Grails Spring Security Plugin - Username escaping problem - grails

I'm currently working with Grails and the Spring Security plugin and trying to implement a password expiration workflow. I've configured the plugin as expected:
grails.plugins.springsecurity.failureHandler.exceptionMappings = [
'org.springframework.security.authentication.CredentialsExpiredException': '/login/passwordExpired'
]
and in my passwordExpired action if I call:
def username = session['SPRING_SECURITY_LAST_USERNAME']
then in the username the HTML special characters are going to be escaped like
my_user => my_user
my-user => my-user
Is it possible to turn this escaping off?
Ritesh mentioned here spring_security_last_username that the SPRING_SECURITY_LAST_USERNAME is deprecated, so what else can I use?
For any help, thanks in advance!

The String 'SPRING_SECURITY_LAST_USERNAME' isn't deprecated - the old constant with that value is and has been moved with a new name but the same value. So your code will continue to be valid.
Rather than changing things to not escape, you can un-escape easily:
import org.apache.commons.lang.StringEscapeUtils
...
String username = StringEscapeUtils.unescapeHtml(session['SPRING_SECURITY_LAST_USERNAME'])

You don't need to use a tool. Use Grails HTML codec:
username = session['SPRING_SECURITY_LAST_USERNAME']?.decodeHTML()

Related

AWS CDK DocDB::DBCluster fails with 'not a valid password'

I am trying to use AWS CKD (JAVA) to create a DocumentDB instance.
This works with a "simple" plaintext password, but fails when I try to use a DatabaseSecret and a password stored in Secrets Manager.
The error I get is this:
1:44:42 PM | CREATE_FAILED | AWS::DocDB::DBCluster | ApiDocDb15EB2C21
The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '#', '"', ' ' may
be used. (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: c786d247-8ff2-4f30-9a8a-5
065fc89d3d1; Proxy: null)
which is clear enough, but it continues to happen, even if I set the password to something such as simplepassword - so I am now somewhat confused as to what am I supposed to fix now.
Here is the code, mostly adapted from the DocDB documentation:
String id = String.format(DOCDB_PASSWORD_ID);
return DatabaseSecret.Builder.create(scope, id)
.secretName(store.getSsmSecretName())
.encryptionKey(passwordKey)
.username(store.getAdminUser())
.build();
where the ssmSecretName is the name of the secret in SecretManager:
└─( aws secretsmanager get-secret-value --secret-id api-db-admin-pwd
ARN: arn:aws:secretsmanager:us-west-2:<ACCT>:secret:api-db-admin-pwd-HHxpFf
Name: api-db-admin-pwd
SecretString: '{"api-db-admin-pwd":"simplepassword"}'
This is the code used to build the DbCluster:
DatabaseCluster dbCluster = DatabaseCluster.Builder.create(scope, id)
.dbClusterName(properties.getDbName())
.masterUser(Login.builder()
.username(properties.getAdminUser())
.kmsKey(passwordKey)
.password(masterPassword.getSecretValue())
.build())
.vpc(vpc)
.vpcSubnets(ISOLATED_SUBNETS)
.securityGroup(dbSecurityGroup)
.instanceType(InstanceType.of(InstanceClass.MEMORY5, InstanceSize.LARGE))
.instances(properties.getReplicas())
.storageEncrypted(true)
.build();
The question I have is: should I use a DatabaseSecret? or just retrieve the password from SM and be done with it?
A sub-question then: what is one supposed to use the DatabaseSecret for then?
(NOTE -- this is the same class, almost, as in the rds package; but here I am using the docdb package)
Thanks for any suggestion!
Turns out that the DatabaseSecret creates a key/value pair as the secret:
{
"username": <value of username()>,
"password": <generated>
}
However, the call to Login.password() completely ingnores this, and treats the whole JSON body as the password (so the " double quotes trip it).
The trick is to use DatabaseSecret.secretValueFromJson("password") in the call to Login.password() and it works just fine.
This is (incidentally) inconsistent with the behavior of rds.DatabaseCluster and the rds.Credentials class behavior (who take a JSON SecretValue and parse it correctly for the "password" field).
Leaving it here in case others stumble on this, as there really is NO information out there.

Check Login data in Code

I'm writing an API for my Website. For Auth. i use ZfcUser. Is it possible to check the Login Data?. Like my API get per Post username/email and the password. Now i want to check if the username/email and password are correct. Also i want create a User in Code. But my problem is that the same password in ZfcUser has different hashs. I know that ZfcUser use Bycrypt but i don't know how the Cost is. In ZfcUser i found this Line:
$bcrypt->setCost($this->getOptions()->getPasswordCost());
ZfcUser: https://github.com/ZF-Commons/ZfcUser
mfg ternes3
I have found the solution by my self :D. The default Cost is 10. And it's possible to verify the Password with Bcrypt.
$bycrypt->verify($pass, $passhash);
You get a boolean with this method ;D
The second solution is:
$newUser = new User();
$newUser->user_id = '';
$newUser->email = '';
$password = ''
$bcrypt = new Bcrypt();
$bcrypt->setCost(10);
$newUser->password = $bcrypt->create($password);
$userT->saveUser($newUser);
mfg ternes3

Need an example of groovy-wslite POST with multiple parameters

I need to make a secure POST to https://example.com/api/login with parameters Username and Password. I'm trying to use the wslite plugin with Grails, but I can't figure out the syntax. I've checked the unit tests at github, but none of them have given me what I need. Maybe I'm just failing to connect the dots.
Anyway, does anyone have an example of multiple parameters to a POST? Thanks!
Try following example to post your request.
def client = new RESTClient("https://example.com/api/login")
// for testing only!
client.httpClient.sslTrustAllCerts = true
def response = client.post() {
charset "UTF-8"
urlenc username: "test", password: "test" // here you can provide your params as a map
}

Spring security , password with non-English characters like "š, č, ć, ž, đ" login failed

I have Grails app with spring-security-core plugin. In my conf/spring/resources.groovy file I defined
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder
beans = {
passwordEncoder(PlaintextPasswordEncoder)
}
so I can save plain text passwords in MySql DB like it was explained here Spring security no password encoding
in views/login/auth.gsp I also added in <head> block
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
and in Datasource.groovy
url = "jdbc:mysql://localhost:3306/blabla?useUnicode=true&characterEncoding=utf8"
I created User with username = ččč and password = ččč succesfully , but when I try to login with this user I get login error "Sorry, we were not able to find a user with that username and password." I checked database and user exists with those field values.
I tried to login with some other user that has username = admin , password = admin , and it works fine.
So I guess that it has something to do with j_username and j_password not accepting non-English characters ... How to enable login form fields to accept utf-8 character set?
I have:
Grails 1.3.7
Spring-Security-Core 1.2.6
STS 2.8.1
mysql-connector-java-5.1.18
Windows 7
First advice: don't use plaintext passwords. Second advice: check what SQL queries are sent to database. You need this in your Config.groovy to see Hibernate statements and its parameter values:
log4j = {
debug 'org.hibernate.SQL'
trace 'org.hibernate.type'
}

trouble viewing h2 db used in grails project

I'm trying to have a look at the tables generated in h2 db used in Grails project, but something's amiss.
I connect to the browser console at http://127.0.1.1:8082/ but all that's there to browse is INFORMATION_SCHEMA and Users. How do I get tho the tables used/generated by the app?
Just started building out the app and only few domain classes are in place and I'm trying to get a feel for working h2. Prior to that I've been using PostgreSql in all projects so this is very unnerving for the moment.
Thanks in advance
Are you using the right JDBC URL when logging in?
The default in grails is jdbc:h2:mem:devDB.
When an non-existing URL is given, like jdbc:h2:blabla, an empty database is created, with the default INFORMATION_SCHEMA and Users as you described.
Make sure you connect to the URL where your grails application stores its tables. You can find the URL in $GRAILS_PROJECT/config/DataSource.groovy, after the url definition.
environments {
development {
dataSource {
pooled = false
logSql = false
username = "sa"
password = ""
dialect = "com.hp.opr.hibernate.dialect.H2Dialect"
driverClassName = "org.h2.Driver"
dbCreate = "create-drop"
url = "jdbc:h2:mem:devDB;DB_CLOSE_DELAY=-1;MVCC=TRUE"
}
}
}
If you're using 2.0 the web console is enabled by default in dev mode and can be enabled in other environments: http://grails.org/doc/2.0.0.M2/guide/conf.html#databaseConsole
If you're not using 2.0 yet you can install the http://grails.org/plugin/dbconsole plugin or follow the link to my blog post and set it up yourself if you want to customize the url (or if you're using Grails pre-1.3.6 since the plugin has an artificial version restriction to 1.3.6+)
... so in datasource I changed the url to: url = "jdbc:h2:rswDb" (removing the 'mem' part and changing the name of the db). Then 3 db files showed up in the root dir of the project.
Next, in db console set the jdbc url to: jdbc url: jdbc:h2:~/work/web/rsw/rswDb
... and when I hit 'connect' all the tables were there!
Thanks again!

Resources