We have a website with 2 user groups: the admin group and the customer group. The groups have different restrictions set up hence the admin group sees one set of products and the customer groups sees another. We're using a custom server based on Tomcat 6.0.29. We're also using Spring Security.
Is it possible with Spring to allow the admin to see a page from the customer group's perspective without forcing a log out of the admin user? If so, is there a link available showing the spring code?
Thanks! :)
Krt_Malta
I found my answer over here:
Different user restrictions in same session
The SwitchUserFilter in Spring Security allows switching of users without a logout :)
I am designing a login page (Thymeleaf and Spring Security) and want to provide the user an option to choose his role during login. A user can have admin and/or user role. I am using Spring Security for authentication purposes. I am stuck at this and could not find a way out.
What you can do is:
1.) Choose/save a number or some identifying word to figure out your User and Admin.
For example, 1 is for Admin and 2 is for User.
2.) Put your admin/user role in the session so that you can identify the user role throughout your web application.
PS: I know it's an old-school method, but still very effective.
I am using Spring Security Core and Spring Security UI in my project. I have a requirement in which I need to create 2 different types of users: Sellers and Buyers. When a user goes to the home page he can select what type of account he wants to create, either buyer or seller.
What I have to do is make it work with the Spring Security UI plugin. Do I have to create different registration pages for different types of users? But then how can I assign roles at the time of registration?
I checked various questions posted before posting this question and could not find the right answer. I am new to Grails and would appreciate it if Grails experts can help me with this issue.
I hope I have understood your question, I was a bit confused about mixing login with registration in your question.
Once you have created your user create UserRole based on the selected role, either ROLE_BUYER or ROLE_SELLER. This can be done in UserController create method.
As for login you don't need to have two different logins; you can always create a filter, interceptor, or any aspect-oriented technique to intercept the request and redirect the user to the proper section of your site. This way your authorization is loosely coupled. Imho, there is no need to use Spring Security UI for authorization-specific goals. Spring Security Core does a much better job w.r.t. URL mapping/annotations.
Spring security gurus,
I am new to spring security so please bear with me if my questions are not clear.
I am trying to implement role-based access control using Spring Security 3.x. Individual users are stored in Windows AD without groups, so we cannot simply map groups to authorities as some samples demonstrate.
So my plan is to use Windows AD for authentication purpose only, but the user <-> roles relationship to be maintained by Spring security itself.
However, mapping individual users to roles would be very tedious, so my question is whether it is possible to configure users <-> groups <-> roles in Spring Security while the authentication part is done by Windows AD?
As spring security is highly flexible I believe my requirements are achievable. Can someone give some pointers on where I should look at please?
The more details the better for newbies like me :=)
Thank you in advance.
Aaron Li
EDIT 1: To add onto my question in particular, can I utilize the Spring database tables authorities, groups, group_authorities, group_members to implement a simple role-based authorization logic? But I can't use the "users" table, as earlier explained: the user details will have to be stored in Windows AD, so the authentication of the users needs to be done using Windows AD.
Any advice?
Thanks
Aaron
First some clarification on the terminology: Authorities, usually consisting of roles in Spring Security, are application-wide permissions. ACLs (Access Control Lists), on the other hand, specify permissions on specific domain objects. Just so you understand the difference. AD usually contains authorities/roles, but not ACLs.
If you don't want to use the authorities from AD, you can do your own implementation of UserDetailsContextMapper and inject it into your instance of ActiveDirectoryLdapAuthenticationProvider. See the Spring Security reference documentation for how to specify a custom authentication-provider.
If you want to use the tables (authorities etc) of reference schema, you can use JdbcDaoImpl to load the user details. You then have to insert the users in the users table but not any passwords since authentication is done through AD. If you want to get rid of the users table however, you must customize the implementation.
I have a list of all users in my Grails app and I want to see users roles on this list. How can I get this? My app uses Spring Security plugin.
Thanks in advance
If you're using the default domains User and Role you should be able to see who's who by doing, for example, UserRole.list().
But the name of the domain-class may differ if your domain for users isn't called User and the same thing goes for your roles.
I am learning Grails and the Spring Security plugin.
I don't know how to design a sample web application with two layers: a customer who can view products and categories and order a product (if he/she is registered and logged in), and an admin who can log in to an admin panel where he/she can manage categories and products (CRUD). My question is: should all users (admin and customer) be in one User class? I suppose that the whole application (catalog and admin panel) should be secured by the Spring Security plugin.
If you're using the Spring Security plugin then the default behavior assumes all users are instances of the same class. You can distinguish between an administrator and a customer by checking what's returned by the roles property of the user class.
The plugin provides a service and various Grails tags that you can use to figure out whether a user is an administrator, a customer, is authenticated, etc.
Yes, all users should be one class, and then you assign roles to each user. For example, a user can have ROLE_USER, and another user can have ROLE_USER and ROLE_ADMIN.