I am using GGTS and Grails 2.2.0 and have implemented spring security along with Basic Auth with the following options
Config.groovy
grails.plugins.springsecurity.useBasicAuth = true
grails.plugins.springsecurity.digest.realmName = 'someval'
LogoutController {
def index = {
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl
}
When I click on logout – it does not log the user out, it takes me back to the home page. I have looked at the forums, but have not found anything that works.
I want to make sure that whatever solution is implemented, logs off the use completely and the user is not able to return back to the original page without logging back in.
Any pointers/suggestions are appreciated.
The problem is HTTP Basic Authentication. It doesn't specify a way to log out. I believe there are some "unofficial" methods that work (see How to log out user from web site using BASIC authentication?), but Spring Security doesn't appear to use them.
The best solution is to avoid Basic Auth altogether. If that's not an option, you'll have to write a custom LogoutController that e.g. sends back a 401 error code.
Related
Am a newbie to Grails. I am using Grails 3.3.2 and am trying to implement security plugin in my app. How do I redirect to a certain page after a successful login.
In your Grails controller you will have the if check of successful login, inside that condition you can write the redirect statement as below,
redirect(controller: 'YOUR_CONTROLLER_NAME', action:'YOUR_GSP_PAGE_NAME')
If you want to redirect page with specific path then use following syntax,
redirect(uri: "PATH_TO_YOUR_PAGE")
See more examples here Grails redirect examples
I have web application ( built using Grails ) in which I am using Spring Security with LDAP.
Login and logout behaviour works fine in application.
Now, I wanted to build the functionality where if admin is logged in application first time forward user to specific page instead of sending user to index/home page.
I modified LoginController ( auth method ) and tried to keep track of login by new domain class. But after login Login controller "auth method" is not called.
can anyone point me to right direction ? is there other controller I need to modify ?
The default Spring Security login form POSTs to a special URL: /j_spring_security_check (the exact URL used can be changed through the apf.filterProcessesUrl configuration parameter) This POST request is handled by the Spring Security internals. To add custom login logic, you can implement your own AuthenticationSuccessHandler as described here.
I have an issue with the Session Timeout. In my grails application an user logs in after a session timeout, but then gets to the last edited page. I want to prevent that and send them to a specific URL. How can I achieve this, I cant find something in the spring security documentation.
Greetings.
Per the docs, it looks like you might be able to use a combination of:
successHandler.defaultTargetUrl="/whatever/url/you/want"
successHandler.alwaysUseDefault=true
By default spring security will forward the original request after successful login. You can prevent that by adding the following to Config.groovy:
grails.plugins.springsecurity.successHandler.alwaysUseDefault = true
grails.plugins.springsecurity.successHandler.alwaysUseDefaultTargetUrl = true
grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/my/default/url'
The two properties sound like they should do the same, but in my case it only works when I have them both. Perhaps you can remove one of them and get it to work...
This will alter the behavior any time you log in, not just after a timeout. If you need a more dynamic solution, I guess you have to dig into the spring security source code...
I'm using Grails and Spring Security. Some methods of the controller are annotated with #Secured and when the logged in user doesn't have the necessary roles I want him to be redirected to the last visited page instead of to /login/denied.
I guess that the real question is how to get the last page visited so that I can redirect him accordingly from the denied method?
There is a way to do this in JavaScript, using back button, but I am looking for a way to achieve this on the server side.
maybe you could use an interceptor to store the history of you views and then with an accessDeniedHandler redirect to the previous one
What is the best way to make authentication?
on frontend I use Angular.js
on backend: Ruby on Rails
Rails app using as API for my frontend.
UPDATE:
This is will be single page application.
Frontend wiil be developed in Angular.js, backend in Ruby on Rails.
In ideal I want to build backend as collection of resources returned in json.
I search best method of security implementation.
When user open the app I need to check if user authenticated.
If not - go to login page,
If authenticated - open that he wants and return needed resource from backend.
I think that I need to store auth token on the client side.
What is the best method to generate it, or maybe Rails already generate it for me?
I don't know Angular.JS at all but I will try to provide you general information on rails that you can use with any Javascript Framework.
For authentication, you just needs:
A model for users
a controller which handle login, this method check user login/password, create a session object with all information needed (session is stored on server side and a cookie is used on client-side to associate each request to a session)
A controller for handling logout which basically only destroy the user's session
You have a good implementation in the rails tutorial here, or you can find several plugins (authlogic seems to be the recommendation of stackoverflow usershere).
Then, there is few differences between handling authentication with static html pages or with AJAX:
A HTML request will send login and password to the controller, which will automatically redirect it to another internal page once the session create
In AJAX, the javascript on client side should send an ajax request, look for the answer by the server (success / failure) and launch adapted actions (message if failure, redirection if success)
In both cases, the important thing is to check that the user is authenticated at at each controller otherwise anybody would be allowed to launch action or access internal information.
I'm trying to do something similar and I found this example app which has been very useful to get me going in the right direction: https://github.com/karlfreeman/angular-devise
Also checkout further discussion about it here: https://github.com/karlfreeman/angular-devise/issues/1
And here's another repo which takes a slightly different approach: https://github.com/colindensem/demo-rails-angularjs
I ended up borrowing ideas from all of the above. Here's a working demo if anyone's interested: https://github.com/jesalg/RADD