My Grails app uses the Spring Security plugin. Whenever a user successfully logs in I want to:
store something in the session
redirect them to a custom page (depending on their role)
I need to handle logout events similarly, which was pretty straightforward because the plugin provides a bean named logoutSuccessHandler that can be overriden. I was hoping to similarly find a bean named loginSuccessHandler, but no such luck.
I read the page in the plugin's docs about event handling, but neither of the event handling mechanisms appears to give me access to the current request or session.
If you want to do some stuff upon successful login. You can listen to InteractiveAuthenticationSuccessEvent
class AuthenticationSuccessEventListener implements
ApplicationListener<InteractiveAuthenticationSuccessEvent> {
#Override
public void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
.......do some stuff here
}
}
And then register AuthenticationSuccessEventListener as a spring bean in resources.groovy
You can do whatever you want here, however you wont be able to do redirect from listener.
Here's another similar question
Add a config parameter:
grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/myLogin/handleSuccessLogin'
Then add your custom login-handling in the action that handles this URL
class MyLoginController {
def springSecurityService
def handleSuccessLogin() {
session.foo = 'bar'
if (springSecurityService.currentUser.username == 'bob') {
redirect action: 'bobLogin'
} else {
redirect action: 'defaultLogin'
}
}
def bobLogin() {
// bob's login handler
}
def defaultLogin() {
// default login handler
}
}
I recently used this in a project for logging in. Its kind of a hack but works for me. I'm using version 1.2.7.3 of the plugin.
def auth() {
def config = SpringSecurityUtils.securityConfig
if (springSecurityService.isLoggedIn()) {
def user = User.get(principal.id)
def roles = user.getAuthorities()
def admin_role = Role.findByAuthority("ROLE_ADMIN")
//this user is not admin
if(!roles.contains(admin_role)){
//perform redirect to appropriate page
}
redirect uri: config.successHandler.defaultTargetUrl
//log.info(getPrincipal().username + "logged in at :"+new Date())
return
}
String view = 'auth'
String postUrl = "${request.contextPath}${config.apf.filterProcessesUrl}"
render view: view, model: [postUrl: postUrl,
rememberMeParameter: config.rememberMe.parameter]
}
For logging out I used a Logout controller, performed some action before redirecting to the logout handler:
class LogoutController {
/**
* Index action. Redirects to the Spring security logout uri.
*/
def index = {
// perform some action here
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl
}
}
Related
When I used #RequiresPermissions I got cannot resolve symbol 'RequiresPermissions' error. I already have imported org.apache.shiro.authz.annotation.RequiresPermissions.
Annotations are used as #RequiresPermissions("module:books:list")
My authorization class
class AuthController {
def shiroSecurityManager
def index = { redirect(action: "login", params: params) }
def login = {
return [ username: params.username, rememberMe: (params.rememberMe != null), targetUri: params.targetUri ]
}
def signIn = {
def authToken = new UsernamePasswordToken(params.username, params.password as String)
// Support for "remember me"
if (params.rememberMe) {
authToken.rememberMe = true
}
// If a controller redirected to this page, redirect back
// to it. Otherwise redirect to the root URI.
def targetUri = params.targetUri ?: "/"
// Handle requests saved by Shiro filters.
SavedRequest savedRequest = WebUtils.getSavedRequest(request)
if (savedRequest) {
targetUri = savedRequest.requestURI - request.contextPath
if (savedRequest.queryString) targetUri = targetUri + '?' + savedRequest.queryString
}
try{
// Perform the actual login. An AuthenticationException
// will be thrown if the username is unrecognised or the
// password is incorrect.
SecurityUtils.subject.login(authToken)
log.info "Redirecting to '${targetUri}'."
redirect(uri: targetUri)
}
catch (AuthenticationException ex){
// Authentication failed, so display the appropriate message
// on the login page.
log.info "Authentication failure for user '${params.username}'."
flash.message = message(code: "login.failed")
// Keep the username and "remember me" setting so that the
// user doesn't have to enter them again.
def m = [ username: params.username ]
if (params.rememberMe) {
m["rememberMe"] = true
}
// Remember the target URI too.
if (params.targetUri) {
m["targetUri"] = params.targetUri
}
// Now redirect back to the login page.
redirect(action: "login", params: m)
}
}
def signOut = {
// Log the user out of the application.
SecurityUtils.subject?.logout()
webRequest.getCurrentRequest().session = null
// For now, redirect back to the home page.
redirect(uri: "/")
}
def unauthorized = {
render "You do not have permission to access this page."
}
}
My application runs but when I login by using user that I have set, it directly sends me to unauthorized page. I have allowed some permissions to the user.
If you look at the Javadoc for that annotation (or the source) you'll see that it's allowed to be assigned to types (class-level) and methods (#Target(value={TYPE,METHOD})). You are defining your controller actions as closures, which is still supported in Grails 2.0+ but methods are preferred now. You cannot use that annotation on closures, since they are not methods even though Grails and Groovy let you use them like methods. If the Target annotation included FIELD in addition to the other types it would work, but it doesn't because the Shiro library doesn't have direct support for closures in Grails controllers.
So change all of your actions from closures to methods, e.g.
def index() { redirect(action: "login", params: params) }
def login() {
...
}
....
and then you can annotate them.
I have a Grails application with Spring Security implemented (CAS). However, after I hit the logout button, I am not logged out. I have the LogoutController, with following code:
class LogoutController {
def index = {
println "IN LOGOUT CONTROLLER TRYING TO LOGOUT"
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'
}
def accessDenied = {
}
}
And in my Config.groovy file, I have:
grails.plugins.springsecurity.logout.afterLogoutUrl = 'https://login.test.com/cas/logout'
The code for my GSP page is
<g:link controller='Logout'>Logout</g:link>
However, when I click the logout button I get redirected, but not fully logged out. Any ideas on what I am doing wrong?
Have you tried call session.invalidate() direct in the controller index method?
class LogoutController {
def index = {
println "IN LOGOUT CONTROLLER TRYING TO LOGOUT"
session.invalidate()
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl
}
}
Cheers
<g:link controller='Logout'>Logout</g:link>
def index = {
logoutProcessService.process(params)
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUr
}
I have integrated Spring security core plugin in my Grails application.
grails.plugins.springsecurity.successHandler.defaultTargetUrl = "/user/home"
This is what I have done to set default home page after successful login. But I would like to have different home page depending upon user roles
Currently I have 2 user roles
1)"ROLE_ADMIN"
2)"ROLE_USER"
How would I implement this?
One quick way would be to do the logic in the controller action. For example, the home action could render a different view based on role, e.g.:
import grails.plugin.springsecurity.annotation.Secured
class UserController {
def home() {
String view
if (SpringSecurityUtils.ifAllGranted('ROLE_ADMIN')) {
view = 'admin'
}
else if (SpringSecurityUtils.ifAllGranted('ROLE_USER')) {
view = 'user'
}
else {
// ???
}
render view: view, model: [...]
}
}
If you want to distribute the logic among different controllers, you could redirect based on role:
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils
class UserController {
def home() {
if (SpringSecurityUtils.ifAllGranted('ROLE_ADMIN')) {
redirect controller: '...', action: '...'
return
}
if (SpringSecurityUtils.ifAllGranted('ROLE_USER')) {
redirect controller: '...', action: '...'
return
}
// ???
}
}
You can configure an authentication success handler too which will redirect users to specific controllers based on the roles.
class CustomAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
LinkGenerator linkGenerator
private static final ADMIN_ROLE = 'ROLE_Admin'
#Override
protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
if(SpringSecurityUtils.ifAllGranted(ADMIN_ROLE)) {
return linkGenerator.link(controller: 'admin', action: "index")
}
return super.determineTargetUrl(request, response);
}
}
See Spring Security Core : Redirect users to different screen based on role
I need to execute a function before each def in the controller is invoked (before each new request is sent to the server). In this function I will
1) do a session check if valid forward the request to the appropriate action & controller with the params
2) do a sanitization check for user submitted params
I am aware of per controller interceptor, how can I write a global common interceptor.
how and where can I invoke this function in grails?
Thanks in advance..
You can use beforeInterceptor in the Controller for exactly the same purpose. Put this into a new controller say BaseController and put in all the stuff which you want to do and then extend all your existing Controllers with BaseController and you are ready to go. For more information on beforeInterceptor Click here
Note: If you already have some common controller which is extended by all other controllers, no need to implement a new controller. Just implement the beforeInterceptor in that controller itself.
Alternatively, you can have a filter implemented and do all your stuff in that filter. For more information on filters in Grails Click Here
You can add filter in following way to intercept each action
class AbcFilters {
def filters = {
abc1(controller: '*', action: '*') {
}
abc2(controller: '*Test', action: '*') {
}
abc2(controllerExclude: 'AppStartup*', action: '*') {
}
}
}
Here is a filter for every action in every controller:
all(controller: '*', action: '*') {
before = {
}
after = {
}
afterView = {
}
}
here is a filter for session check that uses spring security:
auditEntry(controller:'*', action:'*') {
before = {
if (session.isNew()){
def userName
def principal = SCH?.context?.authentication?.principal
if (principal instanceof String){
userName = principal
log.info "Anonymous user has logged into the application."
}else{
userName = principal?.username
log.info "User $userName has logged into the application."
log.debug (principal)
}
}
}
}
I'm working on a nearly clean grails 1.3.7 project with weceem 1.0RC2, spring-security-core 1.1.3, spring-security-ui 0.1.2, weceem-spring-security 1.0 and their dependencies installed.
Everything works fine except the user login. When I want to login over http://localhost:8080/appname/login i only get the following error message:
Sorry, we were not able to find a user with that username and password.
But the user still exists in the database and i get the same error message if i use a user created by spring-security-ui. To encode passwords i'm using springSecurityService.encodePassword('password'). The LoginController was generated by spring-security (s2-quickstart).
I think there could be a problem with the weceem - spring-security bridge, what's your oppinion?
Best regards,
whitenexx
import grails.converters.JSON
import javax.servlet.http.HttpServletResponse
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils
import org.springframework.security.authentication.AccountExpiredException
import org.springframework.security.authentication.CredentialsExpiredException
import org.springframework.security.authentication.DisabledException
import org.springframework.security.authentication.LockedException
import org.springframework.security.core.context.SecurityContextHolder as SCH
import org.springframework.security.web.WebAttributes
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
class LoginController {
/**
* Dependency injection for the authenticationTrustResolver.
*/
def authenticationTrustResolver
/**
* Dependency injection for the springSecurityService.
*/
def springSecurityService
/**
* Default action; redirects to 'defaultTargetUrl' if logged in, /login/auth otherwise.
*/
def index = {
if (springSecurityService.isLoggedIn()) {
redirect uri: SpringSecurityUtils.securityConfig.successHandler.defaultTargetUrl
}
else {
redirect action: auth, params: params
}
}
/**
* Show the login page.
*/
def auth = {
def config = SpringSecurityUtils.securityConfig
if (springSecurityService.isLoggedIn()) {
redirect uri: config.successHandler.defaultTargetUrl
return
}
String view = 'auth'
String postUrl = "${request.contextPath}${config.apf.filterProcessesUrl}"
render view: view, model: [postUrl: postUrl,
rememberMeParameter: config.rememberMe.parameter]
}
/**
* The redirect action for Ajax requests.
*/
def authAjax = {
response.setHeader 'Location', SpringSecurityUtils.securityConfig.auth.ajaxLoginFormUrl
response.sendError HttpServletResponse.SC_UNAUTHORIZED
}
/**
* Show denied page.
*/
def denied = {
if (springSecurityService.isLoggedIn() &&
authenticationTrustResolver.isRememberMe(SCH.context?.authentication)) {
// have cookie but the page is guarded with IS_AUTHENTICATED_FULLY
redirect action: full, params: params
}
}
/**
* Login page for users with a remember-me cookie but accessing a IS_AUTHENTICATED_FULLY page.
*/
def full = {
def config = SpringSecurityUtils.securityConfig
render view: 'auth', params: params,
model: [hasCookie: authenticationTrustResolver.isRememberMe(SCH.context?.authentication),
postUrl: "${request.contextPath}${config.apf.filterProcessesUrl}"]
}
/**
* Callback after a failed login. Redirects to the auth page with a warning message.
*/
def authfail = {
def username = session[UsernamePasswordAuthenticationFilter.SPRING_SECURITY_LAST_USERNAME_KEY]
String msg = ''
def exception = session[WebAttributes.AUTHENTICATION_EXCEPTION]
if (exception) {
if (exception instanceof AccountExpiredException) {
msg = SpringSecurityUtils.securityConfig.errors.login.expired
}
else if (exception instanceof CredentialsExpiredException) {
msg = SpringSecurityUtils.securityConfig.errors.login.passwordExpired
}
else if (exception instanceof DisabledException) {
msg = SpringSecurityUtils.securityConfig.errors.login.disabled
}
else if (exception instanceof LockedException) {
msg = SpringSecurityUtils.securityConfig.errors.login.locked
}
else {
msg = SpringSecurityUtils.securityConfig.errors.login.fail
}
}
if (springSecurityService.isAjax(request)) {
render([error: msg] as JSON)
}
else {
flash.message = msg
redirect action: auth, params: params
}
}
/**
* The Ajax success redirect url.
*/
def ajaxSuccess = {
render([success: true, username: springSecurityService.authentication.name] as JSON)
}
/**
* The Ajax denied redirect url.
*/
def ajaxDenied = {
render([error: 'access denied'] as JSON)
}
}
I just resolved a problem with identical symptoms.
It turned out that the mapping closure I had in my Config.groovy had a typo, and I was mapping a field that didn't exist to the 'password' field in the weceem view of the user.
So the custom UserDetailsService injected by the plugin just hated my user objects, and nothing worked right.
I changed passwd to password on the domain side of the mapping to make it match what was actually in my User object, and all was right with the world.
Its a bit tricky to tell from the little info you have provided. The Weceem Spring Security plugin bridges Spring Security Core to Weceem's authentication mechanism.
It does this by providing a custom UserDetailsService implementation that maps from a domain class to the session data object used by Spring Security Core.
This login URL, is it mapped to your own login controller detailed above? The UserDetailsService in the weceem-spring-security plugin uses the configured user domain class to call findByUsername(username):
void afterPropertiesSet() {
def conf = grailsApplication.config
def clsname = conf.grails.plugins.springsecurity.userLookup.userDomainClassName
domainClass = grailsApplication.getDomainClass(clsname).clazz
def mapper = conf.weceem.springsecurity.details.mapper
if (!(mapper instanceof Closure)) {
throw new IllegalArgumentException(
"Your Config must specify a closure in weceem.springsecurity.details.mapper "+
"that maps the domain model to a non-domain object, providing at least: ${REQUIRED_MAPPED_FIELDS}")
}
detailsMapper = mapper
}
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
domainClass.withTransaction { status ->
def user = domainClass.findByUsername(username)
if (!user) throw new UsernameNotFoundException('User not found', username)
...
So as you can see from the above, I think that last line may be where it is ditching out for you, due to some spring domain class / username issue?
If the problem is related to logging into Weceem once installed (which it doesn't appear to be) you need to make sure you have configured how Weceem Spring Security should map from your user domain class to the internal data needed by weceem and spring sec core to function, see:
http://grails.org/plugin/weceem-spring-security