My problem:
I would love to use the Spring Security plugin's access control/authorization mechanism with my Grails application without having to use the plugin's authentication mechanism. The various Grails Spring Security plugin examples (like this one) I've found combine these two functions. Is there an easy way to just do access control?
Background:
I would like to add roles-based access control to my existing app. I would love to either just annotate my controllers or use the Config.groovy map approach for setting up the access control.
My app already has a user domain class.
The user domain class already handles encrypting passwords using BCrypt.
The app does not have a "role" domain class.
I already have controller actions, views and business logic for handling logging in and logging out. I have no interest in replacing this with the plugin's implementation.
On the right track, but not quite helpful:
I know this is possible to do, as explained in this other question: BUT, that questions and its answers explains how to do it in a Java app using the raw Spring Security framework. I would love for someone to lay out how to do this in a way that is compatible with the latest version (1.2.7.3 as of this writing) of the Grails Spring Security plugin. I don't want to reinvent wheels that have already been taken care of by the plugin.
In addition, this example explains how to do some of this, but it appears to be outdated because it is based on an older version of the plugin that uses Spring Security 2.x. It also only uses custom authentication for one piece of the app, while it looks like it still uses the Spring Security plugin's domain classes elsewhere.
How to do it?
Can someone lay out an approach for me?
I assume I need to create my Role domain class.
After that I assume it will involve custom Authentication objects and the like. But how do I hook them into use the plugin's existing code?
You could go with a custom authentication provider and I have an updated version that I did as part of a recent talk. See this blog post which has a sample app and link to a video of the talk: http://burtbeckwith.com/blog/?p=1090
It would be simple to use a custom UserDetailsService - this is the most common customization done for the plugin and it so has its own chapter in the docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Basically you need to create a Spring Security User instance and Spring Security (and the plugin) doesn't care how you get the data. So your custom UserDetailsService just needs to be a bridge between your current auth scheme and Spring Security.
I ended up creating my own access control/authorization mechanism rather than using the Spring Security plugin. I never could figure out how to separate the plugin's authentication mechanism from the authorization mechanism. Doing the work myself was very easy.
I did the following:
Created a new Role domain class.
Added a Set property and hasMany relationship to my User domain class.
Created a new AuthorizationFilters filter. This is where I put in my authorization rules. In this filter I can check to see if a user has the role necessary to access the given URL and redirect to a login page, redirect to a "not authorized page" or allow them to pass.
This doesn't have the nice syntactic sugar of the plugin and isn't quite as concise either, but it was very easy to implement and understand.
Related
I would like to use the Spring security framework that OpenEdge has bundled with REST services. I have a table called os_user for users and would like to use this to validate credentials.
Does anyone know how to do this or have any experience with the Spring framework in OpenEdge?
Thanks to the article posted by Jensd (http://knowledgebase.progress.com/articles/Article/What-are-the-basic-steps-to-authenticate-REST-clients-against-the-OpenEdge-database-User-table) Following the steps there allowed me to create a custom class, which then runs as part of the spring authentication.
Implementing the appSecurity-form-oerealm option for Progress, under the OERealmUserDetails section has an XML property node with a name of "realmClass". In this property you specify the name of your custom class, which tells the spring framework to run this to validate credentials.
A ValidateUser method and ValidatePassword method must be in this class. These methods allow you to run any OE code you like to access your database and validate user credentials.
*Note that this method of authentication is for older "Classic" AppServers, and an older version of spring. Progress have now released PAS for OpenEdge which works differently.
I am using spring security core plugin in my grails application. but now I have a custom requirement.
I need to re-authenticate the user for some secret screens each time before opening these, even user is signed in already.
On re-authentication auth screen, I also want to add a secret pin code after username and password.
What will be the best way to implement this or is there any plugin available with this functionality ?
As far as I know there isn't any plugin that would address this for you. However, Glen Smith posted a few years ago how to implement your own custom authentication for specific URIs using the Grails Spring Security core plugin.
What he outlines there is very similar to what you will need to do:
Create a custom authentication object to hold the request.
Create a custom authentication provider to authenticate the request.
Create a custom security filter to apply to your URIs.
You should also note Burt's comment on the mentioned post about how to register custom authentication filters. This eliminates some of the code Glen provided.
Your implementation will be slightly more complex since you will need an additional filter to catch an authentication failure and route the user to the special login page. This is where things get quite tricky, but with the information above you should be able to get started and ask questions as you hit roadblocks.
I mean need different:
Login URL
Login out url
session time url
authentication provider
error page
css
for different entry point.
Is this possible?
From 3.1.0 (which is currently beta) it will support multiple <http> elements in the namespace.
So short answer:
In 3.1.x yes.
In 3.0.5.RELEASE no.
Longer aswer:
Here is additional info, check the links in the comments also.
I had a similar problem once, since I had multiple entry points.
A good way IMO would be to make a new login page which decides which login page to redirect to or even calls the logic of the other entry points. Then you can point spring to the new page.
I'm pretty sure this can be done inside the filter chain, but I wouldn't recommend it since you will need a lot of manual coding and bean definitions. Generally I don't think 3.0.5 was designed for multiple entry points.
With multiple <http../> elements, you can achieve most of what you want but the authentication manager is going to be common and that means authentication providers are going to be common. See the issue faced by #David Parks in the post Spring Security 3.1.0.RC1: With multiple elements why can I only register one authentication manager?.
You can see my answers to similar questions such as Configuring Spring Security 3.x to have multiple entry points and Authenticate user using external webservice in grails to develop custom code to execute entry point specific authentication providers. This can be implemented in 3.0.5 as well.
You can implement solution in 3.0.5 without multiple <http../> elements but you will be need to develop custom code to handle logout and error pages.
There is org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint
since 3.0.2.
It might help.
Being a newbie to grails, I want to learn how to authenticate users using an XML users file? For ex: A user is able to login only when the credentials(username & password) match with the one in XML file. Can anyone please help giving a simple example. I basically want to know what additonal classes are to be written or require modifications. Please guide!!!
The Spring Security Core plugin has pluggable support for the source of user authentication data. Neither the plugin nor Spring Security care where you get the data, just that you implement the required interface so the other classes can use it.
All you'd need to do is create a UserDetailsService implementation that parses the XML and creates a GrailsUser instance from there. See section "11 Custom UserDetailsService" in the documentation for an example customized class and description of how to wire things up.
why do you want to authenticate against a xml file containing user information? the easiest and quickest way would be to integration spring security by using the grails plugin http://www.grails.org/plugin/spring-security-core. the user is stored in the database and you can configure lots of things like crypto, acls, ...
I am in the process of converting a legacy application from proprietary technology to a Spring based web app, leaving the backend system as is. The login service is provided by the backend system through a function call that takes in some parameter (username, password plus some others) and provides an output that includes the authroizations for the user and other properties like firstname, lastname etc.
What do I need to do to weave this into Spring 3.0 security module. Looks like I need to provide a custom AuthenticationProvider implementation (is this where I call the backend function?). Do I also need a custom UserDetails and UserDetailsService implementation which needs loadUserByName(String userName)?
Any pointers on good documentation for this? The reference that came with the download is okay, but doesn't help too much in terms of implementing custom security.
You only need to implement a UserDetailService, only when you like to make available some User details that's don't fit in the standard Spring User details class: org.springframework.security.core.userdetails.User you need to implement one for you're selves.
A good example you find here (just replace the hibernate stuff, with what ever you use for communicating with the backend).