I am learning Grails and the Spring Security plugin.
I don't know how to design a sample web application with two layers: a customer can view products and categories and order a product (if he/she is registered and logged in), and an admin can log in to an admin panel where he/she can manage categories and products (CRUD). My question is: should all users (admin and customer) be in one User class? I suppose that the whole application (catalog and admin panel) should be secured by the Spring Security plugin.
If you're using the Spring Security plugin then the default behavior assumes all users are instances of the same class. You can distinguish between an administrator and a customer by checking what's returned by the roles property of the user class.
The plugin provides a service and various Grails tags that you can use to figure out whether a user is an administrator, a customer, is authenticated, etc.
Yes, all users should be one class, and then you assign roles to each user. For example, a user can have ROLE_USER, and another user can have ROLE_USER and ROLE_ADMIN.
Related
I have an internal web app for employees, which uses the OAuth 2.0 flow for authentication. That allows me to check the email address of the user authenticating, and check that they are in fact an employee.
I would like to be able to assign custom roles to users, for example "Support", and then be able to check during authentication what roles the user has, so my application can perform authorization accordingly. I'd like the roles to be manageable through the G Suite admin dashboard as much as possible.
Can someone point me in the right direction on how to implement this?
I am designing a login page (Thymeleaf and Spring Security) and want to give the user the option to choose his role during login. A user can have the admin and/or user role. I am using Spring Security for authentication purposes. I am stuck at this and could not find a way out.
What you can do is:
1.) Choose/save a number or some identifying word to distinguish your User and Admin.
For example: 1 is for Admin and 2 is for User.
2.) Put your admin/user role in the session so that you can identify the user's role throughout your web application.
PS: I know it's an old-school method, but still very effective.
I am working on an ASP.NET MVC 5 app which depends on multi-tenant authentication using Azure Active Directory. I have authorization set up globally by adding an AuthorizeAttribute filter. Now I want the app to be accessible only by users who belong to particular Directory Roles (Global Administrators and User Administrators, to be specific). What is the best way to enforce this?
Roles in the principal only contain app-specific roles. I was hoping that one of the identity claims would certify standard directory roles. But the only claim that is relevant is the "groups" claim, which tells me what Directory Roles AND Application Groups the user belongs to. I then need to query each group object ID to see if one of them is a Directory Role I want to allow.
Also, is there a way to do this globally by adding it as a filter?
Varun, in the coming weeks we are planning to add a new claim in the token that contains the well-known identifiers of the directory roles that the user belongs to. Stay tuned for that.
Until then the best option is to query the Graph API at login, determine the directory roles the user belongs to, and inject claims of type role in the claims principal. This will enable an authorize attribute filter.
Hope that helps.
I have a list of all users in my Grails app and I want to see users roles on this list. How can I get this? My app uses Spring Security plugin.
Thanks in advance
If you're using the default domains User and Role, you should be able to see who's who by doing, for example, UserRole.list().
But the name of the domain class may differ if your domain for users isn't called User, and the same goes for your roles.
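The single-User-class-plus-roles design from the first question and the UserRole.list() lookup from this answer, shown together as an added example that is not code from any of the posts above. User, Role and UserRole are the names the plugin's s2-quickstart script generates; Product, Order and the import path are assumptions.

```groovy
// Added example, not from the original posts; Product, Order and import
// paths are assumptions, User/Role/UserRole are the plugin's s2-quickstart names.
import grails.plugin.springsecurity.annotation.Secured

// grails-app/domain: one class for every account, admin or customer alike
class User {
    String username
    String password
    boolean enabled = true
    boolean accountExpired, accountLocked, passwordExpired

    // Roles live in the join table, not on User; the plugin calls this
    // when it builds the authenticated principal's authorities.
    Set<Role> getAuthorities() {
        UserRole.findAllByUser(this)*.role as Set
    }
}

class Role {
    String authority                            // 'ROLE_USER', 'ROLE_ADMIN'
    static constraints = { authority blank: false, unique: true }
}

class UserRole implements Serializable {       // many-to-many join table
    User user
    Role role
    static mapping = { id composite: ['user', 'role']; version false }
}

// grails-app/controllers: same catalogue, a different rule per action
class ProductController {
    def springSecurityService
    @Secured('permitAll')                       // anyone may browse
    def list() { [products: Product.list()] }

    @Secured('ROLE_USER')                       // ordering needs a login
    def order(Long id) {
        Product product = Product.get(id)
        if (!product) { render status: 404; return }
        new Order(product: product, customer: springSecurityService.currentUser).save()
        redirect action: 'list'
    }

    @Secured('ROLE_ADMIN')                      // CRUD is admin-only
    def create() { [product: new Product(params)] }
}

// Every user with their roles, via the join table UserRole.list() reads:
// UserRole.list().groupBy { it.user.username }
//         .collectEntries { name, rows -> [(name): rows*.role*.authority] }
```

Because authorization is decided per action by the @Secured annotations, the catalogue and the admin panel can share one controller and one User class without any code path having to inspect the user type itself.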
We have a website with 2 user groups: the admin group and the customer group. The groups have different restrictions set up hence the admin group sees one set of products and the customer groups sees another. We're using a custom server based on Tomcat 6.0.29. We're also using Spring Security.
Is it possible with Spring to allow the admin to see a page from the customer group's perspective without forcing a log out of the admin user? If so, is there a link available showing the spring code?
Thanks! :)
Krt_Malta
I found my answer over here:
Different user restrictions in same session
The SwitchUserFilter in Spring Security allows switching of users without a logout :)