Applying Spring Security to a plugin - grails

I'm developing a plugin to provide some specific functionality. The plugin "has it all": the complete vertical slice (services, controllers, domain-classes, GSPs). On the plugin level no security is used.
Now I want to integrate the plugin into the main app, and apply some security rules like #Secured(['ROLE_SUPER']).
The way I'm doing it now is not too elegant:
#Secured(['ROLE_SUPER'])
class SomeController extends SomePluginController {}
This mass of such zero-value code grows along with the number of controllers.
What can be improved here?
TIA
UPDATE:
the grails.plugin.springsecurity.controllerAnnotations.staticRules map doesn't work.
I have a plugin AggregationPlugin with TaskController and index-action inside.
I tried to put it so:
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/task/**': ['ROLE_SUPER'],
'/aggregation/**': ['ROLE_SUPER'],
'/plugins/aggregation-0.1/**': ['ROLE_SUPER'],
]
but I still can access the page anonymously.
I'm using Grails 1.3.7 and spring-security-core 1.2.7.2
UPDATE #2:
So, after some attempts I found the most elegant solution. Instead of staticRules which doesn't work for some reason in my setup and which can become really big, if you have many plugins to apply security to, I added a dependency to the plugin:
compile( 'org.springframework.security:spring-security-core:3.0.7.RELEASE' )
so that I can use the #Secured in my controllers now without the whole security plugin. Upon installation into the main app they will be picked automatically by the security plugin.

You can put the configuration for the plugin controllers in Config.groovy:
grails.plugins.springsecurity.controllerAnnotations.staticRules = [
'/somePlugin/': ['ROLE_SUPER']
]
Check out the official docs, scroll down to section controllerAnnotations.staticRules.

Related

Dynamic Controller Plugin for grails

I'am new to grails, I wanted to make use of Dynamic Controller Plugin (http://grails.org/plugin/dynamic-controller) in my project.
I am using grails version 3.2.11
I've added the dependency as directed on the page. It downloads the dependency in the form of zip, I can see it in External libraries. But when I am trying to import two classes (as directed on http://burtbeckwith.com/blog/?p=1041 Linking to existing Controller Actions
approach)
import com.burtbeckwith.grails.plugins.dynamiccontroller.ControllerClosureSource
import com.burtbeckwith.grails.plugins.dynamiccontroller.DynamicControllerManager
it gives " unable to resolve class" error. Please suggest what am I doing wrong here. Thanks!
You're trying to install a Grails 2 plugin in a Grails 3+ app, but that's not possible since they're not compatible. Grails 2 plugins must be upgraded and reworked to be used in Grails 3, and there's no plan to do so for this plugin.
I would say take a look at the URL Mappings & Embedded variables in the grails documentation.
https://docs.grails.org/3.2.11/guide/single.html#embeddedVariables
For example:
static mappings = {
"/blog/$topic"(controller: "blog")
}
which gives you a feeling like you are dynamically declaring actions.
And the topic variable is accessible through GrailsParameterMap params object # controller.
With this you can construct url like:
www.mysite.com/blog/football
www.mysite.com/blog/tvshow
www.mysite.com/blog/etc
Edit: you can also take a look at Dynamic Controller and Action Names [https://docs.grails.org/3.2.11/guide/single.html#_dynamic_controller_and_action_names]

FilterRegistrationBeans not executing with introduction of springSecurityFilterChain

If I set up SS HttpSecurity using Java Config. Spring Boot creates a springSecurityFilterChain, which is logged during setup logs. However, the FilterRegistrationBeans now with standard URL patterns are not invoked.
2 Part Question:
Is this standard behavior? Where... once Spring Security is installed, all of my Servlet FilterBeanRegistrations are suddenly broken?? I would have thought Spring Boot would auto-figure out how to "add" them onto the appropriate springSecurityFilterChain automatically. Anyway, that is not what I am seeing.
I see the http.addFilter(myFilter) API methods. But, I don't want to pollute my SecurityConfig to know about all these filters I have. How do I add my custom Servlet filters into the springSecurityFilterChain bean from the 'outside' so to speak? You know.. 'auto-configure' them myself, onto the springSecurityFilterChain. :)
As you can see below, the WebSecurityConfigurerAdapter adds a lot of stuff to the security filter chain by default.
Although I still don't know which one of the settings caused the FilterBeanRegistrations to break, setting disableDefaults to true and configuring the security filter chain myself did the trick.
if(!disableDefaults) {
http
.csrf().and()
.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and()
.headers().and()
.sessionManagement().and()
.securityContext().and()
.requestCache().and()
.anonymous().and()
.servletApi().and()
.apply(new DefaultLoginPageConfigurer<HttpSecurity>()).and()
.logout();
}

How can use Flyway with grails

I know there is a Flyway2 plugin. However im not satisfied since it seems fitted for working by console commands. What i want is to integrate Flyway in a programatic way so:
1st Integration tests use flyway to handle db schema with H2 database
2nd Flyway get's triggered on tomcat deployment and handles also the environment database (maybe through running it from bootstrap?)
Does anyone has experienced with this?
EDIT after some discussion:
In order to use the plugin i would need to get a fully configured instance of GFlyway from spring context. This becomes difficult since the bean only property is def config from where it will read all the required properties. The question is how to replicate this behavior within the resources.groovy ... how to provide the application config as a parameter to the bean.
As we have been discussing in the comments, the correct way to configure this as a bean would be:
// Resources.groovy
beans {
grailsApplication = ref('grailsApplication')
gFlyaway(gflyway2.GFlyway) {
config = grailsApplication.config
}
}
Configure the settings as usual within your Config.groovy per the documentation of the plugin.
That should get you closer, if not all the way there.

Grails with Spring Security Plugin and Salted Passwords

I am trying to do salted password hashing in my Grails + Spring Security application. I have used the tutorials on the Grails site, and also ones I found randomly on the Internet.
At the moment, I have everything set up according to this tutorial. However I run into a problem when deploying the application with the following bean declaration in resources.groovy:
saltSource(cq.MySaltSource) {
userPropertyToUse = CH.config.grails.plugins.springsecurity.dao.reflectionSaltSourceProperty
}
It complains that it cannot find CH.
After digging around, I found a post on nabble stating the following:
Also - don't use ConfigurationHolder (CH) since it's deprecated in 2.0. You can pass in a reference to the grailsApplication bean and get the config from there:
saltSource(MySaltSource) {
grailsApplication = ref('grailsApplication')
}
and then in your class add
def grailsApplication
and get the property via
String userPropertyToUse grailsApplication.config.grails.plugins.springsecurity.dao.reflectionSaltSourceProperty
The part that I do not follow is the last statement about "...and get the property via...". The line of code he gives there seems malformed to me.
If anyone can shed some light here, or provide a different approach to using salted passwords with Grails and Spring Security, I would appreciate it. Note that it needs to be unique salts per user, not system-wide or a single salt, or a salt derived from username.
Thanks
UPDATE
So I got it working with the first tutorial (forgot the import statement at the top of resources.groovy. But I would still like to use the second way (to stay compatible with the future version).
UPDATE 2
I have written a complete tutorial on this if anyone browsing here is interested:
Setting up a Grails web application using Spring Security and salted passwords.
In resources.groovy where you're defining the saltSource bean the GrailsApplication is available as the application variable, so you can change the bean declaration to
saltSource(cq.MySaltSource) {
userPropertyToUse = application.config.grails.plugins.springsecurity.dao.reflectionSaltSourceProperty
}

grails - subdomain based projects and links

I am trying to develop a grails application that has "root" content (www.mydomain.com/about for example) but will also support "projects" based upon the subdomain of the request; for example myproject.mydomain.com > www.mydomain.com/myproject. As a first pass, i have the URL configuration below:
"/$controller/$action?/$id?" {
...
}
"/$project/$controller/$action?/$id?" {
constraints {
}
}
The main drawback so far is that the $project variable must be injected manually into every link (tedious and not DRY):
<g:link controller="foo" action="bar" params="${[project: params.project]}">link</g:link>
Is there a way to automatically inject the $project parameter into all links if it is present, or is there a better way to approach this problem?
Basically you can create a grails plugin that will inject into the controller a new project param with a value based on a custom TagLib <g:project bean="myproject"/> (for instance)
It will force you to define this tagLib on each gsp page of your project but it is still DRYer than each link.
Hope it helps,
Fabien.
I can think of a couple of things.
a) You can place a proxy (Apache or something else) in front of your app-server and do some url-rewriting. Bonus: This would also allow you to do some caching of static resources.
b) This solution is a little more technically interesting. You can look up the project based on the http host header (the subdomain part). This will save you from rewriting all urls, all Grails conventions will still apply so you shouldn't run into any problems with third party plugins and so on.

Resources