I am using spring security core plugin in my grails application. but now I have a custom requirement.
I need to re-authenticate the user for some secret screens each time before opening these, even user is signed in already.
On re-authentication auth screen, I also want to add a secret pin code after username and password.
What will be the best way to implement this or is there any plugin available with this functionality ?
As far as I know there isn't any plugin that would address this for you. However, Glen Smith posted a few years ago how to implement your own custom authentication for specific URIs using the Grails Spring Security core plugin.
What he outlines there is very similar to what you will need to do:
Create a custom authentication object to hold the request.
Create a custom authentication provider to authenticate the request.
Create a custom security filter to apply to your URIs.
You should also note Burt's comment on the mentioned post about how to register custom authentication filters. This eliminates some of the code Glen provided.
Your implementation will be slightly more complex since you will need an additional filter to catch an authentication failure and route the user to the special login page. This is where things get quite tricky, but with the information above you should be able to get started and ask questions as you hit roadblocks.
Related
We have a legacy Identity Provider which only supports two authentication mechanisms:
Oauth 1.0.
A custom service I can call with a user and password and
obtain a session token which then has to be placed in a custom
header of every other call to the IdP —to get user info and such.
I’d like to know whether there’s any plugin that will allow configuring Jenkins to delegate authentication to such an IdP through either mechanism. I'm starting to look at the Oauth Credentials Plugin, but it doesn't look like it'll do the trick.
By itself, this library has no user visible changes, it is intended only to surface new extension points on top of which OAuth providers may surface their own OAuth2Credentials implementations.
If not, then what are my options here? I’m thinking of writing a plugin to implement one of these. Is there a good guide I can use? Or an existing plugin I should extend?
As it turns out —and just in case anyone else is wondering how to do this— the Oauth Credentials Plugin is not for delegating Jenkins authentication to an Oauth Identity Provider. It's for creating Jenkins credentials which can then be used by jobs.
At this point in time, there's no plugin which will allow you to delegate Jenkins authentication to an identity providier exposing the deprecated Oauth 1.0 spec. You'll have to implement your own. The right way to do this is to extend this class:
hudson.security.SecurityRealm
I started doing this by following the examples set by Github's and Google's Oauth 2.0 plugins. But these both take very different approaches to the same problem — which filled my head with questions. So I did some more research and found this nice article which explains the basics and also points to a bare bones security realm example of how to do this. It helped me a lot. I hope it'll help others as well.
I have some question that depends on initegration Spring Security 3 and CAS technology.
I know that SS gives me abilities to setup CAS auth with some providers and filters. But I didnt see examples that describe how can I use my custom login form or page.
CAS gives options to setup custom design of login page, but this solution isnt for me.
I need to implement pop-up login form in my applications. This is requirement and I can`t change anything.
So, my question is:
How can I integrate Spring Security and CAS with my custom login form/page?
Give me some examples or thematic links about this question, please.
Or maybe I mustn`t use CAS. Maybe some OpenId techonology?
Thanks!
One of basic principles of CAS: actual application does not know anything about user password. So if you absolutely want to have login page with password then consider using some other technology. For example if you can add for each your application a sub domain then authentication based on domain coockie will be good enough (consider Google with docs.google.com, mail.google.com, etc...)
My problem:
I would love to use the Spring Security plugin's access control/authorization mechanism with my Grails application without having to use the plugin's authentication mechanism. The various Grails Spring Security plugin examples (like this one) I've found combine these two functions. Is there an easy way to just do access control?
Background:
I would like to add roles-based access control to my existing app. I would love to either just annotate my controllers or use the Config.groovy map approach for setting up the access control.
My app already has a user domain class.
The user domain class already handles encrypting passwords using BCrypt.
The app does not have a "role" domain class.
I already have controller actions, views and business logic for handling logging in and logging out. I have no interest in replacing this with the plugin's implementation.
On the right track, but not quite helpful:
I know this is possible to do, as explained in this other question: BUT, that questions and its answers explains how to do it in a Java app using the raw Spring Security framework. I would love for someone to lay out how to do this in a way that is compatible with the latest version (1.2.7.3 as of this writing) of the Grails Spring Security plugin. I don't want to reinvent wheels that have already been taken care of by the plugin.
In addition, this example explains how to do some of this, but it appears to be outdated because it is based on an older version of the plugin that uses Spring Security 2.x. It also only uses custom authentication for one piece of the app, while it looks like it still uses the Spring Security plugin's domain classes elsewhere.
How to do it?
Can someone lay out an approach for me?
I assume I need to create my Role domain class.
After that I assume it will involve custom Authentication objects and the like. But how do I hook them into use the plugin's existing code?
You could go with a custom authentication provider and I have an updated version that I did as part of a recent talk. See this blog post which has a sample app and link to a video of the talk: http://burtbeckwith.com/blog/?p=1090
It would be simple to use a custom UserDetailsService - this is the most common customization done for the plugin and it so has its own chapter in the docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Basically you need to create a Spring Security User instance and Spring Security (and the plugin) doesn't care how you get the data. So your custom UserDetailsService just needs to be a bridge between your current auth scheme and Spring Security.
I ended up creating my own access control/authorization mechanism rather than using the Spring Security plugin. I never could figure out how to separate the plugin's authentication mechanism from the authorization mechanism. Doing the work myself was very easy.
I did the following:
Created a new Role domain class.
Added a Set property and hasMany relationship to my User domain class.
Created a new AuthorizationFilters filter. This is where I put in my authorization rules. In this filter I can check to see if a user has the role necessary to access the given URL and redirect to a login page, redirect to a "not authorized page" or allow them to pass.
This doesn't have the nice syntactic sugar of the plugin and isn't quite as concise either, but it was very easy to implement and understand.
I mean need different:
Login URL
Login out url
session time url
authentication provider
error page
css
for different entry point.
Is this possible?
From 3.1.0 (which is currently beta) it will support multiple <http> elements in the namespace.
So short answer:
In 3.1.x yes.
In 3.0.5.RELEASE no.
Longer aswer:
Here is additional info, check the links in the comments also.
I had a similar problem once, since I had multiple entry points.
A good way IMO would be to make a new login page which decides which login page to redirect to or even calls the logic of the other entry points. Then you can point spring to the new page.
I'm pretty sure this can be done inside the filter chain, but I wouldn't recommend it since you will need a lot of manual coding and bean definitions. Generally I don't think 3.0.5 was designed for multiple entry points.
With multiple <http../> elements, you can achieve most of what you want but the authentication manager is going to be common and that means authentication providers are going to be common. See the issue faced by #David Parks in the post Spring Security 3.1.0.RC1: With multiple elements why can I only register one authentication manager?.
You can see my answers to similar questions such as Configuring Spring Security 3.x to have multiple entry points and Authenticate user using external webservice in grails to develop custom code to execute entry point specific authentication providers. This can be implemented in 3.0.5 as well.
You can implement solution in 3.0.5 without multiple <http../> elements but you will be need to develop custom code to handle logout and error pages.
There is org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint
since 3.0.2.
It might help.
Ok, second try here.. hoping I phrase my question better to get a few responses.
I am currently working on a small project developed in Grails with the Spring Security plugin to handle account management and security. I want to intercept the login function and add some custom code. The goal is to have 2 options available to the end user for registration, the default spring security/application option and the other using facebook connect.
I did notice and read up on the facebook connect features in Spring Security but to me, it doesnt seem to fit my requirements exactly. I cannot assign permissions/roles to these facebook connect users if I were to use the default facebook connect features in Spring Security. Anyone else run into this?
How can I intercept the login function? There is an auth method in Login but thats not exactly where I think I need to inject my own custom business logic. Any help with this would be most appreciated.