I am trying to implement my own AuthenticationProvider in a grails project.
I am using the grails spring security core plugin.
However, I am having problem understanding how would I get the password from my grails domain class and compare it with the password passed in the argument in order to do the authentication.
Any help would be greatly appreciated.
Thank you.
I did a talk and blog post that included an example of a custom provider here: http://burtbeckwith.com/blog/?p=1090
As I understand, you are trying to use your own "User" domain class, with username, password,... and so on. Actually, we don't need to override AuthenticationProvider to do that. You can simply override UserDetailsService instead. All the things SpringSecurity needs is that you provide it with a UserDetails, it will do the password comparison for you, by the hash algorithm you specified in configuration.
For more details, you can refer here.
If it's not like I understand, please add some more code (what you achieve currently). A bit of code may help clear things out a lot.
Related
am trying to implement the code using spring security with database there I found this topic but seriously i didn't understand this concept.why they add post method within this 'j_spring_security_check'
so please anyone explain me with example.
It's a preconfigured URL in spring security to authenticate via form input.
It can be configured in your spring security configuration to point to another URL if needed.
If a form submits to this URL it needs to have the relevant parameters for the AuthenticationManager to use, such as j_username and j_password
These were changed in later versions to use username and password.
The best example of this using Spring MVC is in the Spring Docs.
My problem:
I would love to use the Spring Security plugin's access control/authorization mechanism with my Grails application without having to use the plugin's authentication mechanism. The various Grails Spring Security plugin examples (like this one) I've found combine these two functions. Is there an easy way to just do access control?
Background:
I would like to add roles-based access control to my existing app. I would love to either just annotate my controllers or use the Config.groovy map approach for setting up the access control.
My app already has a user domain class.
The user domain class already handles encrypting passwords using BCrypt.
The app does not have a "role" domain class.
I already have controller actions, views and business logic for handling logging in and logging out. I have no interest in replacing this with the plugin's implementation.
On the right track, but not quite helpful:
I know this is possible to do, as explained in this other question: BUT, that questions and its answers explains how to do it in a Java app using the raw Spring Security framework. I would love for someone to lay out how to do this in a way that is compatible with the latest version (1.2.7.3 as of this writing) of the Grails Spring Security plugin. I don't want to reinvent wheels that have already been taken care of by the plugin.
In addition, this example explains how to do some of this, but it appears to be outdated because it is based on an older version of the plugin that uses Spring Security 2.x. It also only uses custom authentication for one piece of the app, while it looks like it still uses the Spring Security plugin's domain classes elsewhere.
How to do it?
Can someone lay out an approach for me?
I assume I need to create my Role domain class.
After that I assume it will involve custom Authentication objects and the like. But how do I hook them into use the plugin's existing code?
You could go with a custom authentication provider and I have an updated version that I did as part of a recent talk. See this blog post which has a sample app and link to a video of the talk: http://burtbeckwith.com/blog/?p=1090
It would be simple to use a custom UserDetailsService - this is the most common customization done for the plugin and it so has its own chapter in the docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Basically you need to create a Spring Security User instance and Spring Security (and the plugin) doesn't care how you get the data. So your custom UserDetailsService just needs to be a bridge between your current auth scheme and Spring Security.
I ended up creating my own access control/authorization mechanism rather than using the Spring Security plugin. I never could figure out how to separate the plugin's authentication mechanism from the authorization mechanism. Doing the work myself was very easy.
I did the following:
Created a new Role domain class.
Added a Set property and hasMany relationship to my User domain class.
Created a new AuthorizationFilters filter. This is where I put in my authorization rules. In this filter I can check to see if a user has the role necessary to access the given URL and redirect to a login page, redirect to a "not authorized page" or allow them to pass.
This doesn't have the nice syntactic sugar of the plugin and isn't quite as concise either, but it was very easy to implement and understand.
I want to make method level security for my spring application.
The security design is as follows: User > Roles > Permissions
Well when i use #PreAuthorize with hasRole it works fine.
But when i try to use it with hasPermission, it doesn't work.
I found that i should use Spring ACL for such approach, but it seems to be over-killing for the requirement.
So is there's any way to define role permissions in xml file, or any other workarounds or other ways to get method level security works with permissions instead of roles, and withour using ACL.
If there's no way but to use ACL, then please suggest me a good example
Please read the article on the following site:
http://springinpractice.com/2010/10/27/quick-tip-spring-security-role-based-authorization-and-permissions/
The main thing is you will need to implement the UserDetails interface. It says
"the UserDetails interface simply exposes the permissions (not the roles) via the getAuthorities() method"
Being a newbie to grails, I want to learn how to authenticate users using an XML users file? For ex: A user is able to login only when the credentials(username & password) match with the one in XML file. Can anyone please help giving a simple example. I basically want to know what additonal classes are to be written or require modifications. Please guide!!!
The Spring Security Core plugin has pluggable support for the source of user authentication data. Neither the plugin nor Spring Security care where you get the data, just that you implement the required interface so the other classes can use it.
All you'd need to do is create a UserDetailsService implementation that parses the XML and creates a GrailsUser instance from there. See section "11 Custom UserDetailsService" in the documentation for an example customized class and description of how to wire things up.
why do you want to authenticate against a xml file containing user information? the easiest and quickest way would be to integration spring security by using the grails plugin http://www.grails.org/plugin/spring-security-core. the user is stored in the database and you can configure lots of things like crypto, acls, ...
I am in the process of converting a legacy application from proprietary technology to a Spring based web app, leaving the backend system as is. The login service is provided by the backend system through a function call that takes in some parameter (username, password plus some others) and provides an output that includes the authroizations for the user and other properties like firstname, lastname etc.
What do I need to do to weave this into Spring 3.0 security module. Looks like I need to provide a custom AuthenticationProvider implementation (is this where I call the backend function?). Do I also need a custom UserDetails and UserDetailsService implementation which needs loadUserByName(String userName)?
Any pointers on good documentation for this? The reference that came with the download is okay, but doesn't help too much in terms of implementing custom security.
You only need to implement a UserDetailService, only when you like to make available some User details that's don't fit in the standard Spring User details class: org.springframework.security.core.userdetails.User you need to implement one for you're selves.
A good example you find here (just replace the hibernate stuff, with what ever you use for communicating with the backend).