp to drive the appropriate presentation and the we have a filter that enforces the rules based on the action being called. For example, on user controller we would only allow the management roles to call save action, or if the user.id is the same as the session.user.id. This seemed to be the best option for our situation.
What about creating an ACL class like this:
class ACL(val entry: Entry*) {
def isAccessAllowed(subject: String, permission: String): Boolean = ...
}
class Entry(val subject: String, val permission: String*)
usage:
new ACL(
new Entry("dave", "read", "write"),
new Entry("linda", "read")
)
(This example is in Scala, because I found it more expressive in this case, but it should be easy to transfer it to Groovy.)
You would then connect an ACL object with the object to be protected.