Grails Spring Security SecUser - grails

Can I create two different types of SecUser, such as SecUser and EndUser, and SecRole and EndRole,
where my SecUser and SecRole will be given to the admins and doctors of my hospital, and EndUser and EndRole will be given to the end users of my hospital project?
I already have the SecUser and SecRole tables, and when I created EndUser and EndRole with the s2-quickstart command I got the domain classes, but I didn't override my login and logout controllers. Now I am not able to create an EndUser object or an EndRole object in my BootStrap:
class BootStrap {

    def springSecurityService

    def init = { servletContext ->
        /*
        def userRole = EndRole.findByAuthority('ROLE_USER') ?: new EndRole(authority: 'ROLE_USER').save(failOnError: true)
        def endadminUser = EndUser.findByUsername('endadmin') ?: new EndUser(
                username: 'endadmin',
                password: 'endadmin', enabled: true).save(failOnError: true)
        if (!endadminUser.authorities.contains(userRole)) {
            EndUserEndRole.create endadminUser, userRole
        }
        */
        def x = new EndRole(authority: 'ROLE_USER')
        println(" new fresh " + x.authority)
    }

    def destroy = {
    }
}

You can have as many types of user as you want, but to support that you will need a custom UserDetailsService. This is a common thing to do, so there's a section in the docs for it; see section "11 Custom UserDetailsService" in http://grails-plugins.github.com/grails-spring-security-core/docs/manual/
I'm not sure why you think you need more than one role class though. Just create an instance of SecRole with a different role name for admins and doctors, e.g. new SecRole(authority: 'ROLE_DOCTOR').save() and new SecRole(authority: 'ROLE_ADMIN').save().
You probably don't need different user classes at all (at least not for security; you may need to support different attributes for non-security reasons). Just create SecUser instances and grant them whatever roles they need (with EndUserEndRole.create), i.e. ROLE_DOCTOR or ROLE_ADMIN.
Do yourself a favor and read the plugin documentation, but also the Spring Security documentation at http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html - this stuff is way too important to implement if you're not comfortable with how to secure a web site.
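As an added example (not code from the question, the answer or the plugin itself), this is what the custom UserDetailsService referred to in section 11 of the docs looks like when it has to authenticate against both user tables, SecUser for staff and EndUser for patients. Class names, the HospitalUserDetailsService name and the imports (plugin 1.x packages, matching the linked docs; plugin 2.x moved these classes to grails.plugin.springsecurity.userdetails and uses SimpleGrantedAuthority) are assumptions.

```groovy
// Added example: a GrailsUserDetailsService that looks a username up in SecUser
// first and EndUser second. Register it in grails-app/conf/spring/resources.groovy:
//     userDetailsService(HospitalUserDetailsService)
import org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser
import org.codehaus.groovy.grails.plugins.springsecurity.GrailsUserDetailsService
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils
import org.springframework.security.core.authority.GrantedAuthorityImpl
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException

class HospitalUserDetailsService implements GrailsUserDetailsService {

    // Spring Security rejects an empty authority list, so fall back to the
    // plugin's placeholder role for a user that has no roles yet.
    static final List NO_ROLES = [new GrantedAuthorityImpl(SpringSecurityUtils.NO_ROLE)]

    UserDetails loadUserByUsername(String username, boolean loadRoles) throws UsernameNotFoundException {
        loadUserByUsername(username)
    }

    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        SecUser.withTransaction { status ->
            // Staff table first, then the patient table. A username is expected
            // to exist in at most one of them.
            def user = SecUser.findByUsername(username)
            if (!user) {
                user = EndUser.findByUsername(username)
            }
            if (!user) {
                // Same exception whichever table was empty, so a login attempt cannot
                // distinguish "unknown staff name" from "unknown patient name".
                throw new UsernameNotFoundException("User not found: $username")
            }

            // Both s2-quickstart classes expose authorities via their join class
            // (SecUserSecRole / EndUserEndRole), so this works for either type.
            def authorities = user.authorities.collect { new GrantedAuthorityImpl(it.authority) }

            new GrailsUser(user.username, user.password, user.enabled,
                    !user.accountExpired, !user.passwordExpired, !user.accountLocked,
                    authorities ?: NO_ROLES, user.id)
        }
    }
}
```

One caveat that follows from the answer's advice: the id stored on the GrailsUser principal no longer identifies a single table, so any code that reloads the entity with SecUser.get(springSecurityService.principal.id) has to know which class the principal came from. That ambiguity goes away if there is one user class and the staff/patient distinction is expressed as roles.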

Related

Wicket Security - Change Roles of an Inmemory User

I'm using Wicket 7.0 in an application I'm developing and I would like some advice regarding using in-memory users during development.
The idea is to have one single in-memory user whose roles I set right before I log in.
My first intended approach is to instantiate the user at startup with "username" and password but without any roles. Then I would like to add/remove roles by ticking checkboxes in a component in the login form and finally log in with the predefined user/pwd.
Can an instance of an in-memory user have its roles changed while the application is running? Or should I delete it and create a new instance of it every time I want it to have different roles? Is this even the best and simplest way to go about it?
This is only during development, for convenience.
Thanks in advance
Inject UserDetailsManager and use its updateUser() method to update its roles:
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.stereotype.Service;

@Service
public class SingleUserSwitchService {

    @Autowired
    private UserDetailsManager userDetailsManager;

    public void changeUserRoles(String... roles) {
        // Build the new authority set from the role names passed in
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // updateUser() replaces the stored record, so the password has to be supplied again
        User user = new User("login", "password", authorities);
        userDetailsManager.updateUser(user);
    }
}
Here, I assume that your user login is 'login' and you hardcode the password.
Then you just need to call your service with the list of the desired roles.

grails and spring security acl: show only some instances of a domain class

I'm using Spring Security ACL in my Grails project to manage access to my application. I can create an Admin and a User with different permissions in the application.
Now I want a particular user to be able to see only some instances of a domain class. That is,
given the following domain class:
class Patient {
    String name
    String surname
    ...
}
Suppose that there are 3 Patient objects created.
I want that, if I log in with
username = test1
password = test1
I can see only the Patients that belong to this User.
I think that, when I create a new Patient, it needs to be stored that this Patient belongs to the currently logged-in User.
How can I do that?
EDIT:
Another problem is that, if I change the id part of the URL for show, I can see all the Patients that were created. I want that, if I change the URL manually, I get an access error. Is that possible?
EDIT 2:
How can I get the role of the currently logged-in user? I've tried the code from How to get current user role with spring security plugin? but I cannot call getAuthorities() because it tells me that it does not exist.
I've solved EDIT 2 in the following discussion: grails exception: Tag [paginate] is missing required attribute [total]
I still need to solve EDIT 1.
Thanks
If I understand you right, you need to define belongsTo. This will create a mapping in the database from Patient to User.
Edit: to get the currently logged-in user use
class SomeController {

    def authenticateService

    def list = {
        def user = authenticateService.principal()
        def username = user?.getUsername()
        .....
        .....
    }
}
To map to the user, change the logic in the controller or use events to create the mapping.
Edit: edit the create action:
class PatientController {

    def authenticateService
    ...
    def create() {
        def patientInstance = new Patient(params)
        // principal() returns the Spring Security UserDetails object, not the GORM User entity,
        // so reload the domain instance by username before assigning the belongsTo association
        patientInstance.user = User.findByUsername(authenticateService.principal().username)
        ...
        [patientInstance: patientInstance]
    }
    ...
}
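The EDIT 1 problem (changing the id in the URL shows someone else's Patient) is an insecure direct object reference, and belongsTo alone does not fix it: the show action also has to check ownership. The following is an added example, not the answer's code or the plugin's, written against the Spring Security Core plugin's springSecurityService rather than the Acegi authenticateService used above. The User and Patient classes, the ROLE_USER name and the 1.x annotation package grails.plugins.springsecurity.Secured are assumptions.

```groovy
// Added example: ownership is part of every lookup, so a tampered id finds nothing.
// In a real project each class lives in its own file under grails-app/domain and
// grails-app/controllers.
import grails.plugins.springsecurity.Secured

class Patient {
    String name
    String surname
    static belongsTo = [user: User]   // owner; set by the controller, never from the form
}

class PatientController {

    def springSecurityService

    @Secured(['ROLE_USER'])
    def list() {
        def owner = currentUser()
        def max = Math.min(params.int('max') ?: 10, 100)
        // Only the caller's own rows; the total is what <g:paginate> needs (see EDIT 2).
        [patientInstanceList: Patient.findAllByUser(owner, [max: max, offset: params.int('offset') ?: 0]),
         patientInstanceTotal: Patient.countByUser(owner)]
    }

    @Secured(['ROLE_USER'])
    def show(Long id) {
        // The ownership check is part of the query, so an id belonging to another
        // user behaves exactly like a non-existent id: one 403 for both cases,
        // and the response leaks nothing about other people's patients.
        def patientInstance = Patient.findByIdAndUser(id, currentUser())
        if (!patientInstance) {
            response.sendError(403)
            return
        }
        [patientInstance: patientInstance]
    }

    @Secured(['ROLE_USER'])
    def save() {
        def patientInstance = new Patient(params)
        // Assigned after data binding, so a 'user.id' request parameter cannot override the owner.
        patientInstance.user = currentUser()
        if (!patientInstance.save(flush: true)) {
            render(view: 'create', model: [patientInstance: patientInstance])
            return
        }
        redirect(action: 'show', id: patientInstance.id)
    }

    private User currentUser() {
        // principal is a detached GrailsUser, not the GORM entity, so reload it by id.
        User.get(springSecurityService.principal.id)
    }
}
```

Doing the check as a query condition rather than loading the Patient and comparing afterwards means there is no code path in which a foreign record is ever handed to the view, and the same pattern (findByIdAndUser, findAllByUser) applies to edit, update and delete.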

How to implement grails bean

In my Grails application there are ten domain classes, and every domain class has one comment field in common. It consists of the currently authenticated user together with the current timestamp.
How can I implement the above comments using beans?
Create a Comment domain class:
class Comment {
    String message
    static belongsTo = [User]   // add this, or leave it out, for all ten of your domains
}
Then you need to associate it with, let's say, ten of your domain classes, e.g. User:
class User {
    String username
    static hasMany = [comments: Comment]   // if you have many comments in one pass, or
    Comment comment                        // just a one-to-one relationship, one record per login
}
And the bean:
You can create a CommentService just for operating on the Comment and your domain class; Grails creates a DI bean automatically once you create CommentService under services,
and you could have a sample service method which will be injected:
def registerInfo(params) {
    // do some comment and domain related stuff
}
like in a controller login:
def commentService

def signin() {
    commentService.registerInfo(params)
}
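An added example (not the answer's code) of the "current user plus timestamp" stamp applied through one service for all ten classes, so the author is taken from the session and never from the request. It assumes the Spring Security Core plugin (springSecurityService), a Patient class standing in for one of the ten, and that each of the ten declares hasMany = [comments: Comment]; the class and method names are assumptions.

```groovy
// Added example: Comment carries who wrote it and when, and CommentService is the
// only place that creates one. Each class belongs in its own file in a Grails app.
class Comment {
    String message
    String createdBy     // username of the authenticated principal, set server-side
    Date dateCreated     // filled in by GORM's autoTimestamp on insert

    static constraints = {
        message blank: false, maxSize: 2000
        createdBy blank: false
    }
}

class Patient {
    String name
    String surname
    static hasMany = [comments: Comment]
}

class CommentService {

    static transactional = true

    def springSecurityService

    // Works for any of the ten domain classes: anything with a comments collection
    // gets a stamped Comment attached and persisted in one transaction.
    Comment addComment(owner, String message) {
        def comment = new Comment(message: message, createdBy: currentUsername())
        owner.addToComments(comment)
        owner.save(flush: true, failOnError: true)
        comment
    }

    private String currentUsername() {
        // principal is a plain String ('anonymousUser') when nobody is logged in,
        // so guard before reading .username.
        springSecurityService.isLoggedIn() ? springSecurityService.principal.username : 'anonymous'
    }
}
```

A controller then injects commentService and calls commentService.addComment(patientInstance, params.message); the request only ever supplies the message text, and createdBy/dateCreated are filled in by the service and GORM.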

Grails with Shiro - How to assign specifice permission to perticular user even he has role based permission

I installed the Shiro plugin in my application. I assigned one complete controller to the role 'ROLE_DEVELOPER', so if any user comes under ROLE_DEVELOPER he can access all actions of that controller. But here I want to remove two actions of that controller, so please suggest something.
Here is my code:
def shiroRole = new ShiroRole()
shiroRole.name = 'ROLE_DEVELOPER'        // create the developer role
shiroRole.addToPermission('Person')      // assigned permissions for the Person controller with all actions
shiroRole.save()
Now I am going to create one user with ROLE_DEVELOPER and assign permissions for some actions only, like Person controller: create and list only.
def shiroUser = new ShiroUser()
shiroUser.username = 'username'
shiroUser.passwordHash = new Sha256Hash("password").toHex()
shiroUser.addToRoles(ShiroRole.findByName('ROLE_DEVELOPER'))
shiroUser.addToPermissions('person:list,create')
shiroUser.save()
So here shiroUser should not be able to access all the actions assigned to ROLE_DEVELOPER.
I don't know how to do this using the pure Shiro API, but it can be done using Grails filters.
Something like this:
import org.apache.shiro.SecurityUtils
import org.apache.shiro.subject.Subject

class ProjectFilters {

    def filters = {
        // Grails filters match on the logical (lower-case) controller name
        all(controller: 'person', action: '*') {
            before = {
                Subject subject = SecurityUtils.getSubject()
                //boolean hasRole = subject.hasRole('ROLE_DEVELOPER')
                //boolean hasPermission = subject.isPermitted("person:${actionName}")
                boolean denied = false   // your logic here
                if (denied) {
                    redirect(uri: '/access-denied')
                    return false
                }
            }
        }
    }
}
you don't need filters. :-)
I never used
shiroRole.addToPermission('Person')
but from your question I guess that's equal to
shiroRole.addToPermission('Person:*')
giving the owner of the role access to all actions of the Person controller.
It seems that you now would like to remove some of the permissions for one of the users by assigning permissions to this special user. But that's not the way it works. AFAIK there is no way to remove permissions, and that's OK because it is more secure...
Shiro works in the following way:
Permissions like a:b give a user access to controller a and action b. A role is a collection of permissions. Permissions are additive.
So if you create a role
def shiroRole = new ShiroRole()
shiroRole.name = 'ROLE_USER'                       // create the role
shiroRole.addToPermission('Person:list,show')      // grant only list and show on the Person controller
shiroRole.save()
and a user
def shiroUser = new ShiroUser()
shiroUser.username = 'username'
shiroUser.passwordHash = new Sha256Hash("password").toHex()
shiroUser.addToRoles(ShiroRole.findByName('ROLE_USER'))
shiroUser.addToPermissions('person:create,save')
shiroUser.save()
this user will have access to Person:list and Person:show from the assigned role and Person:create and Person:save from his direct permissions.
As you can see, most of the time it is enough to work with roles and avoid using direct permissions.
I hope this helps...
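The additive model the answer describes can be exercised against plain Shiro without Grails. The script below is an added example, not code from either answer or from the plugin: a small AuthorizingRealm backed by maps plays the part of the ShiroUser/ShiroRole tables, and two logins show first why the questioner's setup still grants person:delete and then how the answer's split works. The usernames, passwords, role names and permission strings are constructed for the demo, and @Grab fetches shiro-core from Maven Central on first run.

```groovy
// Added example: Shiro unions role permissions with a user's direct permissions.
// A direct permission can only add, never subtract.
@Grab('org.apache.shiro:shiro-core:1.2.3')
import org.apache.shiro.authc.AuthenticationInfo
import org.apache.shiro.authc.AuthenticationToken
import org.apache.shiro.authc.SimpleAuthenticationInfo
import org.apache.shiro.authc.UsernamePasswordToken
import org.apache.shiro.authz.AuthorizationInfo
import org.apache.shiro.authz.SimpleAuthorizationInfo
import org.apache.shiro.mgt.DefaultSecurityManager
import org.apache.shiro.realm.AuthorizingRealm
import org.apache.shiro.subject.PrincipalCollection
import org.apache.shiro.subject.Subject

// Stand-in for the plugin's DB-backed realm (constructed data, no database).
class MapRealm extends AuthorizingRealm {
    Map<String, List<String>> rolePermissions   // role name -> permission strings
    Map<String, Map> users                      // username  -> [password:, roles:, permissions:]

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        def user = users[token.principal as String]
        // Plain-text credential for the demo; the Grails plugin stores a Sha256Hash instead.
        user ? new SimpleAuthenticationInfo(token.principal, user.password, name) : null
    }

    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        def user = users[principals.primaryPrincipal as String]
        def info = new SimpleAuthorizationInfo(user.roles as Set)
        // Union of every role's permissions plus the user's own: this is the whole model.
        user.roles.each { role -> info.addStringPermissions(rolePermissions[role] ?: []) }
        info.addStringPermissions(user.permissions)
        info
    }
}

// Build the subject explicitly so the script does not depend on SecurityUtils' thread state.
Subject loginAs(MapRealm realm, String username, String password) {
    def subject = new Subject.Builder(new DefaultSecurityManager(realm)).buildSubject()
    subject.login(new UsernamePasswordToken(username, password))
    subject
}

// 1. The questioner's setup: a wide role plus a narrow direct permission.
def questionRealm = new MapRealm(
    rolePermissions: [ROLE_DEVELOPER: ['person:*']],
    users: [dev: [password: 'secret', roles: ['ROLE_DEVELOPER'], permissions: ['person:list,create']]])
def dev = loginAs(questionRealm, 'dev', 'secret')
assert dev.isPermitted('person:list')
assert dev.isPermitted('person:delete')   // still granted by person:* from the role

// 2. The answer's fix: the role carries only what everyone in it should have.
def answerRealm = new MapRealm(
    rolePermissions: [ROLE_USER: ['person:list,show']],
    users: [limited: [password: 'secret', roles: ['ROLE_USER'], permissions: ['person:create,save']]])
def limited = loginAs(answerRealm, 'limited', 'secret')
assert limited.isPermitted('person:list')      // from ROLE_USER
assert limited.isPermitted('person:create')    // from the direct permission
assert !limited.isPermitted('person:delete')   // granted by nobody
println 'permissions are additive: only the narrower role removes access'
```

The point to take from the two realms is that the restriction has to be expressed by what is granted, never by a second, narrower grant layered on top of a wide one; once person:* is on a role, every member of that role has it.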

Spring Security (Acegi) and user Groups (vs. Roles)

We're developing an app (using Grails Spring Security, formerly Acegi) in which we'll have thousands of users that span 10-15 discrete user types. In the current system, each user type equates to a "group", and the specific roles and permissions are tied to the group. The user gets all their "roles" from the group.
For example, we might have two user groups:
CLOWN: roles = ride_clown_car, toot_horn, receive_applause
ACROBAT: roles = do_flip, walk_tightrope, receive_applause
We have three users, one assigned to the CLOWN group, one assigned to the ACROBAT group, and one assigned to both (who has the union of the CLOWN and ACROBAT roles).
If we change permissions, we do so at the group level. For example, if we add a swing_on_trapeze permission to the ACROBAT group, all acrobats will automatically inherit it.
In Grails terms, the permissions on the controllers would still be at the role level. So an action with @Secured(['toot_horn']) would allow users in the CLOWN group but not in the ACROBAT group. @Secured(['receive_applause']) would allow both CLOWNS and ACROBATS.
How would I do this in Spring Security given the two-tiered nature of the model (user, role)? Do I need to implement my own custom authentication to collect roles via groups?
Thanks!
You should be using the new Spring Security Core plugin since the Acegi plugin isn't being developed and is basically deprecated.
But either way, both plugins just expect that there's something like a getAuthorities() method in your user class that returns role instances. In a scenario like this where the user has many groups, just collect all of the groups' roles:
class User {
    ...
    def getAllRoles() {
        Set allRoles = []
        groups.each { allRoles.addAll it.roles }
        allRoles
    }
}
This assumes that you have a many-to-many between User and Group:
static hasMany = [groups: Group]
and Group has a many-to-many with Role:
static hasMany = [roles: Role]
To use this set the 'relationalAuthorities' property to 'allRoles' in SecurityConfig.groovy so it uses that instead of the many-to-many between user and role:
relationalAuthorities='allRoles'
There's no configuration required for the Spring Security core plugin since it depends on an application-defined getAuthorities method already, so just use something like this in your User class:
Set<Role> getAuthorities() {
    Set allRoles = []
    groups.each { allRoles.addAll it.roles }
    allRoles
}
