I am trying to add the spring security management console which is shown in the spring security ui documentation.
It does not however tell you how to access it.
any ideas?
A good entry point is the user controller (grails.plugins.springsecurity.ui.UserController). If you are using the default URL mappings you will be able to access it at http://localhost:8080/<appname>/user in development mode.
Related
Spring session seems like a very interesting project but I have not been able to find much information on how to properly incorporate it in a spring security application. The readme on project github page has some information but I dont think thats applicable to spring security. Another example thats mentioned on the same page is to utilize this mechanism for REST access. Thats another use case that i think can benefit from an example. I would appreciate if some information on the subject can be shared. Thanks.
You can use Spring Session with Spring Security by simply ensuring to place the Spring Session Filter before Spring Security's filter. There is also an security sample project that demonstrates the use of Spring Session with Spring Security within the distribution. You can run it by cloning the repository and running the following:
./gradlew :samples:security:tomcatRun
The application will be available at http://localhost:8080/
I have an old grails application (ex. one-app) that has springSecurity for logins. I created a new grails app (two-app) that uses multiple databases (the DB from one-app and a new one). I am deploying both using tomcat
ip.addr.10.10/one-app
ip.addr.10.10/two-app
My question is: I want to have access to both applications by logging in only once. Basically if the user logs in on either application, he would also have access to the other application without logging in again.
Is this possible? Thanks.
Yes, it is possible. You need to use SSO. Currently I use JOSSO for my grails applications (http://www.josso.org) combined with Spring Security.
You can configure RememberMe with exactly same configuration for both apps. After user login into any of application, Spring Security will setup special cookie, that can be reused from other app (mean athorized in another app as well).
See docs for Remember Me - http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/9%20Authentication.html#9.3%20Remember-Me%20Cookie
A 3rd option would be to use the same OpenID provider for both applications.
One other approach would be drop Cookies which can be read by both the applications.
i'm fighting with a strange problem using the spring security core plugin. after a successful login clicking on any secured link causes a automatic logout of the current user. it's very hard to determine the reason because this behaviour happens only in some cases. the application is secured by using request maps. there is no exception and the request maps are correctly configured.
grails 1.3.7, spring security core plugin 1.2.1
the problem was the misconfiguration of the server url. in some places www were used and in some configrations not. so make sure your are using the same server url for the app, e.g. in tomcat config, isa server config, app config, ...
I need to have certain URLs (actions) in my app where I receive Credit Card information be SSL/https. I'm using the new set of Grails security plugins, i.e. Spring Security Core, and Spring Security UI. These apparently replace the ACEGI security plugin, which I understand had some SSL configuration capabilities at the controller level.
Can you tell me what the current recommendation is for switching to https for certain controllers/actions? Do I need to resolve everything in Tomcat?
Thanks
See section "17 Channel Security" in the Spring Security Core plugin docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/
is there a way to configure spring security to have a default user (with roles and such)? i want to use it for testing purposes in an embedded jetty environment.
i provided an InMemoryUserDetailsService but i am missing the part where i tell spring security to use which user.
thanks for your help
fabian
Do you mean an anonymous user?
If so, try this: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/anonymous.html
("Spring Security's anonymous authentication just gives you a more
convenient way to configure your access-control attributes")