We are using grails 2.3.5 app with mongodb (no hibernate installed). I had forked & modified grails database session plugin with HQL queries to use simple queries so as to support mongodb.
Then when I'm trying to login via ajax, it fails. By fail, I mean that, session in created & persisted to the database but not able to login. When I enabled to logs, I saw cookies is present in the request path /j_spring_security_check after authentication but is not available after redirect i.e. in path /login/ajaxSuccess which causing authentication to be treated as false & a new session is created.
Our URL mapping config looks like this: (Does not matters)
"/$controller/$action?/$id?(.$format)?" {
constraints {
}
}
"/v2/$customController/action/$customAction" {
controller = {
return params.customController?.toUpperCamelCase()
}
action = {
return params.customAction?.toUpperCamelCase()
}
}
"/v2/$resource/$resourceId?/$subResource?/$subResourceId?" {
controller = {
if (params.subResource) {
return params.subResource.toUpperCamelCase()
}
return params.resource.toUpperCamelCase()
}
action = {
Map actionMethodMap = [GET: params.resourceId ? "show" : "index", POST: "save", PUT: "update", DELETE: "delete"]
return actionMethodMap[request.method.toUpperCase()]
}
id = {
if (params.subResource && params.subResourceId) {
return params.subResourceId
}
return params.resourceId
}
}
Our configuration looks like this for spring security:
grails.plugins.springsecurity.authority.className = 'com.test.Role'
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.test.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.test.UserRole'
grails.plugins.springsecurity.useSessionFixationPrevention = true
//grails.plugins.springsecurity.redirectStrategy.contextRelative = true
grails.plugins.springsecurity.successHandler.defaultTargetUrl = "/app/ng/index.html"
grails.plugins.springsecurity.auth.loginFormUrl = "/app/ng/index.html#/auth/signin"
grails.plugins.springsecurity.auth.ajaxLoginFormUrl = "/v2/login/action/auth-ajax"
grails.plugins.springsecurity.ui.encodePassword = false
grails.plugins.springsecurity.controllerAnnotations.staticRules = [
'/j_spring_security_switch_user': ['ROLE_ADMIN'],
'/ck/standard/filemanager': ['ROLE_ADMIN'],
'/ck/standard/uploader': ['ROLE_ADMIN'],
'/ck/ofm/filemanager': ['ROLE_ADMIN'],
'/ck/ofm/filetree': ['ROLE_ADMIN'],
'/quartz/**': ["ROLE_ADMIN"],
'/**' : ['IS_AUTHENTICATED_ANONYMOUSLY']
]
Other than this, grails.serverURL config is commented for all environments to support wildcard subdomain.
Using:
Spring Security Core plugin version 1.2.7.3
Cookie plugin version 0.51
Webxml plugin version 1.4.1
Mongodb plugin version 2.0.1
Related
My web application created using Grails 2.4.4 with shiro:1.2.1 and it's working fine. In my application I've created one user with limited permissions called xyzUser.
Now I've a domain, username, password of the active directory. And my requirement is to allow the request from the same and bypass login page and provide all the access of xyzUser.
For that I've tried
org.grails.plugins:ldap:0.8.2
plugins and add following configuration in config.groovy (https://grails.org/plugin/ldap)
ldap {
directories {
directory1 {
url = "ldap://demo.myDomain.in"
base = "ou=demo,dc=myDomain.in"
userDn = "uid=Username,ou=demo,dc=myDomain.in"
password = "Password"
searchControls {
countLimit = 40
timeLimit = 600
searchScope = "subtree"
}
}
}
typemappings = [
my.app.MyTypeMappings
]
}
Now I can't understand that what to do next to fulfill my requirements...
In my Grails 2.5.1 application , i was using a filter to use HTTPS with some controllers , everything was working fine but suddenly this filter is not working any more .
Filter :
def filters = {
all(controller:'checkout', action:'onlinePayment') {
before = {
if (!request.isSecure() /*&& !Environment.isDevelopmentMode()*/) {
def url = "https://" + request.serverName+':8443' + request.forwardURI
println "in filter"
redirect(url: url, permanent: true)
return false
}
}
after = { Map model ->
}
afterView = { Exception e ->
}
}
}
Here is the checkout page :
Also i found that no requests came to the filter as in filter was not printed out, is there something i need to check to fix this issue rather than this filter
I am new to Grails and I am working on an exisiting application. I am trying to force the anyone using our website to allways be on https. I added the Spring Security Core plugin
//BuildConfig.groovy
compile "org.grails.plugins:spring-security-core:2.0.0"
and I just added
///Config.groovy
grails.plugin.springsecurity.secureChannel.definition = [
'/**': 'REQUIRES_SECURE_CHANNEL'
When I try to go on localhost:8080/myapp, it redirects me to https://localhost:8443/myapp, but I get a "This webpage has a redirect loop ERR_TOO_MANY_REDIRECTS" message.
I added print statements in my SecurityFilters.groovy, and I can see the infinite loop going
baseFilter(controller: "*", action: "*")
{
before = {
println "baseFilter"
// If auth controller then ok to continue
if (controllerName.equals("auth"))
{
return true;
}
// If no subject (user) and not auth controller then user must authenticate
if (!session.subject && !(controllerName.equals("auth")))
{
params.targetUri = request.forwardURI - request.contextPath
if (params.action=="profile") {
params.targetUri=params.targetUri + "?page=" + params?.page
}
else if (params.action=="results") {
params.targetUri="/home"
}
println "baseFilter: Redirecting: PARAMS = $params"
redirect(controller:'auth', action:'login', params: params)
return false;
}
}
}
It's just:
baseFilter
baseFilter: Redirecting: PARAMS = [action:auth, format:null, controller:login, targetUri:/login/auth]
Over and over.
I've tried many other things I found on Stackoverflow and other websites, but they either do not work, or are too complicated.
Thank you.
Ok, so this isn't the answer to the question, but I managed to achieve what I was trying to do, which was to force SLL, and redirect any attempts to use http. I did this by using the shiro plugin, which was already being used by my application. In the Buildconfig.groovy, just add compile ":shiro:1.2.1" to you plugins. In the config.groovy I added the following properties:
security {
shiro {
filter {
loginUrl = "/login"
successUrl = "/"
unauthorizedUrl = "/unauthorized"
filterChainDefinitions = """
/** = ssl[443]
"""
}
}
}
You can modify your filterChainDefinitions to only force ssl on certain urls. I just used /** because I always want SSL.
I have the following code in my grails app:
def list () {
def roles = principal.authorities*.authority
def page = roles.contains("ROLE_ADMIN")? "allcolors": "usercolors"
if (params.sort == "latest" || params.sort == null) {
logger.debug("came in if");
render view: page, model: [colorlist: colorService.colorList()]
}
else
render view: page, model: [colorlist: colorService.colorListForUser()]
}
When I run my application with grails run-app the above code works fine. However, when I deploy the war file created by grails test war target/myapp.war the above code does not work and errors with "Page not found" even though the debug statement came in if still gets printed.
I've tried to run this app in development with grails test run-app as well but even then the above does not work. Interestingly, when I run the app in prod mode (grails prod run-app) everything works fine as well. So it is certainly something to do with the test environment
Also, to ensure there aren't any data discrepancies I've changed dev test and prod to point at the same development database.
Could it be that my app has some special setting for test environment that I'm failing to see ...which would cause "render" to not work?
My environment looks like this:
environments {
development {
grails.logging.jul.usebridge = true
}
test {
grails.logging.jul.usebridge = true
}
production {
grails.logging.jul.usebridge = false
}
}
And DB config looks like this:
environments {
development {
dataSource {
dbCreate = "update" // one of 'create', 'create-drop', 'update', 'validate', ''
url = "jdbc:mysql://localhost/myapp?useUnicode=yes&zeroDateTimeBehavior=convertToNull&characterEncoding=UTF-8"
username = "root"
password = ""
}
hibernate {
}
}
test {
dataSource {
dbCreate =
url = "jdbc:mysql://localhost/myapp?useUnicode=yes&zeroDateTimeBehavior=convertToNull&characterEncoding=UTF-8"
username = "root"
password = ""
properties {
}
hibernate {
}
}
}
production {
dataSource {
dbCreate = "create-drop"
url = "jdbc:mysql://localhost/myapp?useUnicode=yes&zeroDateTimeBehavior=convertToNull&characterEncoding=UTF-8"
username = "root"
password = ""
}
}
}
How can I resolve this or troubleshoot it further??
run-app runs with the default "development" data source, which is not to be confused with the "test" environment. Check your Config.groovy (edit: and DataSource.groovy) and make sure you have test { } configured within your environments.
More info can be found in the grails documentation here:
http://www.grails.org/Environments
Using the Grails OAuth plugin requires that an absolute callback URL be provided in Config.groovy. However I have different serverURLs for each environment.
Is there a way to get the current environment from inside Config.groovy, here's an example of what I want to do:
def devServerUrl = 'http://dev.example.com'
def prodServerUrl = 'http://prod.example.com'
def currentServerUrl = grailsApplication.metadata.environment == 'development' ? devServerUrl : prodServerUrl;
environments {
development {
grails {
serverURL = devServerUrl
}
}
production {
grails {
serverURL = prodServerUrl
}
}
}
oauth {
providers {
runkeeper {
api = RunKeeperApi
key = 'key'
secret = 'secret'
callback = currentServerUrl + '/oauth/runkeeper/callback'
}
}
}
Any ideas? Thanks!
Try this:
def currentServerUrl = Environment.current.name == 'development' ? devServerUrl : prodServerUrl;
I think it is cleaner to set different grails.serverURL for each environment and then do:
callback = "${grails.serverURL}/oauth/runkeeper/callback"