I have a grails 2.0 app with the spring-security-core 1.2.6 plugin. I have different pages that have a #Secured annotation with different roles (ROLE_USER and ROLE_ADMIN). This works but when I try to access either a user or admin secure page I get redirected to the same login page. I would prefer to tailor this login page to the roles that was requested.
For example, if a unauthenticated user tries to access a ROLE_USER page, I would include a link to the user signup page, but if they tried to access a ROLE_ADMIN page, it should not.
Is there a way to access the requested roles in the login page, or alternatively a method for getting a list of roles for a given URL?
To use two different login pages you must create a custom AuthenticationEntryPoint. Here is an example already on SO: Different login controllers in Grails project with Spring security.
To send the user to a different location based on the roles that they have, create your own custom SuccessHandler and based on what role the user has send them to a different page.
Here's a link to a blog post I found.
Hope that helps.
Related
I am implementing a basic login app. here are the features:
Upon successful login, there should be a welcome page that shows the name, username and role (manager/user).
If the user has a manager role, the welcome page will have a link to access a restricted webpage.
This restricted webpage can only be accessed by a manager role and not by other user roles.
implement logout functionality.
If the userid or password is not valid, I should remain at the login page with an error message "Invalid userid or password".
All data should be stored in a database.
The application should demonstrate MVC pattern...
my schema:
enter image description here
i am using react js for the front end. i build the backend using spring security with the role-based authorization where certain url can be accessed by certain role. i already do a testing on backend end using postman where i try to access /restricted and it responded with 401 if i use ROLE-USER instead of ROLE-MANAGER by using the mvcMatchers(). now the confusing part is the frontend
i noticed i can do all the necessary validation on the front end. i dont even need to do mvcMatcher() on the backend as i can just load the userdetails and roles and ask react to validate for me! hell, i dont even need to use role-based authorisation. i just need to add extra field in user table named "role" and use that to check for item 3 and display the role on item 1. i just need 1 table, not 3. i can even ask react to redirect to /login if user is trying to access /welcome without login, or disable /unauthorised if user role is USER.
but i dont feel right about this way. i'm confused.
a. whats the best approach?
b. is role-based only applicable to rest-api services, not full stack app? from what i see front end can do ALL validation
back end repo
front end repo
a. The Best approach is to have authorization at the back-end level because your React front-end is not the only way to access the back-end. If the back-end doesn't have authorization implemented, then even if you have validation on the front-end, a malicious user can use any other HTTP client to access the back-end without authorization.
b. Role-based authorization is applicable in all scenarios in which you want to allow access to resources based on user roles, no matter which stack is used.
I'm building an app which have two user models: user and user_admin, user_admin is provided with activeadmin via devise and user was created with devise too. I created main page, some resources, and admin page, now I want to restrict access to any admin page via cancan. So to summarize:
User is on main page, then go to same other page, devise redirect him to sign_in
after sign in user can browse pages, but if he will want to go on /admin cancan should be give him 404 or give access to admin pages
only if he has admin role, then he must sign in with another
user_admin account.
So how I can describe in ability restriction to admin pages, some problems are:
I don't know where is Admin::DashboardController#index thus I can't check here role and make redirect to 404
Also Active admin is generating dynamically routes so I can't use that either.
How can I make it working?
I'm currently building a web shop (which is supposed to support multi tenancy).
So my approach is to have a url setup like
appName/shops/shop1/controller/action
appName/shops/shop2/controller/action
Depending on the shop (shop1 or shop2) I have a different assortment. Then I have a list with items and a button to add them to the shopping cart. This action is secured an only accessible for logged in users.
My Problem is the following:
Default behaviour when clicking the "secured" button is to get redirected to appName/login/auth. This way I'm losing context of the shop that the user was browsing. I'm not sure if I can provide the context/shop to the auth process in a way that I can redirect to the respective shop after a successfull log in.
Another approach would be to provide a custom button instead that redirects to the login page if the user is not logged in which provides the context/shop name.
You can use the following scheme for the urls instead:
shop1.appName/controller/action, shop2.appName/controller/action. The login urls for each of the subdomains (shop1, shop2) will be: shop1.appName/login/auth, shop2.appName/login/auth. This way the context will never be lost. In case, you want the logged in user also is able to access appname/otherController/action as well (without logging in again), you may need to do something like this: http://www.intelligrape.com/blog/2012/03/21/sharing-http-session-between-subdomains/
I have an asp.net mvc application. I have administration page to manage users. Have a scenario where admin adds new users and those uses have its own logins. Say admin creates a user 'testuser' and the testuser logs in to the application. Meanwhile admin deletes 'testuser'. The every next click of 'testuser' must redirect to login page. How can this be done? Is this managed through web.config, or whether this can be managed using the Base Controller(All controllers inherit from Base Controller).
I'd create an overload of the AuthorizeAttribute class where you'll check the database for every request wheither the user is still allowed to be logged in in the administration page.
I don't know what your requirements are with regards to the amount of users that will use the administration section, but this can become heavy on the database to have an extra database call on every authorized action.
I know that I can use annotation or Request mapping to restrict access to an ACTION by some specific ROLES. But now I have a different circumstance.
My scenario is: every user of my site can create posts, and they can make their own post public, private, or only share to some other users. I implement sharing post by a database table PERMISSION, which specify if a user have the right to view a post or not.
The problem arises here is that when a customer access a post through a direct link, how can I determine he/she have the privilege to view it? There's 3 circumstances:
The post is public, so it can be viewed by anyone (include not-login
user)
The post is private, so only the login-owner can view it
The post is sharing, it means only the login-user that is shared and the
owner can view it.
I want to process like this:
If the requested post is public: ok.
If the requested post is private/sharing: I want to redirect
the customer to the login page; after
logging in, the user will be re-direct
to the page he wants to see.
The problem here is that I can redirect the user to login controller/ auth action, but after that I don't know how to redirect it back. The link to every post is different by post_id, so I can't use SpringSecurityUtils.securityConfig.successHandler.defaultTargetUrl
Could anyone know a way to do this?
Dunno about grails, but spring security has a spring-security-redirect parameter which can be used to redirect the user to the specified url on successful authentication.
I think you could add your own filter that will be executed before the action is called and do the verification of the post permissions there. You can find more information about Grails Filters here.
Have you looked at the Grails Spring Security ACL plugin? I don't know it very well, but it's designed to restrict access to particular instances:
http://grails.org/plugin/spring-security-acl
I have found a quick workaround for this problem:
If the user is logged in: check the user's privilege, and return the appropriate result.
If the user is not logged in: At view action, set the post_id by:
session.post_id = 8
Redirect the user to the Login Controller/ Auth action.
At checkrole action(which is my grails.plugins.springsecurity.successHandler.defaultTargetUrl in Config.groovy), if session.post_id exists, use it to build the link for re-directing to the view action. Before redirecting, clear the session.post_id.