We are using thew Spring Security Plugin in our grails app.
We have useBasicAuth set to true as we use Spring Security to ensure our rest calls are called by trusted sources.
Now we have a requirement to add a user admin section to our system where the user can login with their credentials.
With useBasicAuth set to true, if the users session timesout, the popup dialog will appear and ask for the user to re-enter their credentials
For our app, we dont really want this.
Is it possible to have multiple setup's where useBasicAuth is set to true for the rest calls but we can use our own custom form for users that log in through a browser?
Or is it possible to still use BasicAuth and redirect users that log in through a browser to our custom log in form?
Thanks
Damien
If you want to have basic auth for all but admin controller, use below in your Config.groovy. It denies basicAuthenticationFilter in this controller. Standard Security should work for this page is such situation.
grails.plugins.springsecurity.filterChain.chainMap = [
'/admin/**': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter',
'/**': 'JOINED_FILTERS,-exceptionTranslationFilter'
]
More info in documentation: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/16%20Filters.html under Chain Map.
Related
I have searched enough but I haven't got a clear answer and thus posting this question.
I have an existing application which uses spring security for authentication.
Current implementation uses a custom implementation of UsernamePasswordAuthenticationFilter for doing this.
Thus the flow is something like below(in very simple terms):
inputrequest>DelegatingFilterProxy>LoginUrlAuthenticationEntryPoint>CustomUsernamePasswordAuthenticationFilter>AuthenticationManager>CustomAuthenticationProvider
Now I have a requirement to implement SSO (since the user is already asusmed to be authenticated) in some scenarios.
The requirement states that if I have a specific request parameter present then I need to automatically authenticate the request without bothering about user/password.
So it is same set of resources and I do not have to authenticate user/password if the specific SSO related request parameter is present.
e.g
suppose a resource \test\bus is a secure resource.
if I come from normal way then we need to check if the user is authenticated or nor and force user to put valid user/password
if I come from SSO channel then I need to show the \test\bus resource as the user is already authenticated.
currently all the access restrictions are put through <http> element
e.g the snippet of security-config.xml is as follows:
Query: What options do I have in this case. I can think of below options:
Pre-authenticate the user before spring security framework kicks in. This will mean creating an authentication token and putting in spring context before spring security filter is called. This can be done through another filter which is called before spring security filter chain. I have tested it and it works.
Create another custom security filter which set-up the authentication token. I am not clear if this is correct approach as not sure when do we create multiple custom security filter
Create another custom authentication provider e.g SSOCustomAuthenticationProvider. This provider will be called in the existing current flow as we can have multiple authentication providers to a authentication manager. The only issue is that in order to achieve this I have to change the request url to authentication filter's target url so that spring security doesn't check for authentication.
to explain more,
let's say request uri is /test/bus, I will write a filter which will intercept the request and change it to /test/startlogin. This is currently my CustomUsernamePasswordAuthenticationFilter's target url i.e
<property name="filterProcessesUrl" value="/test/startlogin"/>
The flow will be
inputrequest>DelegatingFilterProxy>LoginUrlAuthenticationEntryPoint>CustomUsernamePasswordAuthenticationFilter>AuthenticationManager>SSOCustomAuthenticationProvider
I have tested this and this works. Is this a valid approach or a hack.
Is there any other viable option available with me.
Thanks for reading this.
I have web application ( built using Grails ) in which I am using Spring Security with LDAP.
Login and logout behaviour works fine in application.
Now, I wanted to build the functionality where if admin is logged in application first time forward user to specific page instead of sending user to index/home page.
I modified LoginController ( auth method ) and tried to keep track of login by new domain class. But after login Login controller "auth method" is not called.
can anyone point me to right direction ? is there other controller I need to modify ?
The default Spring Security login form POSTs to a special URL: /j_spring_security_check (the exact URL used can be changed through the apf.filterProcessesUrl configuration parameter) This POST request is handled by the Spring Security internals. To add custom login logic, you can implement your own AuthenticationSuccessHandler as described here.
I'm trying to create a Twitter-like app with Grails and SpringSecurity plugin, and what I want to do is to allow potential users to create an account from the login page (auth.gsp in SpringSecurityCore).
On this page I have a link to my UserTwitter's controller's create method. It calls the usual create.gsp page. And the problem : when I try to create a new account, it works when I'm previously logged in with another account, but doesn't if I'm not. What should I do ?
Thanks for your help.
May be your action is secured by Spring Security Service by using annotation or URL mapping in config. If this is the case then free your action from Spring Security Service. See this link to free your action from Spring Security Service.
I'm working on a Grails application and want to integrate with a custom single-sign-on service (not CAS, but similar). I'm struggling to find all the pieces that I need to customize to make this happen. Can someone explain to me a general outline as to what I need to use to accomplish this? I've read the documentation on the plugin, but it assumes I know which beans to override and where to put all the needed files.
I've block-quoted what I think needs to be done based on my research below each point.
Order of Operations
1- The user requests secure content (everything is secure in the application for now)
I believe this setting is in the Config.groovy file:
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/**':['ROLE_ADMIN']
]
2- Spring Security checks to see if the user has a specific value set in a cookie provided by the authentication service
I'm guessing I need to create an authentication filter, but I don't know where to put it or what it should look like.
If they don't, the user is redirected to this custom SSO service, they login, once authenticated, the user is redirected back to my application (with a new cookie set)
3- Spring security checks for the cookie value and validates it against the custom service (via HTTP POST)
From some research, I think that I need to use PreAuthenticatedProcessingFilter, but I haven't been able to find any examples of how to do this.
4- The custom service returns a series of name/value pairs, a user then needs to be created in the local application database (or the timestamp of "lastLoggedIn" is updated if they user's data is already in the database)
I believe this is done in the same PreAuthenticatedProcessingFilter as number 3 or in a GrailsUserDetailsService
5- The user's authentication is cached in the session for a period of time (6-8 hours) so that re-validation against the SSO service doesn't need to occur every time the user requests a new resource.
I'm not sure if this is something that's done inherently or if I need to add code to do this (and also set the session timeout)
I'm using Spring Security 3 to protect access to a Spring-based Java Web application. The security mechanism is all configured through a standard Spring Security bean definition file, using the "security" schema. By default the user can access any URL and those that require a login are listed in the “http” element of the Spring configuration file. The system is configured so that a user who has not performed a login will be redirected to a login form before they can access such a URL.
The problem that I have is that certain URLs in the system are intended for programmatic access and return XML rather than HTML. For such URLs I need to be able to return a “user not logged in” XML instead of forcing a redirect to a login form. How can I reconfigure my “http” element (and its associated elements in the configuration file) to allow me to have one set of controlled URLs that will redirect to a login form when the user isn't logged in and another set that will return an error?
Cheers, Adam.
Maybe an authentication filter helps you. Inside the doFilter() method of Spring's AbstractAuthenticationProcessingFilter you could check whether a XML file is requested. If yes, you interrupt the chain and return an error XML file if there's no active user session. See here for more details:
http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html