I have just started using grails and installed the spring-security and spring-security-ui plugins. I am following the tutorial given here. The application starts with one bootstrapped user me with ROLE_ADMIN permission.
With the UI override scripts I was able to get the register functionality up and running and it works all right. Now, I have installed the User Management scripts (grails s2ui-override user) to try adding, editing, removing users.
A new user gets created fine, I have checked this against the HSQLDB instance. However, if I now log-out from the application and try to login with the newly created user the application tells me that it is unable to find a user with the provided username and password.
I haven't modified the default logout handling so am using /j_spring_security_logout which as the documentation says invalidates the session.
Is this a know issue? If so how can I get around this or if not how can I debug this issue?
EDIT:
This issue is also persisting without the UI addition. Register as a new user. Once you finish e-mail verification you are auto-logged in to the site. Now logout and try to login in back again. It gives the same error.
FINAL EDIT:
The UI plugin comes with the RegisterController that still encodes the password. However, the newer domain classes that come with the core are also doing this and the recommended practice is that controllers shouldn't. I commented out a line that does the encoding and the login/logout works now at least for the basic scenario.
There is a warning on that tutorial
Earlier versions of the plugin didn't include password encryption logic in the domain class, but it makes the code a lot cleaner.
I am guessing security-ui plugin does not know about that change, and comparing unencrypted password with the encrypted one on the database.
l managed to fix my problem. The problem was double encryption. Under the spring security ui in the user controller on line 41 the password was being encrypted and then again by the domain class so on login it was comparing a double encrypted password and a single encrypted password. To solve the problem l just commented out line 41 in the user controller which was encrypting the password
EDIT: If you have trouble figuring out where one would go to edit the controller, you can find the source code of the downloaded plugins in your user home's
/.grails/version/projects/projectname/plugins
directory for editing (at least on Mac / Linux, dunno where you'd find it in windows).
Related
I am trying to have SCM Manager accept users from my organization so they can log in using their Windows username and password. I have installed the LDAP plugin, but it still doesn't recognize my own windows username and password from my organization
I don't really understand - I think I shouldn't even need LDAP and some kind of basic authentication should be able to figure out my username password on windows active directory etc type of thing...
Do I need the SSL to do this? It says various things about a binding problem.
I am using the custom LDAP profile. I put wsproxy in the proxy server area and enabled. I have no idea what that means but it was the same configuration that I saw in a previous installation of SCM-server that worked with organizational credentials on windows server.
This problem occurred after upgrading from version 1.6 to 2.9.
Though I was not the person who set it up on v1.6.
UPDATE: what's needed is not LDAP plugin, but rather understanding how to configure active directory for SCM - previously, in 1.X versions active directory plugin worked under the hood - now it needs to be configured and I have no idea how -- also the active directory plugin for 1.X is no longer available - if you could provide me with that code I might be able to see how it connects to AD and then go from there on version 2.X - any chance you can get me access to the code of https://bitbucket.org/sdorra/scm-manager/wiki/active-directory-plugin??
We have an issue for the LDAP plugin saying that the migration of the ldap password may fail (though I cannot reproduce this), so maybe this happened with your migration, too. Proxy settings should not play any part in this game, because as far as I know company ldaps aren't behind a proxy.
The configuration for 2.x should be the same as for 1.60. We haven't changed anything here. So first I would try to reenter the "Connection Password". If this still fails, please use the "Test connection" feature. Enter a valid authentication here. This tells you, on what level the connection fails and may show you an exception with further information.
Feel free to post your results here for further investigation.
Preamble
I'm designing an API gateway for a Grails microservice federation. This issue seems related to a bunch of issues already filed in this repository but nothing provides a solution.
Versions and Configurations
Grails: 3.2.2
Tomcat: 8.5
Plugin versions:
compile 'org.grails.plugins:spring-security-core:3.1.2'
compile "org.grails.plugins:spring-security-rest:2.0.0.M2"
I'm using spring security rest plugin for only token authentication. I'm doing the authorization part myself by returning ROLE_NO_ROLES for all the users in getAuthorities(). I intercept all the requests and authorize the access based on my own authorization schema stored in DB.
Problem:
With these configurations and strategy, my code works as desired when I run it on my local system. When I deploy it on a server as a war file in tomcat, it works fine for all the requests to the gateway, i.e., for all requests of the pattern /umm/controller/action. Spring security context is there and the user is evaluated perfectly.
When I try to call other microservices by redirection with requests of the form /umm/microservice/controller/action, springSecurityService.getCurrentUser() and springSecurityService?.principal?.username start to return null. Although my token gets evaluated perfectly, yet I'm not getting any security context.
For details, have a look on this issue. The details for reproducing the bug are also provided in the aforementioned issue.
The whole project is available here.
Update: May 19, 2017
I tried deploying my war in a Tomcat on my local machine. This question and this question provide following solutions.
disabling tomcat cache
setting
grails.plugin.springsecurity.sch.strategyName = org.springframework.security.core.context.SecurityContextHolder.MODE_INHERITABLETHREADLOCAL
Nothing seems to work so far. SecurityContextHolder is returning null anyway. All the user retrieving functions of SpringSecurityService viz. getCurrentUser(), getPrincipal(), getAuthentication() and loadCurrentUser() return null.
Update: May 23, 2017
To narrow down the problem, I executed the standalone war using
java -Dgrails.env=prod -jar build/libs/mywar-0.1.war
Now for any non-umm request, I get a 404, page not found. I think the problem is with the production environment. The app works completely fine in the development.
Also tried grails run-app which works fine. To rule out the problem with the production environment, I created the war using grails dev war but to no avail. Nothing works so far for the war.
Update: May 25, 2017
I should probably ask this http://security.stackexchange.com but for the record, I'm asking it here too.
The answer provided by me below contains a workaround fix. The mechanism by which the fix works is explained in the answer. My question is:
Does this approach introduce any vulnerability or loophole in the security system?
Is this authorization schema safe or needs to be revised?
I'm authenticating through the plugin but authorizing myself. Can somebody bypass the security filters and hit the authorization interceptor directly? Because if someone can do that, he will only have to give me an admin's username in the same format as the token does and he'll have access to everything.
Workaround
I got a workaround fix to the problem. Since I needed only the username, I grabbed the rest token in my interceptor, decoded it and extracted the username out of it.
Here goes:
def extractUsername(def token){
Base64 coder = new Base64()
def tok = token - "Bearer "
def principal = tok.tokenize(".")
def dec = coder.decode(principal[1])
def sub = new String(dec)
def user = sub.tokenize(",")
def username=user[1].tokenize(":")
username = username[1]-"\""
return username-"\""
}
It worked for me because I didn't need to check the springSecurityService.Principal object. Had it been the case, I wouldn't have been able to get the username. springSecurityService.Principal and springSecurityService.getCurrentUser() are still returning null. The issue is not resolved yet. I'm answering because I didn't get even a single comment despite having a bounty. Answer to the original question is still welcome if anybody can explain why spring-security-plugin is behaving this way.
Edit: May 25, 2017
The workaround I used is based on the structure of the token and the fact that username is embedded in the token and token is simply base64 encoded.
This is the original token generated by spring security REST plugin for grails:
eyJhbGciOiJIUzI1NiJ9.eyJwcmluY2lwYWwiOiJINHNJQUFBQUFBQUFBSlZTUDBcL2JRQlJcL0RrRkJpbWdCcVpVNjBLVjBxeHlKanBsSVNwRXFLNmthc2xDcDZHSVwvM0lQem5iazdrMlNwTXBXQkFVU0xWSld2d0RlQmhROVF0VU5YNXE1OVp3aE91eUJ1c2ZYdTU5K1wvNTdNcm1EWWFYc2FhY1dIOFZHUXhsNzVKTlpleHdURFQzQTc5ektDTzBPYUl0UnpZcFFsY0g2OEVYZ0FsSGxsWUNMYlpIcXNKSnVOYXU3ZU5vYTBQTkN3ckhkOHdibW1XWUZcL3BIZitXTzFRYVwveEVvcUwzdkphaHN3RHdMUTVWSjIxSnlkWkJ5amRFR3pCV3pRSVU3YnZRb3BCdVVsak5oSnFFVmxLd25NQXFneWpMN1VaRXFSMlBoNGJYWnpISlI2NkN0QnpDVE1tUEkzWDlKT3RaWmRcL2ZPcHFRRXVcL0FKeW9QVW8wUGRQWGRRM1wvSDRUU1VFcGVaS21xV3VURlRFdDdnVEpcLzdSNHZIbDRlbW9Xd0tnVGw3Y1wvVTB4ZjlLQTBmbUhQMFwvem9yM1F3dU1KNndXc1Brakp6WHpCdks3UktmXC80OXZiTHlkWCsreWxTZG9qWDk5XC9IMHNwTmM4T21TbEttbVZVVE95TGFmdG05RTNuamJ2THhGb1oraHllcFFQcWpwTVhvVnFJZ3ByaGxyY1M0Ynd1ejc5ckI2bWFydmVtZUhUZXBzQ2poOGxXRHBCXC9reWQzS1wvRURSd2c1K0gxMGNQdnRKTkc5Z2VvK0pES240dVFMVXlwSWU2czluSjR2VnI3OE84aGpqWFwvb3Z4RG9UU3hZREFBQT0iLCJzdWIiOiJhZG1pbkRCIiwicm9sZXMiOlsiUk9MRV9OT19ST0xFUyJdLCJleHAiOjE0OTU3MTU3OTMsImlhdCI6MTQ5NTcxMjE5M30.MPEXURGhJo5s75LfUSm5ckG99Byc7FCLyj1gYZJu1zk
This is decoded version:
"principal":"H4sIAAAAAAAAAJVSP0/bQBR/DkFBimgBqZU60KV0qxyJjplISpEqK6kaslCp6GI/3IPznbk7k2SpMpWBAUSLVJWvwDeBhQ9QtUNX5q59ZwhOuyBusfXu59+/57MrmDYaXsaacWH8VGQxl75JNZexwTDT3A79zKCO0OaItRzYpQlcH68EXgAlHllYCLbZHqsJJuNau7eNoa0PNCwrHd8wbmmWYF/pHf+WO1Qa/xEoqL3vJahswDwLQ5VJ21JydZByjdEGzBWzQIU7bvQopBuUljNhJqEVlKwnMAqgyjL7UZEqR2Ph4bXZzHJR66CtBzCTMmPI3X9JOtZZd/fOpqQEu/AJyoPUo0PdPXdQ3/H4TSUEpeZKmqWuTFTEt7gTJ/7R4vHl4emoWwKgTl7c/U0xf9KA0fmHP0/zor3QwuMJ6wWsPkjJzXzBvK7RKf/49vbLydX++ylSdojX99/H0spNc8OmSlKmmVUTOyLaftm9E3njbvLxFoZ+hyepQPqjpMXoVqIgprhlrcS4bwuz79rB6marvemeHTepsCjh8lWDpB/kyd3K/EDRwg5+H10cPvtJNG9geo+JDKn4uQLUypIe6s9nJ4vVr78O8hjjX/ovxDoTSxYDAAA=","sub":"adminDB","roles":["ROLE_NO_ROLES"],"exp":1495715793,"iat":1495712193
The principal here is signed and encrypted but the username is not encrypted. So it can be easily extracted by the code given above.
I have installed the below plugins
compile 'org.grails.plugins:spring-security-core:3.1.1'
compile "org.grails.plugins:spring-security-oauth2:1.1.0"
compile "org.grails.plugins:spring-security-oauth2-google:1.1.0"
Spring security core is working properly.
But I am having issues in implementing the oauth-google authentication.
The plugin documentation says we need to pass the api_key and api_secret. I have created a project in console.developers.google.com and have created the API Key and Oauth Keys, I am confused on which values to use in the application.yml.
Because as per console.developers.google.com the API key and Oauth Key are separate credentials.
Any suggestion on from where to get and how to set the below values would be helpful.
api_key: 'AIzaSyBjfn345tg6j0ol1e89kHMOY'
api_secret: 'xseettDDNtjjuutrfuAFTe4d'
successUri: "/oauth2/google/success"
failureUri: "/oauth2/google/failure"
callback: "/oauth2/google/callback"
scopes: "some_scope"
api_key and api_secret
I took those keys from console.cloud.google.com/
API Manager > Credentials > Create / Edit the entry
then Client ID and Client Secret are the needed values. Other parameters are paths within the Grails app itself, I believe you can change those if you want to override the default behaviour of the plugin.
But there's more ...
Remember about whitelisting your callback address (done on the very same panel). For local connection I set it (on Google API Manager) as
http://localhost:8080/oauth2/google/callback
Remember that apart of calling grails s2-quickstart com.yourapp User Role you need to call also grails init-oauth2 ... (described here - https://github.com/MatrixCrawler/grails-spring-security-oauth2).
Next thing I had to was to override the default login page to be able to display the link mentioned here https://github.com/MatrixCrawler/grails-spring-security-oauth2-google <oauth2:connect provider="google" id="google-connect-link">Google</oauth2:connect>. The default ones are here https://github.com/grails-plugins/grails-spring-security-core/tree/master/grails-app/views/login you just have to copy them to grails-app/views/login/ and modify them.
Next problem was that script from point 2 didn't add static hasMany = [oAuthIDs: OAuthID] field to User domain, which caused the ask view submit to crash.
After that, the Google Oauth2 authentication worked for me.
I am developing test application for displaying claims of authenticated identity in MVC-ASP.net (Visual studio 2013)
I have given authentication from active directory in following way.
1.Add new mvc project in solution .
2.click on Change authentication.
3.select organization account
4.select on premises.
5.given federation url
6.App Id url
After running the application i am getting following error.
WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'http://websso.avanade.com/adfs/services/trust'
This error is coming only for this federation for other federation i am able to see claims.
After searching on internet i am thinking that it is certificate(thumbprint) issue.
But I am not clear with solutions.
Can anybody explain me why this error throwing and solution for the same.
Thanks in Advance !!!
There could be 2 causes for this error.
Missing thumbprint in web.config: Get the actual thumbprint from ADFS and put in web.config under the thumbprint tag
Mismatch in port number between the site and ADFS configuration: Update ADFS configuration with the url containing the correct port number
The second solution fixed it for me...
I ran into this while trying to update a legacy MVC application to use AAD.
I based the changes on a newly created project with organizational authentication and noticed I did not have a connection string named DefaultConnection, which the DatabaseIssuerNameRegistry assumes you will, nor did I have either of the required tables in the database.
Using Vittorio Bertocci's great post with all the details, I refactored the code to integrate the new database tables, created and applied a migration, and inserted the appropriate key and tenant in the new IssuingAuthorityKey and Tenant tables, respectively. I also had to make sure to change the DatabaseIssueNameRegistry to use the existing DbContext.
For solutions created in VS2013 and later, the solution should contain the logic to roll over keys automatically. No need to put the value in the web.config file.
You might run into this issue when migrating your solution from local to another environment. In that case you will probably try to point your solution to a new application in Azure Active Directory. Check the following:
Make sure all urls in the web.config are pointing to the correct url not the one automatically generated when you set it up locally
Remove all enteries from IssuingAuthorityKeys table. The keys will autopopulate when you re-build the solution and run it. On the server you might need to replace the dlls manually for it to refresh
Last and most important, delete all rows from the Tenants table. On the first run on the new environment, an Admin from the owning Active Directory has to sign up and authorize the application.
If the values in both tables are still not populated automatically after these steps, check this article for steps on how to manually get the values.
Thumbprints and server names are case sensitive in web.config. make sure they are typed correctly and restart IIS.
It fixed my issue.
So I have an application that works perfectly on my desktop, and also works perfectly when deployed to tomcat on a windows machine. However, when I attempt to use this application while deployed on the same version of tomcat, but on AIX, it fails to retrieve data out of LDAP.
A user is able to successfully authenticate, but the context is null. DirContextOperations is passed into my ContextMapper as null. Does anyone know what ports that need to be open to get this data or what other configuration may need to be done? Based on what I am seeing it has to be a server configuration issue somewhere.
If you are using Spring Security LDAP plugin then it will be easy to co-relate the below mentioned configuration in AIX with the app. I prepared few snapshots for the configuration so that I do not clutter the answer space here. Have a look at LDAP config in AIX and try to setup the same in AIX Server.
Now coming to the LDAP plugin, there is nothing much other than setting up a bunch of properties is required. Values for these properties will be available once the LDAP configuration is done in AIX (as mentioned in the above mentioned slide).
Note:-
After creating a standalone LDAP, you might need to add realm if the user is associated to a group. I have not mentioned the same in the slides since I do not have an active LDAP host available now.
UPDATE
Instead of using BindAuthenticator can you try switching to PasswordComparisonAuthenticator for authentication.
Using the below setting in Config forces to use PasswordComparisonAuthenticator to authenticate and return back the DirContextOperations. Can this setting be tried?
grails.plugins.springsecurity.ldap.authenticator.useBind = false
#Refer LdapAuthentication Implementations.
I am not sure if this will be the answer in your case. I was also getting null in DirContextOperations object when trying to obtain values from Active Directory.
I was trying to get ldap attributes like this as the Grails LDAP plugin Documentation states:
String mail = ctx.originalAttrs.attrs['mail'].values[0]
and all those were null. So I have changed the line above for this one instead and it works for me:
String mail = ctx.attributes.getAt('mail').values[0].toString()