How to achieve authentication using an XML users file in grails? - grails

Being a newbie to grails, I want to learn how to authenticate users using an XML users file? For ex: A user is able to login only when the credentials(username & password) match with the one in XML file. Can anyone please help giving a simple example. I basically want to know what additonal classes are to be written or require modifications. Please guide!!!

The Spring Security Core plugin has pluggable support for the source of user authentication data. Neither the plugin nor Spring Security care where you get the data, just that you implement the required interface so the other classes can use it.
All you'd need to do is create a UserDetailsService implementation that parses the XML and creates a GrailsUser instance from there. See section "11 Custom UserDetailsService" in the documentation for an example customized class and description of how to wire things up.

why do you want to authenticate against a xml file containing user information? the easiest and quickest way would be to integration spring security by using the grails plugin http://www.grails.org/plugin/spring-security-core. the user is stored in the database and you can configure lots of things like crypto, acls, ...

Related

OpenEdge AppServer Spring Security

I would like to use the Spring security framework that OpenEdge has bundled with REST services. I have a table called os_user for users and would like to use this to validate credentials.
Does anyone know how to do this or have any experience with the Spring framework in OpenEdge?
Thanks to the article posted by Jensd (http://knowledgebase.progress.com/articles/Article/What-are-the-basic-steps-to-authenticate-REST-clients-against-the-OpenEdge-database-User-table) Following the steps there allowed me to create a custom class, which then runs as part of the spring authentication.
Implementing the appSecurity-form-oerealm option for Progress, under the OERealmUserDetails section has an XML property node with a name of "realmClass". In this property you specify the name of your custom class, which tells the spring framework to run this to validate credentials.
A ValidateUser method and ValidatePassword method must be in this class. These methods allow you to run any OE code you like to access your database and validate user credentials.
*Note that this method of authentication is for older "Classic" AppServers, and an older version of spring. Progress have now released PAS for OpenEdge which works differently.

Create Custom STS service

I'am looking at the capabilities of WIF in terms of SSO. Actually we have a "legacy" users & rights management database under SQLServer and we like to build a brand new SSO system on top of this exsting database.
In many tutorials I found they talk about using existing STS like ADFSv2 for Active Directory authorization, but It did not fit my needs because my users/rights are not exposed through AD but in a custom a specific business oriented SQL Server database.
So, I thing I need a custom Security Token Service in order to be able to emit my own custom tokens, but I don't know how to do this.
I need some little help or an example about how to achieve this.
Thank you
You can find STS example in WIF SDK. It contain an example with custom token. Look here
More detail information about SSO I seen in a book 'Programming Windows Identity Foundation'
You can build your own Custom Security Token Service leveraging the underneath SQL Server database. You will have to define your scopes and Claims that needs to be shared after user does a Single Sign On. Here are some links to some articles below that has helped me build mine. I am pretty sure by following the below links you will be able to build a custom STS catering to your needs.
WIF : http://chris.59north.com/post/Building-a-simple-custom-STS-using-VS2012-ASPNET-MVC
http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/
Care to explain why #paullem's answer was deleted?
It is in fact the correct answer!
The question is about an STS that authenticates using a SQL DB. That is EXACTLY what IdentityServer does.
Since it's open source, you can customize it any way you want or else use it as a guide.
So to repeat the answer - "Take a look at Thinktecture.IdentityServer........".
Update
You want a custom STS that supports SAML protocol and authenticates against a SQL DB?
WIF won't do this for you.
You need to look at something like Shibboleth or simpleSAMLphp but they are not .NET based.
Or take IdentityServer and add a SAML stack to it.
Refer: SAML : SAML connectivity / toolkit.
Be warned: This is not a trivial exercise!

Custom user authentication for specific screens in grails

I am using spring security core plugin in my grails application. but now I have a custom requirement.
I need to re-authenticate the user for some secret screens each time before opening these, even user is signed in already.
On re-authentication auth screen, I also want to add a secret pin code after username and password.
What will be the best way to implement this or is there any plugin available with this functionality ?
As far as I know there isn't any plugin that would address this for you. However, Glen Smith posted a few years ago how to implement your own custom authentication for specific URIs using the Grails Spring Security core plugin.
What he outlines there is very similar to what you will need to do:
Create a custom authentication object to hold the request.
Create a custom authentication provider to authenticate the request.
Create a custom security filter to apply to your URIs.
You should also note Burt's comment on the mentioned post about how to register custom authentication filters. This eliminates some of the code Glen provided.
Your implementation will be slightly more complex since you will need an additional filter to catch an authentication failure and route the user to the special login page. This is where things get quite tricky, but with the information above you should be able to get started and ask questions as you hit roadblocks.

Grails Spring Security plugin Access Control/Authorization without Authentication?

My problem:
I would love to use the Spring Security plugin's access control/authorization mechanism with my Grails application without having to use the plugin's authentication mechanism. The various Grails Spring Security plugin examples (like this one) I've found combine these two functions. Is there an easy way to just do access control?
Background:
I would like to add roles-based access control to my existing app. I would love to either just annotate my controllers or use the Config.groovy map approach for setting up the access control.
My app already has a user domain class.
The user domain class already handles encrypting passwords using BCrypt.
The app does not have a "role" domain class.
I already have controller actions, views and business logic for handling logging in and logging out. I have no interest in replacing this with the plugin's implementation.
On the right track, but not quite helpful:
I know this is possible to do, as explained in this other question: BUT, that questions and its answers explains how to do it in a Java app using the raw Spring Security framework. I would love for someone to lay out how to do this in a way that is compatible with the latest version (1.2.7.3 as of this writing) of the Grails Spring Security plugin. I don't want to reinvent wheels that have already been taken care of by the plugin.
In addition, this example explains how to do some of this, but it appears to be outdated because it is based on an older version of the plugin that uses Spring Security 2.x. It also only uses custom authentication for one piece of the app, while it looks like it still uses the Spring Security plugin's domain classes elsewhere.
How to do it?
Can someone lay out an approach for me?
I assume I need to create my Role domain class.
After that I assume it will involve custom Authentication objects and the like. But how do I hook them into use the plugin's existing code?
You could go with a custom authentication provider and I have an updated version that I did as part of a recent talk. See this blog post which has a sample app and link to a video of the talk: http://burtbeckwith.com/blog/?p=1090
It would be simple to use a custom UserDetailsService - this is the most common customization done for the plugin and it so has its own chapter in the docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Basically you need to create a Spring Security User instance and Spring Security (and the plugin) doesn't care how you get the data. So your custom UserDetailsService just needs to be a bridge between your current auth scheme and Spring Security.
I ended up creating my own access control/authorization mechanism rather than using the Spring Security plugin. I never could figure out how to separate the plugin's authentication mechanism from the authorization mechanism. Doing the work myself was very easy.
I did the following:
Created a new Role domain class.
Added a Set property and hasMany relationship to my User domain class.
Created a new AuthorizationFilters filter. This is where I put in my authorization rules. In this filter I can check to see if a user has the role necessary to access the given URL and redirect to a login page, redirect to a "not authorized page" or allow them to pass.
This doesn't have the nice syntactic sugar of the plugin and isn't quite as concise either, but it was very easy to implement and understand.

Spring 3 - Custom Security

I am in the process of converting a legacy application from proprietary technology to a Spring based web app, leaving the backend system as is. The login service is provided by the backend system through a function call that takes in some parameter (username, password plus some others) and provides an output that includes the authroizations for the user and other properties like firstname, lastname etc.
What do I need to do to weave this into Spring 3.0 security module. Looks like I need to provide a custom AuthenticationProvider implementation (is this where I call the backend function?). Do I also need a custom UserDetails and UserDetailsService implementation which needs loadUserByName(String userName)?
Any pointers on good documentation for this? The reference that came with the download is okay, but doesn't help too much in terms of implementing custom security.
You only need to implement a UserDetailService, only when you like to make available some User details that's don't fit in the standard Spring User details class: org.springframework.security.core.userdetails.User you need to implement one for you're selves.
A good example you find here (just replace the hibernate stuff, with what ever you use for communicating with the backend).

Resources