I'm trying to create a Twitter-like app with Grails and SpringSecurity plugin, and what I want to do is to allow potential users to create an account from the login page (auth.gsp in SpringSecurityCore).
On this page I have a link to my UserTwitter's controller's create method. It calls the usual create.gsp page. And the problem : when I try to create a new account, it works when I'm previously logged in with another account, but doesn't if I'm not. What should I do ?
Thanks for your help.
May be your action is secured by Spring Security Service by using annotation or URL mapping in config. If this is the case then free your action from Spring Security Service. See this link to free your action from Spring Security Service.
Related
I'm new to SSO, so hopefully what I'm asking makes sense. So my current setup is a .NET MVC website using OWIN/cookies (app.UseCookieAuthentication()) and a custom user table (not ASP.NET Identity users).
So I'm wondering if I could add IdentityServer3 only for external providers, but leave all my existing user/authentication stuff as is for "local users". So I see that you can implement a custom IUserService to lookup users against your local database, and I think I got that working, but I'd like to even avoid that. And I'd like to avoid themeing the IdentityServer login screen. So something like this:
User hits up page with [Authorize] attribute.
User is redirected to my existing login page (not IdentityServer stuff)
Then my login page would have the external provider button(s) to login with external providers.
Is that possible? Or do you have to run your local users through IdentityServer3 also? I noticed I get an error if you don't provide a IUserService and don't use UseInMemoryUsers() either.
So from following various guides, I have this in my Startup.cs: app.UseIdentityServer(), app.UseCookieAuthentication(), and app.UseOpenIdConnectAuthentication() with Authority set to my IdentityServer endpoint.
Hopefully that made sense, Thanks!
Gonna answer my own question if it helps anyone else. The important piece here is AuthenticationMode in OpenIdConnectAuthenticationOptions. AuthenticationMode.Active is what will redirect the user to your OIDC provider anytime they hit an action with [Authorize].AuthenticationMode.Passive will allow you to use your OIDC provider as an additional authentication method. You want to follow the examples with ExternalLogin() and ExternalLoginCallback() controller actions that issue challenges to the provider and then match the authenticate user with your local user.
I am using ApacheDS 2.0.0.v20130628,I use Spring security ldap to authenticate users.
For a new user,once user registers an account with the web application an email will be sent to make the account active so that his email will also be verified.Until User clicks on the link sent to his email,User should not be able to Login to the application.So how can I disable the user account till then?
I came across with an attribute on web nsAccountLock,But I am unable to find this attribute in ApacheDS.
I want to know is there anything in ldap-user-service like "active" which is used in a SQL query for JDBC User service in spring security?
Any suggestions as how to go about on this?
nsAccountLock is used to lock accounts in Oracle Directory Server. But not in apache Directory server. even i'm facing the same issue for finding attribute for disabling user in Apache DS. its looks like they havent created any attribute for it.
I have used 'pager' as a option to know if the user is enabled or disabled.
Use the 'pwdAccountLockedTime' operationsl attribute, that's the standard way in Apache DS.
For more details refer
I have web application ( built using Grails ) in which I am using Spring Security with LDAP.
Login and logout behaviour works fine in application.
Now, I wanted to build the functionality where if admin is logged in application first time forward user to specific page instead of sending user to index/home page.
I modified LoginController ( auth method ) and tried to keep track of login by new domain class. But after login Login controller "auth method" is not called.
can anyone point me to right direction ? is there other controller I need to modify ?
The default Spring Security login form POSTs to a special URL: /j_spring_security_check (the exact URL used can be changed through the apf.filterProcessesUrl configuration parameter) This POST request is handled by the Spring Security internals. To add custom login logic, you can implement your own AuthenticationSuccessHandler as described here.
We are using thew Spring Security Plugin in our grails app.
We have useBasicAuth set to true as we use Spring Security to ensure our rest calls are called by trusted sources.
Now we have a requirement to add a user admin section to our system where the user can login with their credentials.
With useBasicAuth set to true, if the users session timesout, the popup dialog will appear and ask for the user to re-enter their credentials
For our app, we dont really want this.
Is it possible to have multiple setup's where useBasicAuth is set to true for the rest calls but we can use our own custom form for users that log in through a browser?
Or is it possible to still use BasicAuth and redirect users that log in through a browser to our custom log in form?
Thanks
Damien
If you want to have basic auth for all but admin controller, use below in your Config.groovy. It denies basicAuthenticationFilter in this controller. Standard Security should work for this page is such situation.
grails.plugins.springsecurity.filterChain.chainMap = [
'/admin/**': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter',
'/**': 'JOINED_FILTERS,-exceptionTranslationFilter'
]
More info in documentation: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/16%20Filters.html under Chain Map.
I have a grails 2.0 app with the spring-security-core 1.2.6 plugin. I have different pages that have a #Secured annotation with different roles (ROLE_USER and ROLE_ADMIN). This works but when I try to access either a user or admin secure page I get redirected to the same login page. I would prefer to tailor this login page to the roles that was requested.
For example, if a unauthenticated user tries to access a ROLE_USER page, I would include a link to the user signup page, but if they tried to access a ROLE_ADMIN page, it should not.
Is there a way to access the requested roles in the login page, or alternatively a method for getting a list of roles for a given URL?
To use two different login pages you must create a custom AuthenticationEntryPoint. Here is an example already on SO: Different login controllers in Grails project with Spring security.
To send the user to a different location based on the roles that they have, create your own custom SuccessHandler and based on what role the user has send them to a different page.
Here's a link to a blog post I found.
Hope that helps.