Grails Spring Security plugin: logout not working - grails

I just added the spring-security plugin to my grails project. Everything looks to be working fine, but when I try to log out the app shows me the logout message; however, the application is still logged in!
My Config file is the following:
// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.useBasicAuth = true
grails.plugins.springsecurity.userLookup.userDomainClassName = 'malibu.server.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'malibu.server.UserRole'
grails.plugins.springsecurity.authority.className = 'malibu.server.Role'
cheers

Since you're using Basic auth, your browser must be caching your credentials and logging you back in.

Just session.invalidate() before redirect.
class LogoutController {
    /**
     * Index action. Redirects to the Spring security logout uri.
     */
    def index = {
        session.invalidate()
        redirect [whatever]
    }
}

Related

How do you implement BasicHttpAuthentication in grails 2.0 using shiro? Any shining example?

My current project setup already has shiro 1.1.4 and it uses login and logout. For instance, the project was already set up with grails shiro start. The project utilizes securityFilter.groovy, AuthController.groovy, and BootStrap.groovy. The plugin is configured through BuildConfig.groovy.
Do I need a shiro.ini file?
How do I set up a non-interactive login with basic HTTP authentication?
In an old grails 2.4.2 project I also use the ability to connect to a few controllers via HttpBasicAuth.
In general the application is secured through Apache Shiro, but I have 2 packages/controllers in the application which need BasicAuth.
Therefore I extended the UrlMappings.groovy file:
class UrlMappings {
    static mappings = {
        group("/api") {
            "/api/$action?/$id?(.${format})?"(controller: 'api')
        }
        group("/dw") {
            "/dw/$action?/$id?(.${format})?"(controller: 'dw')
        }
        ...
    }
}
and the Config.groovy with:
security {
    shiro {
        authc.required = false
        filter.config = """\
[filters]
# HTTP Basic authentication
authcBasic = org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
authcBasic.applicationName = MyGrailsApp API
[urls]
/api/** = authcBasic
/dw/** = authcBasic
"""
    }
}

Spring SAML redirect URL after login which contains # character

I am using Spring SAML for my application and I faced a problem with the redirect URL after logging in successfully.
I am trying to save the URL before login to the app.
For example, when I access the link http://localhost:8080/myapp/#request/123/details, spring-security redirects to the login page.
I expected that after logging in successfully, the app would automatically redirect to the above URL. I have configured successRedirectHandler using SavedRequestAwareAuthenticationSuccessHandler.
But, after logging in, the application redirects to https://localhost:8080/myapp/.
I also debugged and saw that the request URL does not contain the "#request/123/details" part.
Do you have any ideas for this case?
Thank you.
Have you tried setting the SAMLEntryPoint options, which preserve the requested URL as relay state? Check the code below:
import org.springframework.context.annotation.Bean;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

@Bean
public SAMLEntryPoint samlEntryPoint() {
    SAMLEntryPoint entryPoint = new SAMLEntryPoint();
    entryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
    return entryPoint;
}

@Bean
public WebSSOProfileOptions defaultWebSSOProfileOptions() {
    WebSSOProfileOptions options = new WebSSOProfileOptions();
    options.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
    // currentSpUrl is a placeholder: the SP-side URL the IdP should send back as RelayState
    options.setRelayState(currentSpUrl);
    return options;
}
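The part of a URL after "#" is kept by the browser and is never sent in the HTTP request, so neither the saved request nor RelayState can recover it on the server side; the following Groovy code is an added example, not part of the answer above, that makes this visible and also shows the check a practitioner would want before redirecting to a RelayState value that comes back from the IdP. The class and method names (ReturnTargetValidator, fragmentOf, safeReturnTarget) are assumptions, and the sample URLs at the bottom are constructed.

```groovy
// Added example: what the server can and cannot learn about the URL the user
// was on, and how to accept a post-login return target safely.
// Helper names are hypothetical; java.net.URI is a standard JDK class.

class ReturnTargetValidator {

    /** Landing page used whenever the requested target is rejected. */
    static final String HOME = '/'

    /**
     * Returns the fragment the browser keeps locally for a full URL, or null
     * if there is none. This part never appears in the request the server sees,
     * which is why "#request/123/details" is missing from the saved request.
     */
    static String fragmentOf(String url) {
        try {
            return new URI(url).rawFragment
        } catch (URISyntaxException ignored) {
            return null
        }
    }

    /**
     * Accepts a RelayState only when it is a relative path inside this
     * application: it must start with exactly one '/', carry no scheme or
     * authority, and contain no backslash. Anything else falls back to HOME,
     * so a value that was altered on its way through the IdP cannot send the
     * user to another site.
     */
    static String safeReturnTarget(String relayState) {
        if (!relayState) {
            return HOME
        }
        URI uri
        try {
            uri = new URI(relayState)
        } catch (URISyntaxException ignored) {
            return HOME
        }
        // absolute URLs and protocol-relative ("//host/...") values are rejected
        if (uri.scheme || uri.rawAuthority) {
            return HOME
        }
        if (!relayState.startsWith('/') || relayState.startsWith('//') || relayState.contains('\\')) {
            return HOME
        }
        return relayState
    }
}

// constructed inputs for a quick self-check when the script is run directly
assert ReturnTargetValidator.fragmentOf('http://localhost:8080/myapp/#request/123/details') == 'request/123/details'
assert ReturnTargetValidator.fragmentOf('http://localhost:8080/myapp/') == null
assert ReturnTargetValidator.safeReturnTarget('/myapp/request/123/details') == '/myapp/request/123/details'
assert ReturnTargetValidator.safeReturnTarget('https://other.example/page') == '/'
assert ReturnTargetValidator.safeReturnTarget('//other.example/page') == '/'
assert ReturnTargetValidator.safeReturnTarget(null) == '/'
```

Because the fragment is only ever known to the browser, the usual fix is for the client-side code to put the view it wants to return to into the path or query string (which the server does see) before the login redirect, and for the server to run the returned value through a check like safeReturnTarget before issuing the redirect.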

Redirect to login page after session timeout grails

I am using grails 2.3.4 and spring security core 2.0 RC2 and spring security ui 1.0 RC1. Everything is working fine, but whenever there is a session timeout I get the following error, "Error in grail layout main", because I have called a session variable in my layout's main.gsp file. Now I want to redirect to the login page after every session timeout and not show the error page. To redirect after session timeout I have done it in bootstrap.groovy as
def structureMap1 = Requestmap.findByUrl("/institution/index") ?: new Requestmap(url: "/institution/index",configAttribute: "ROLE_INSTITUTION").save(failOnError:true)
but there are so many pages that it is difficult to write this for every page. Is there any other method to do it? Please help.
How about using SecurityFilters? You can place it in your conf folder:
class SecurityFilters {
    def filters = {
        catchRememberMeCookie(url: "/**") {
            before = {
                if (!session.user) {
                    // remember where the user was going so the page can be revisited after login
                    def g = new org.codehaus.groovy.grails.plugins.web.taglib.ApplicationTagLib()
                    def confirmurl = g.createLink(controller: controllerName, action: actionName, params: params, absolute: true)
                    session.lastURL = request.getHeader('referer') ?: confirmurl
                    redirect(controller: 'auth', action: 'denied')
                    // stop the filter chain; the action must not run for an unauthenticated user
                    return false
                }
            }
        }
    }
}
This segment is an example and will not answer your question at hand, since there is insufficient information to give a detailed answer. But with a security filter, which sits above all your requests, if you need it to redirect to another location based on a specific value etc. then you can; so if there is no session.user, do something else, which will then kick in for all your actions.

How to clear apache shiro session?

I used the apache shiro session for authentication and authorization.
I am able to log in with different users and permissions and roles, but the actual problem is that whenever I call a signOut function it looks like the shiro session is not getting wiped.
The evidence for this is that whenever I click logout it comes to the main screen, and if I use the browser back button I can go back to the last screen.
My signOut function looks like this:
// Log the user out of the application.
SecurityUtils.subject?.logout()
webRequest.getCurrentRequest().session = null
session.invalidate()
// For now, redirect back to the home page.
redirect(uri: "/")
Any help on this is really appreciated; I have been struggling with this for the past 2 days.
This works for me with version 1.1.4 of the shiro plugin.
def logOut() {
    SecurityUtils.subject?.logout()
    redirect(uri: "/")
}
This is due to the browser cache. You can configure it to reset your browser cache in the ShiroSecurityFilters file.
class ShiroSecurityFilters {
    def filters = {
        requestHeadersFilter(controller: '*', action: '*') {
            after = {
                // tell the browser (and any proxy) not to keep a copy of the page,
                // so the back button cannot show a page rendered while logged in
                response.setHeader("Pragma", "no-cache")
                response.setDateHeader("Expires", 0)
                response.setHeader("Cache-Control", "no-cache")
                response.addHeader("Cache-Control", "no-store")
            }
        }
    }
}

How to force a programmatic logout using Grails / Spring Security Core?

How can I force a programmatic logout for a logged-in user using Spring Security Core? I do not want to redirect to the logout page etc., but need to do it in a service.
This is another approach. I get the logout handlers from the bean "logoutHandlers" and do logout in each one of them:
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder

// injected by Spring: the list of LogoutHandler beans the plugin configured
def logoutHandlers

def logout(request, response) {
    Authentication auth = SecurityContextHolder.context.authentication
    if (auth) {
        logoutHandlers.each { handler ->
            handler.logout(request, response, auth)
        }
    }
}
I used the following code to achieve my goal:
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices

Authentication auth = SecurityContextHolder.context.authentication
// clears the SecurityContext and invalidates the HTTP session
new SecurityContextLogoutHandler().logout(request, response, auth);
// cancels the remember-me cookie; the plugin also registers a configured
// rememberMeServices bean that can be injected instead of creating a new instance
new PersistentTokenBasedRememberMeServices().logout(request, response, auth);
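The session.invalidate() controller near the top of the page and the logoutHandlers service in this thread can be combined into one service that performs a complete programmatic logout and a controller that calls it. The Groovy code below is an added example; it is not the plugin's own code or code from any answer. It assumes the spring-security-core plugin is installed (it provides the logoutHandlers bean), reuses the package name malibu.server from the question's config, and the names LogoutService and logoutCurrentRequest are hypothetical.

```groovy
// Added example: complete programmatic logout for Grails + Spring Security Core.
// Steps: run every LogoutHandler the plugin registered (remember-me cookie removal,
// context clearing), then invalidate the session and clear the SecurityContext
// explicitly so nothing on the current thread still refers to the old principal.
// In a real project each class lives in its own file under grails-app/.
package malibu.server   // taken from the question's config; adjust to your package

import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.authentication.logout.LogoutHandler
import org.springframework.web.context.request.RequestContextHolder

class LogoutService {

    static transactional = false

    /** Injected by Spring: the LogoutHandler beans the plugin configured. */
    List<LogoutHandler> logoutHandlers

    /**
     * Ends the current login. Returns true when an authenticated user was
     * logged out, false when nobody was logged in.
     */
    boolean logout(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.context.authentication
        if (!auth) {
            return false
        }
        // 1. the plugin's handlers (remember-me cookie, security context, ...)
        logoutHandlers?.each { LogoutHandler handler ->
            handler.logout(request, response, auth)
        }
        // 2. belt and braces: drop the session and the thread-local context
        //    even if the handler list did not include SecurityContextLogoutHandler
        request.getSession(false)?.invalidate()
        SecurityContextHolder.clearContext()
        return true
    }

    /** Convenience entry point for callers that have no request/response in hand. */
    boolean logoutCurrentRequest() {
        // In Grails the current RequestAttributes is a GrailsWebRequest, which
        // exposes the servlet request and response of the running request.
        def webRequest = RequestContextHolder.currentRequestAttributes()
        return logout(webRequest.currentRequest, webRequest.currentResponse)
    }
}

class LogoutController {

    LogoutService logoutService

    def index() {
        logoutService.logout(request, response)
        // With useBasicAuth = true the browser re-sends its cached Authorization
        // header on the next request, so the user is authenticated again right
        // away; only the browser dropping the credentials (for example when it is
        // closed) ends a Basic-auth login. With form login the redirect below
        // lands on an anonymous page as expected.
        redirect uri: '/'
    }
}
```

The return value of logout() lets callers (a scheduled job, an admin action that revokes a user) tell the difference between "logged out" and "nobody was logged in", which is useful when the call is made outside a normal request cycle.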
