Is it possible for two different Grails projects, also having different domains, to share a session/cookie?
Let's say I have 2 sites: www.mycompany.com and www.othercompany.com. Assume that both sites have the same domains, and the same database and records too. What I want to know is if this code:
authenticateService.userDomain()
or even the
authenticateService.isLoggedIn()
will behave and return exactly the same object/result whichever site it is called from.
Basically, what we need is a solution for sharing/identifying the logged-in user between two different sites. I need more details on how to implement this using Acegi 0.5.2 and Grails 1.2.1.
Hoping for any leads on this. Thank you.
Regarding cross-domain authentication, the only thing that comes to mind is using a single sign-on service. There are a few open-source SSO implementations available, among them:
CAS
OpenSSO
Josso
Tomcat also has a SingleSignOn valve
This list is by far not complete. Speaking of CAS, it definitely works with Grails and Acegi.
My problem:
I would love to use the Spring Security plugin's access control/authorization mechanism with my Grails application without having to use the plugin's authentication mechanism. The various Grails Spring Security plugin examples (like this one) I've found combine these two functions. Is there an easy way to just do access control?
Background:
I would like to add roles-based access control to my existing app. I would love to either just annotate my controllers or use the Config.groovy map approach for setting up the access control.
My app already has a user domain class.
The user domain class already handles encrypting passwords using BCrypt.
The app does not have a "role" domain class.
I already have controller actions, views and business logic for handling logging in and logging out. I have no interest in replacing this with the plugin's implementation.
On the right track, but not quite helpful:
I know this is possible to do, as explained in this other question. BUT, that question and its answers explain how to do it in a Java app using the raw Spring Security framework. I would love for someone to lay out how to do this in a way that is compatible with the latest version (1.2.7.3 as of this writing) of the Grails Spring Security plugin. I don't want to reinvent wheels that have already been taken care of by the plugin.
In addition, this example explains how to do some of this, but it appears to be outdated because it is based on an older version of the plugin that uses Spring Security 2.x. It also only uses custom authentication for one piece of the app, while it looks like it still uses the Spring Security plugin's domain classes elsewhere.
How to do it?
Can someone lay out an approach for me?
I assume I need to create my Role domain class.
After that I assume it will involve custom Authentication objects and the like. But how do I hook them in to use the plugin's existing code?
You could go with a custom authentication provider and I have an updated version that I did as part of a recent talk. See this blog post which has a sample app and link to a video of the talk: http://burtbeckwith.com/blog/?p=1090
It would be simple to use a custom UserDetailsService - this is the most common customization done for the plugin, and so it has its own chapter in the docs: http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Basically you need to create a Spring Security User instance and Spring Security (and the plugin) doesn't care how you get the data. So your custom UserDetailsService just needs to be a bridge between your current auth scheme and Spring Security.
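What that bridge looks like for the situation in the question (an existing User domain class with BCrypt-hashed passwords and no Role class), as an added example; this is not Burt's code and not the plugin's own. Assumed names: the User class lives in package com.example and has username, passwordHash, enabled and a comma-separated roles String; the service class, package and the /admin/** rule are mine. The plugin version targeted is 1.2.x on Spring Security 3.0.x, which is why GrantedAuthorityImpl and the two-argument UsernameNotFoundException are used.

```groovy
// src/groovy/com/example/auth/ExistingUserDetailsService.groovy  (hypothetical package and class name)
package com.example.auth

import com.example.User   // the app's existing User domain class; package assumed
import org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser
import org.codehaus.groovy.grails.plugins.springsecurity.GrailsUserDetailsService
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.GrantedAuthorityImpl
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException

class ExistingUserDetailsService implements GrailsUserDetailsService {

    // Spring Security rejects a user with an empty authority list, so use the
    // same placeholder role the plugin itself uses for users without roles
    static final List<GrantedAuthority> NO_ROLES = [new GrantedAuthorityImpl('ROLE_NO_ROLES')]

    UserDetails loadUserByUsername(String username, boolean loadRoles) {
        loadUserByUsername username
    }

    UserDetails loadUserByUsername(String username) {
        User.withTransaction { status ->
            User user = User.findByUsername(username)
            if (!user) {
                throw new UsernameNotFoundException('User not found', username)
            }

            // No Role domain class in this app: assume User.roles is a comma-separated
            // String such as "ROLE_ADMIN,ROLE_USER" (a field name I made up)
            List<GrantedAuthority> authorities
            if (user.roles) {
                authorities = user.roles.split(',').collect { new GrantedAuthorityImpl(it.trim()) }
            } else {
                authorities = NO_ROLES
            }

            // user.passwordHash holds the existing BCrypt hash; with password.algorithm = 'bcrypt'
            // (below) the plugin's passwordEncoder verifies the submitted password against it
            new GrailsUser(user.username, user.passwordHash, user.enabled,
                           true, true, true,   // accountNonExpired, credentialsNonExpired, accountNonLocked
                           authorities, user.id)
        }
    }
}

// grails-app/conf/spring/resources.groovy -- replaces the plugin's GORM-backed bean
beans = {
    userDetailsService(com.example.auth.ExistingUserDetailsService)
}

// grails-app/conf/Config.groovy
grails.plugins.springsecurity.password.algorithm = 'bcrypt'   // must match the hashes already stored
grails.plugins.springsecurity.controllerAnnotations.staticRules = [
    '/admin/**': ['ROLE_ADMIN']
]
```

Two things to check before relying on this: the stored hashes must be in the jBCrypt `$2a$` format the plugin's BCryptPasswordEncoder understands, and the plugin still performs the password check itself, so the app's existing login form has to post j_username / j_password to the plugin's /j_spring_security_check rather than to the existing login action. If the existing login flow must stay as it is, the authorization filter the asker ended up writing is the better fit.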
I ended up creating my own access control/authorization mechanism rather than using the Spring Security plugin. I never could figure out how to separate the plugin's authentication mechanism from the authorization mechanism. Doing the work myself was very easy.
I did the following:
Created a new Role domain class.
Added a Set property and hasMany relationship to my User domain class.
Created a new AuthorizationFilters filter. This is where I put in my authorization rules. In this filter I can check to see if a user has the role necessary to access the given URL and redirect to a login page, redirect to a "not authorized page" or allow them to pass.
This doesn't have the nice syntactic sugar of the plugin and isn't quite as concise either, but it was very easy to implement and understand.
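The filter described in the three steps above, written out as an added example (my code, not the asker's). Assumptions: the login action stores the user's id in the session as userId (rather than the User instance itself, so the roles association can be loaded inside the filter without a detached-object error), User hasMany roles of a Role class with an authority String, and the login controller has index and denied actions; the rule table and controller names are mine.

```groovy
// grails-app/conf/AuthorizationFilters.groovy  (the filter name used in the answer; the rules are mine)
import com.example.User   // existing User domain class; package assumed

class AuthorizationFilters {

    // controllerName -> roles allowed to use it. [] means public, null means any logged-in user.
    // Keying on the controller rather than the URL means an alternative URL mapping to the same
    // controller cannot bypass the rule.
    static final Map<String, List<String>> RULES = [
        login:  [],
        logout: [],
        admin:  ['ROLE_ADMIN'],
        report: ['ROLE_ADMIN', 'ROLE_AUDITOR'],
        home:   null,
    ]

    def filters = {
        authorize(controller: '*', action: '*') {
            before = {
                // Controllers without an explicit entry fall back to "logged-in user" (fail closed)
                List<String> required = RULES.containsKey(controllerName) ? RULES[controllerName] : null
                if (required == []) {
                    return true                              // public controller
                }

                // Reload the user each request so roles reflect the database, not a stale copy
                def user = session.userId ? User.get(session.userId) : null
                if (!user) {
                    session.targetUri = request.forwardURI   // so login can send the user back here
                    redirect(controller: 'login', action: 'index')
                    return false
                }

                if (required) {
                    Set<String> held = user.roles*.authority as Set
                    if (!required.any { it in held }) {
                        redirect(controller: 'login', action: 'denied')
                        return false
                    }
                }
                return true
            }
        }
    }
}
```

The default for an unlisted controller is "must be logged in", so a newly added controller is protected until someone explicitly opens it; public controllers are the exception, listed with an empty role list. Revoking a role takes effect on the user's next request because the roles are re-read from the database rather than cached in the session.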
I have an old Grails application (e.g. one-app) that has springSecurity for logins. I created a new Grails app (two-app) that uses multiple databases (the DB from one-app and a new one). I am deploying both using Tomcat:
ip.addr.10.10/one-app
ip.addr.10.10/two-app
My question is: I want to have access to both applications by logging in only once. Basically if the user logs in on either application, he would also have access to the other application without logging in again.
Is this possible? Thanks.
Yes, it is possible. You need to use SSO. Currently I use JOSSO for my grails applications (http://www.josso.org) combined with Spring Security.
You can configure RememberMe with exactly the same configuration for both apps. After a user logs into either application, Spring Security will set up a special cookie that can be reused by the other app (meaning the user is authorized in the other app as well).
See docs for Remember Me - http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/9%20Authentication.html#9.3%20Remember-Me%20Cookie
A 3rd option would be to use the same OpenID provider for both applications.
One other approach would be to drop cookies which can be read by both applications.
Is there an easy way to share session between different war modules in jboss?
I have a Grails app running in jboss, but want to create a new Grails war module which looks & feels the same as the existing one (but, don't want user to login again). The domain will be same, for example, if I have war1 and war2, the domain should be
http://domain.com/war1 <-- login should be done here..
http://domain.com/war2
I searched through the web, but couldn't find an easy/or difficult way to do this.
Please help.
No, HTTP sessions are not shareable between servlets from different apps. What you really need is a Single Sign On solution. A poor man's SSO can be built with cookies, but I wouldn't call it a very secure way. The first session can set a cookie and the second session can read the same cookie; this will work as long as the domains are the same for both apps.
Good luck!
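An added example of the remember-me route suggested for the one-app / two-app question earlier on this page, which is also the concrete form of the "cookie readable by both apps on the same domain" idea in the answer just above; this is my code, not the answerers' or the plugin's. Both apps need the same rememberMe key, the same cookie name and the same user table (the token is a hash over username, expiry, the stored password hash and the key, so it only validates where all four agree). One caveat a practitioner needs to know: in Spring Security 3.0.x, AbstractRememberMeServices scopes the cookie path to the request's context path, so a cookie set by /one-app is never sent to /two-app unless that path is widened, which the subclass below does. Class, bean and cookie names and the REMEMBER_ME_KEY environment variable are assumptions.

```groovy
// grails-app/conf/Config.groovy -- identical in one-app and two-app
grails.plugins.springsecurity.rememberMe.cookieName = 'shared_remember_me'   // hypothetical name
// Never ship the plugin default key ('grailsRocks'): anyone who knows the key and a stored
// password hash can forge tokens. Generate one with e.g. `openssl rand -hex 32` and inject it
// from the environment so it stays out of version control.
grails.plugins.springsecurity.rememberMe.key = System.getenv('REMEMBER_ME_KEY')
grails.plugins.springsecurity.rememberMe.tokenValiditySeconds = 8 * 3600

// src/groovy/com/example/auth/SharedPathRememberMeServices.groovy  (hypothetical)
package com.example.auth

import javax.servlet.http.Cookie
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices

class SharedPathRememberMeServices extends TokenBasedRememberMeServices {

    static final String SHARED_PATH = '/'   // instead of request.contextPath

    @Override
    protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie(cookieName, encodeCookie(tokens))
        cookie.maxAge = maxAge
        cookie.path = SHARED_PATH
        cookie.secure = request.secure     // keep the token off plain HTTP when login used TLS
        response.addCookie(cookie)
    }

    @Override
    protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie(cookieName, null)
        cookie.maxAge = 0
        cookie.path = SHARED_PATH          // must match setCookie, or logout leaves the token alive
        response.addCookie(cookie)
    }
}

// grails-app/conf/spring/resources.groovy -- in both apps, overriding the plugin's bean
import com.example.auth.SharedPathRememberMeServices
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    rememberMeServices(SharedPathRememberMeServices) {
        userDetailsService = ref('userDetailsService')
        key = conf.rememberMe.key
        cookieName = conf.rememberMe.cookieName
        alwaysRemember = conf.rememberMe.alwaysRemember
        tokenValiditySeconds = conf.rememberMe.tokenValiditySeconds
        parameter = conf.rememberMe.parameter
    }
}
```

Widening the path to / means every web application on that host receives the token, including ones you do not control, which is the weakness the "poor man's SSO" answer alludes to; only do this on a host that runs nothing but these two apps. Logging out of one app only clears the cookie; the other app's HTTP session, if one was already established, survives until it times out, which is the kind of gap a real SSO product's single sign-off is for.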
I mean I need a different:
Login URL
Logout URL
Session timeout URL
authentication provider
error page
CSS
for each different entry point.
Is this possible?
From 3.1.0 (which is currently in beta) it will support multiple <http> elements in the namespace.
So short answer:
In 3.1.x yes.
In 3.0.5.RELEASE no.
Longer answer:
Here is additional info, check the links in the comments also.
I had a similar problem once, since I had multiple entry points.
A good way IMO would be to make a new login page which decides which login page to redirect to or even calls the logic of the other entry points. Then you can point spring to the new page.
I'm pretty sure this can be done inside the filter chain, but I wouldn't recommend it since you will need a lot of manual coding and bean definitions. Generally I don't think 3.0.5 was designed for multiple entry points.
With multiple <http../> elements, you can achieve most of what you want but the authentication manager is going to be common and that means authentication providers are going to be common. See the issue faced by #David Parks in the post Spring Security 3.1.0.RC1: With multiple elements why can I only register one authentication manager?.
You can see my answers to similar questions such as Configuring Spring Security 3.x to have multiple entry points and Authenticate user using external webservice in grails to develop custom code to execute entry point specific authentication providers. This can be implemented in 3.0.5 as well.
You can implement a solution in 3.0.5 without multiple <http../> elements, but you will need to develop custom code to handle logout and error pages.
There is org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint since 3.0.2.
It might help.
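The login-URL item of that list is the one DelegatingAuthenticationEntryPoint solves, so here is an added example of wiring it up; it is my code, not the answerers', shown in a Grails resources.groovy because that is the setup the rest of this page uses (the same beans can be declared in XML). It sends unauthenticated requests under /admin to one login form and everything else to another. The PathPrefixRequestMatcher class, bean names and URLs are assumptions; the RequestMatcher interface is the org.springframework.security.web.util one of 3.0.2 and 3.1 (it moved to the util.matcher package in 3.2). This covers only the entry point; per-entry-point providers, logout and error pages still need the custom code the answers describe.

```groovy
// src/groovy/com/example/auth/PathPrefixRequestMatcher.groovy  (hypothetical)
package com.example.auth

import javax.servlet.http.HttpServletRequest
import org.springframework.security.web.util.RequestMatcher

// Selects requests whose path inside the application is "/admin" or starts with "/admin/"
class PathPrefixRequestMatcher implements RequestMatcher {
    private final String prefix

    PathPrefixRequestMatcher(String prefix) { this.prefix = prefix }

    boolean matches(HttpServletRequest request) {
        String path = request.requestURI.substring(request.contextPath.length())
        path == prefix || path.startsWith(prefix + '/')
    }
}

// grails-app/conf/spring/resources.groovy
import com.example.auth.PathPrefixRequestMatcher
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint

beans = {
    def adminLogin = new LoginUrlAuthenticationEntryPoint()
    adminLogin.loginFormUrl = '/admin/login'
    adminLogin.forceHttps = true            // never redirect admins to a plain-HTTP login form

    def userLogin = new LoginUrlAuthenticationEntryPoint()
    userLogin.loginFormUrl = '/login/auth'  // the spring-security-core plugin's default login page

    // Replaces the plugin's own authenticationEntryPoint bean, which the exception translation
    // filter uses. LinkedHashMap order is the evaluation order; unmatched requests fall through
    // to defaultEntryPoint.
    authenticationEntryPoint(DelegatingAuthenticationEntryPoint,
            [(new PathPrefixRequestMatcher('/admin')): adminLogin] as LinkedHashMap) {
        defaultEntryPoint = userLogin
    }
}
```

Overriding the plugin's bean drops its AjaxAwareAuthenticationEntryPoint behaviour (the separate ajaxLoginFormUrl for XHR requests), so if the app relies on that, use the plugin's class in place of LoginUrlAuthenticationEntryPoint for the default entry. The matcher deliberately tests the path after the context path and requires a "/" boundary, so /administrator is not mistaken for the admin area.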
I'm building some applications using rails.
All apps use the restful auth plugin for the User base and the declarative authorization plugin for authorization rules.
But I need to merge all sites' User accounts into one User base to provide login for all sites.
I.e. like 37signals is working on. Here is their work:
http://37signals.com/accounts
How can I achieve this? Any suggestions are welcome.
Thanks
A.Karr
From studying how 37signals was doing stuff - I think they're using RubyCAS http://github.com/gunark/rubycas-server
It's perfect for single sign-on, single sign-off and other related stuff when you have multiple independent applications. Also, because CAS is a generic protocol, it exists for non-Ruby/Rails applications too. So you can integrate legacy systems or client applications in Java etc.
I started building a set of how-tos on the subject here:
http://rubyglasses.blogspot.com/2009/12/rails-single-sign-on-with-rubycas.html
Have you thought about using open id?
If all your apps run on the same domain you shouldn't have any problems accessing the authentication cookie in all the apps, but you'll need to store the authentication state somewhere where all the applications can access it.