I have installed Spring Security using s2-quickstart and the Spring Security CAS plugin. I have the CAS plugin set up correctly (I believe) but when I try to visit the localhost:8080/caslogin/j_spring_security_check page to force a CAS login I am redirected to the default Spring Security log in page rather than the CAS login page that our company has set up. Does anyone know what might be causing this behavior? Here is my current CAS setup in Config.groovy:
grails.plugins.springsecurity.cas.loginUri = '/login'
grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://cas-server/cas'
grails.plugins.springsecurity.cas.key = 'grails-spring-security-cas'
grails.plugins.springsecurity.cas.filterProcessUrl = '/j_spring_security_check'
grails.plugins.springsecurity.cas.serverName = 'http://localhost:8080'
grails.plugins.springsecurity.cas.serviceUrl = 'http://localhost:8080/caslogin/j_spring_security_check'
grails.plugins.springsecurity.cas.proxyCallbackUrl = 'http://localhost:8080/caslogin/secure/receptor'
grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
grails.plugins.springsecurity.cas.active = true
grails.plugins.springsecurity.providerNames = ['casAuthenticationProvider']
// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.mycompany.caslogin.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.mycompany.caslogin.UserRole'
grails.plugins.springsecurity.authority.className = 'com.mycompany.caslogin.Role'
We have successfully used CAS in a Grails application, check my Config.groovy below:
In my case, when I try to go to localhost:8080/MyApp/j_spring_cas_security_check I get an access denied 404.
grails.serverURL = "http://192.168.10.12:8080/MyApp"
plugins {
springsecurity {
active = true
rejectIfNoRule = false
password.algorithm = 'SHA-256'
securityConfigType = grails.plugins.springsecurity.SecurityConfigType.Requestmap //url permission
apf.filterProcessesUrl = '/j_spring_security_check'
auth {
forceHttps = false
loginFormUrl = '/access/login'
ajaxLoginFormUrl = '/access/login?remote=true'
}
adh {
errorPage = '/access/denied'
ajaxErrorPage = '/acesso/denied?remote=true'
}
ajaxHeader = 'X-Requested-With'
failureHandler {
ajaxAuthFailUrl = '/access/fail?remote=true'
defaultFailureUrl = '/access/fail?login_error=1' //TODO
}
successHandler {
defaultTargetUrl = '/'
alwaysUseDefault = false
}
// Configuracao do CAS
providerNames = ['casAuthenticationProvider']
cas {
serverUrlPrefix = 'https://mycompany.com.br:8443/cas'
loginUri = '/login'
proxyReceptorUrl = '/secure/receptor'
serviceUrl = "${grails.serverURL}/j_spring_cas_security_check"
proxyCallbackUrl = "${grails.serverURL}/secure/receptor"
}
logout.afterLogoutUrl = 'https://mycompany.com.br:8443/cas/logout?service=${grails.serverURL}/'
// Customizacao de Entidades
userLookup.userDomainClassName = 'br.com.mycompany.app.access.User'
userLookup.authoritiesPropertyName = 'permissions'
authority.className = 'br.com.mycompany.app.access.Permission'
requestMap.className = 'br.com.mycompany.app.access.UrlAccess'
requestMap.configAttributeField = 'ruleExpression'
}
}
Related
I've set up a jitsi-meet instance for test purposes and I use the ldap-related modules for user authentication configured in /etc/prosody/conf.d/ldap.cfn.lua. Here is my working ldap.cfn.lua (I removed usernames and passwords and replaced them with *):
-- Authentication configuration --
authentication = 'ldap2'
ldap = {
hostname = 'my.ldap.server.org',
--use_tls = true,
bind_dn = 'CN=ldap,OU=user,OU=my,DC=company,DC=org',
bind_password = '***',
user = {
basedn = 'ou=workers,ou=location1,dc=my,dc=company,dc=org',
filter = 'sAMAccountName=*',
usernamefield = 'sAMAccountName',
namefield = 'cn',
},
}
I have several locations within my AD (evolved historically) and I need to query them too. How can I specify more than one basedn parameter? Here is what I tried so far without positive results (mere guesses).
user = {
basedn = 'ou=workers,ou=location1,dc=my,dc=company,dc=org',
'ou=workers,ou=location2,dc=my,dc=company,dc=org',
filter = ...
...
},
user = {
basedn = '(ou=workers,ou=location1,dc=my,dc=company,dc=org,ou=workers,ou=location2,dc=my,dc=company,dc=org)',
filter = ...
...
},
Thanks!
Luckily I've figered out another solution in the meantime:
In my case it's not neccessary to query multiple OU within the AD. It's sufficient to query the very root of my AD and filter for every Domain User.
This site gave valuable hints: https://ldapwiki.com/wiki/Domain%20Users
Here is my working config:
authentication = 'ldap2'
ldap = {
hostname = 'my.ldap.server.org',
--use_tls = true,
bind_dn = 'CN=ldap,OU=user,OU=my,DC=company,DC=org',
bind_password = '***',
user = {
basedn = 'dc=my,dc=company,dc=org',
filter = '(primaryGroupID=513)',
usernamefield = 'sAMAccountName',
namefield = 'cn',
},
}
We are using grails 2.3.5 app with mongodb (no hibernate installed). I had forked & modified grails database session plugin with HQL queries to use simple queries so as to support mongodb.
Then when I'm trying to login via ajax, it fails. By fail, I mean that, session in created & persisted to the database but not able to login. When I enabled to logs, I saw cookies is present in the request path /j_spring_security_check after authentication but is not available after redirect i.e. in path /login/ajaxSuccess which causing authentication to be treated as false & a new session is created.
Our URL mapping config looks like this: (Does not matters)
"/$controller/$action?/$id?(.$format)?" {
constraints {
}
}
"/v2/$customController/action/$customAction" {
controller = {
return params.customController?.toUpperCamelCase()
}
action = {
return params.customAction?.toUpperCamelCase()
}
}
"/v2/$resource/$resourceId?/$subResource?/$subResourceId?" {
controller = {
if (params.subResource) {
return params.subResource.toUpperCamelCase()
}
return params.resource.toUpperCamelCase()
}
action = {
Map actionMethodMap = [GET: params.resourceId ? "show" : "index", POST: "save", PUT: "update", DELETE: "delete"]
return actionMethodMap[request.method.toUpperCase()]
}
id = {
if (params.subResource && params.subResourceId) {
return params.subResourceId
}
return params.resourceId
}
}
Our configuration looks like this for spring security:
grails.plugins.springsecurity.authority.className = 'com.test.Role'
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.test.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.test.UserRole'
grails.plugins.springsecurity.useSessionFixationPrevention = true
//grails.plugins.springsecurity.redirectStrategy.contextRelative = true
grails.plugins.springsecurity.successHandler.defaultTargetUrl = "/app/ng/index.html"
grails.plugins.springsecurity.auth.loginFormUrl = "/app/ng/index.html#/auth/signin"
grails.plugins.springsecurity.auth.ajaxLoginFormUrl = "/v2/login/action/auth-ajax"
grails.plugins.springsecurity.ui.encodePassword = false
grails.plugins.springsecurity.controllerAnnotations.staticRules = [
'/j_spring_security_switch_user': ['ROLE_ADMIN'],
'/ck/standard/filemanager': ['ROLE_ADMIN'],
'/ck/standard/uploader': ['ROLE_ADMIN'],
'/ck/ofm/filemanager': ['ROLE_ADMIN'],
'/ck/ofm/filetree': ['ROLE_ADMIN'],
'/quartz/**': ["ROLE_ADMIN"],
'/**' : ['IS_AUTHENTICATED_ANONYMOUSLY']
]
Other than this, grails.serverURL config is commented for all environments to support wildcard subdomain.
Using:
Spring Security Core plugin version 1.2.7.3
Cookie plugin version 0.51
Webxml plugin version 1.4.1
Mongodb plugin version 2.0.1
I am trying to connect with Google using the grails oauth plugin. Following is my code
Config.groovy
oauth {
providers {
google {
api = org.scribe.builder.api.GoogleApi
key = 'XXX.apps.googleusercontent.com'
secret = 'XXXXXXX'
scope = 'https://www.googleapis.com/auth/userinfo.profile'
callback = "${grails.serverURL}/oauth/google/callback"
successUri = "${grails.serverURL}/oauthCallBack/google"
}
}
}
grails.google.api.url = "https://accounts.google.com/o/oauth2/auth"
OauthCallBackController.groovy
class OauthCallBackController {
def oauthService
def google() {
Token googleAccessToken = (Token) session[oauthService.findSessionKeyForAccessToken('google')]
def googleResource = oauthService.getGoogleResource(googleAccessToken, grailsApplication.config.grails.google.api.url)
def googleResponse = JSON.parse(googleResource?.getBody())
log.info "googleAccessToken = ${googleAccessToken}"
log.info "googleResponse = ${googleResponse}"
log.info "accesstoken = ${googleAccessToken.token}"
def googleResourceDetailed = oauthService.getGoogleResource(googleAccessToken, "https://www.googleapis.com/oauth2/v1/userinfo?access_token=${googleAccessToken.token}")
def googleResponseDetailed = JSON.parse(googleResourceDetailed?.getBody())
log.info "googleResourceDetailed = ${googleResourceDetailed}"
log.info "googleResponseDetailed = ${googleResponseDetailed}"
render params
}
}
When I trying to connect, google ask me to allow the application to access my credentials. After allowing my call back action executed(oauthCallBack/google) but I am not getting the data of my account.
Following is my output in my logs
INFO example.OauthCallBackController - googleAccessToken = Token[1/xxx , yyy]
INFO example.OauthCallBackController - googleResponse = [:]
INFO example.OauthCallBackController - accesstoken = 1/xxx
INFO example.OauthCallBackController - googleResourceDetailed = org.scribe.model.Response#2a088ca
INFO example.OauthCallBackController - googleResponseDetailed = [error:[message:Invalid Credentials, errors:[[message:Invalid Credentials, location:Authorization, reason:authError, locationType:header, domain:global]], code:401]]
I have no idea where I am wrong and why I am getting the error as response.
How can I get data from google?
Finally..,.
After lots of google search I finally figure out my problem and successfully got data from google.
The problem is in my grails.google.api.url entry in my config file.
Correct value is
grails.google.api.url = "https://www.googleapis.com/oauth2/v1/userinfo"
Now my code is
Config.groovy
oauth {
providers {
google {
api = org.scribe.builder.api.GoogleApi
key = 'XXX.apps.googleusercontent.com'
secret = 'XXXXXXX'
scope = 'https://www.googleapis.com/auth/userinfo.profile'
callback = "${grails.serverURL}/oauth/google/callback"
successUri = "${grails.serverURL}/oauthCallBack/google"
}
}
}
grails.google.api.url = "https://www.googleapis.com/oauth2/v1/userinfo"
OauthCallBackController.groovy
def google() {
Token googleAccessToken = (Token) session[oauthService.findSessionKeyForAccessToken('google')]
def googleResource = oauthService.getGoogleResource(googleAccessToken, grailsApplication.config.grails.google.api.url)
def googleResponse = JSON.parse(googleResource?.getBody())
log.info "googleAccessToken = ${googleAccessToken}"
log.info "googleResponse = ${googleResponse}"
log.info "accesstoken = ${googleAccessToken.token}"
log.info "id = ${googleResponse.id}"
log.info "name = ${googleResponse.name}"
render params
}
And my log out put is
INFO example.OauthCallBackController - googleAccessToken = Token[1/xxx , yyy]
INFO example.OauthCallBackController - googleResponse = [id:xxxxx, locale:en, link:yyyyy, name:MKB, gender:male, family_name:B, given_name:M]
INFO example.OauthCallBackController - accesstoken = 1/xxx
INFO example.OauthCallBackController - id = xxxxx
INFO example.OauthCallBackController - name = MKB
Grails Oauth Plugin Demo
How to get Connected With Linked In Grails ??
Config.groovy
oauth {
linkedin {
requestTokenUrl="https://api.linkedin.com/uas/oauth/requestToken"
accessTokenUrl="https://api.linkedin.com/uas/oauth/accessToken"
authUrl="https://api.linkedin.com/uas/oauth/authorize"
consumer.key="xxx"
consumer.secret="xxx"
}
}
plugin:
compile ":oauth:2.1.0"
And GSP :
<oauth:connect provider="linkedin">Connect</oauth:connect>
But I trying to run this code.. on browser its showing this error
org.codehaus.groovy.grails.web.taglib.exceptions.GrailsTagException
Tag [oauthLink] does not exist. No tag library found for namespace: g
Use oauth taglib to create button to connect with linkedin rather than g tag
<oauth:connect provider="linkedin">Connect</oauth:connect>
EDIT...................................................................................
Following is my Config.groovy
oauth {
providers {
linkedin {
api = org.scribe.builder.api.LinkedInApi
key = 'xxx'
secret = 'yyy'
callback = "http://localhost:8080/test2/oauth/linkedin/callback"
successUri = "http://localhost:8080/test2/oauthCallBack/linkedin"
failureUri = "http://localhost:8080/test2/oauthCallBack/linkedinFailure"
requestTokenUrl = "https://api.linkedin.com/uas/oauth/requestToken"
accessTokenUrl = "https://api.linkedin.com/uas/oauth/accessToken"
authUrl = "https://api.linkedin.com/uas/oauth/authorize"
}
}
}
grails.linkedin.api.url = "http://api.linkedin.com/v1/people/~:(id,first-name,last-name,email-address,date-of-birth)?format=json"
and I have a OauthCallBackController with an action linkedin
def linkedin() {
Token linkedinAccessToken = (Token) session[oauthService.findSessionKeyForAccessToken('linkedin')]
def linkedInResponse = oauthService.getLinkedInResource(linkedinAccessToken, grailsApplication.config.grails.linkedin.api.url)
def linkedinParsedResponse = JSON.parse(linkedInResponse?.getBody())
User user = User.findByLinkedInId(linkedinParsedResponse['id'])
if (user) {
springSecurityService.reauthenticate(user.username)
} else {
...
}
}
def linkedinFailure() {
render "I am back..,."
}
I'm using the PersistentTokenBasedRememberMeServices (Spring Security 2.04) in Grails App in conjunction with the OpenIDAuthenticationProcessingFilter. The configuration is as follows (This is Grails's DSL equivalent to Spring resource.xml but it should be quite easy to adapt):
customTokenRepository(JdbcTokenRepositoryImpl)
{
dataSource = ref('dataSource')
}
rememberMeServices(PersistentTokenBasedRememberMeServices) {
userDetailsService = ref('userDetailsService')
key = securityConf.rememberMeKey
cookieName = securityConf.cookieName
alwaysRemember = securityConf.alwaysRemember
tokenValiditySeconds = securityConf.tokenValiditySeconds
parameter = securityConf.parameter
tokenRepository = customTokenRepository
}
openIDAuthProvider(org.codehaus.groovy.grails.plugins.springsecurity.openid.GrailsOpenIdAuthenticationProvider) {
userDetailsService = ref('userDetailsService')
}
openIDStore(org.openid4java.consumer.InMemoryConsumerAssociationStore)
openIDNonceVerifier(org.openid4java.consumer.InMemoryNonceVerifier, securityConf.openIdNonceMaxSeconds) // 300 seconds
openIDConsumerManager(org.openid4java.consumer.ConsumerManager) {
nonceVerifier = openIDNonceVerifier
}
openIDConsumer(org.springframework.security.ui.openid.consumers.OpenID4JavaConsumer, openIDConsumerManager)
openIDAuthenticationProcessingFilter(org.springframework.security.ui.openid.OpenIDAuthenticationProcessingFilter) {
authenticationManager = ref('authenticationManager')
authenticationFailureUrl = securityConf.authenticationFailureUrl //'/login/authfail?login_error=1' // /spring_security_login?login_error
defaultTargetUrl = securityConf.defaultTargetUrl // '/'
filterProcessesUrl = '/j_spring_openid_security_check' // not configurable
rememberMeServices = ref('rememberMeServices')
consumer = openIDConsumer
targetUrlResolver = customTargetUrlResolver
}
After a user has authenticated everything is fine until the cookie issued to him is used for the first time for example after a container restart (see here).
The very first request using the cookie seems to be always fine but after the cookie has been updated with a new date and most importantly a new token, subsequent requests will crash in here. As if the browser would still request resources using the old version of the cookie containing the old token. I'm totally baffled why this happens. Any suggestions?