I have a grails 1.2 app and I want to use declarative security in order to restrict accesses based on roles. I decided to try shiro, installed the plugin, but when I try to authenticate, the message "Invalid username and/or password" shows up in the header. I check the db entry and the user is there with the sha'ed password. No messages are shown neither in the console nor in the stacktrace file. I added "warn 'org.jsecurity'" to Config.groovy with no results. Any hints/tricks to troubleshoot this ?
I ran into this problem as well... how are you saving the password for the user? After running quick start I followed the example on the Shiro plugin page and added the code below to my bootstrap init method:
import org.apache.shiro.crypto.hash.Sha512Hash
def user = new ShiroUser(username: "user123", passwordHash: new Sha512Hash("password").toHex())
user.save()
I would attempt to login and would continue to get a login failed. So I tried
def user = new ShiroUser(username:'admin', passwordHash:new Sha256Hash("admin").toHex())
user.save()
After changing from Sha512Hash to Sha256Hash... I was able to login!
UPDATE: Just created a new app with default Shiro Plugin settings after running 'quick-start'. If you are to create a user, you are going to want to use Sha256Hash out of the box. However, you can use Sha512Hash or Sha1Hash by adding the bean to your resources.groovy file for Spring.
Example for Sha512Hash:
beans = {
bean {
credentialMatcher(Sha512CredentialsMatcher) {
storedCredentialsHexEncoded = true
}
}
}
Did you run the quick-start? Are you using the default database realm?
I would debug through the Realm you're using and see what's going on.
I can't help with the shiro troubleshooting, but if you're looking for a more powerful solution you might want to check out nimble. It's based on shiro and offers a lot of additional features and flexibility.
You can install the latest with:
grails install-plugin nimble 0.4-SNAPSHOT
nimble documentation
Related
I'm trying to use this documentation in order to build a plugin to auto accept an inbound call. What I also want is the ability to turn auto answer on/off by a certain worker attribute. Here's what I have so far in my init(flex, manager) method :
if(manager.workerClient.attributes.[attribute name].includes('[attribute name')) {
manager.workerClient.on('reservationCreated', reservation => {
if (reservation.task.attributes.autoAnswer === 'true') {
flex.Actions.invokeAction('AcceptTask', {sid: reservation.sid});
flex.Actions.invokeAction('SelectTask', {sid: reservation.sid});
}
});
}
I've read through the documentation on accessing worker attributes and think I'm fine with getting the attribute name. However, I'm unsure of the auto answer portion.
Twilio developer evangelist here.
Your code looks correct, I have a similar example that I've used before here.
After discussing with you in the comments, if you set the plugins url to an empty string or null, then Flex will make an API request to look for plugins that it should load at flex.twilio.com/plugins, which only comprises of plugins that you have deployed. You should either set the url to your local /plugins to load the local version. Or you should deploy your plugin so that it can be loaded from flex.twilio.com/plugins in your environment.
Using Shiro spring boot starter 1.4.0 in Spring boot application and can't figure out how i can extract shiro principalCollection data into my thymeleaf templates to use in other expressions etc...
I store some lightweight user data in shiro and wanted to display a custom message using current users first name and last login time
for example:
<p th:text="#{welcome.lastlogin.message(${???.firstName},${???.lastLoginTime})}">..Hello, user, how are you today?..</p>
I did dump the session attribute to see what shiro is storing the principals as and i see this in session:
org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY = john.doe#somewhere.com,{userID=1,firstName=John, lastName=Doe, loginAttempts=0, lastLoginTime=Mon Jan 22 09:30:47 EST 2018}
My code uses a HashMap and adds it to the principals...
Is this even possible?
edit: I guess the other option is simply not use shiro principalCollection for this purpose and put my own object in session and use it from thymeleaf instead.
Take a look at thymeleaf-extras-shiro, It might do exactly what you are looking for. Otherwise, I'm guessing you would need to use principalCollection.getPrimaryPrincipal()
I'd like to employ dynamic request maps to secure controller actions.
This works fine for URLs as
/<controller>/show/*
<controller>/list
but fails with a "springSecurity.denied.message" e.g. for
/<controller>/create
when the instance shall be saved. The create-url requires:
/<controller>/save
to be added to the requestMap - then it does work.
For "delete" and "edit", I was unable to find a solution.
???What is the appropriate set of requestMap entries to allow for actions "edit" and "delete"???
Annotation can solve this - but the requestMap approach should also work.
STATUS
Grails version: 2.2.2
PLUGIN
springSecurityCore - 1.2.7.3 using SecurityConfigType.Requestmap
I'm relatively new to Spring, but very new to Spring Security and Grails. To be brief, I know its recommended to not allow .jsp files to be servable, you should toss them in WEB-INF, and set up your controllers to pull them from the right place.
How would I go about doing this in Grails? It seems that I would destroy the idea of "convention over configuration" by tossing gsp's into WEB-INF and then writing logic into all my controllers (if that's even immediately possible...) It seems I would have to alter some basic Grails configurations.
Any ideas?
OK, I haven't seen a complete answer for this here (or elsewhere one StackOverflow) that provides a full valid result, so here's what I've come up with:
First, create a new controller:
grails create-controller gspForbidden
Open this up, and add this to the index action:
index = {
response.status = 404
}
Then, open grails-app/conf/UrlMappings.groovy and add this under the static mappings closure:
"/grails-app/**.gsp"(controller:"gspForbidden")
This will redirect any attempts to view a GSP directly to the gspForbidden controller. That controller, in turn, simply renders a 404 - a file not found response. The best thing about this is that it's completely hidden - there's nothing showing that the GS path was correct, so there's less chance of exposing something important about the application design.
I tried repeatedly to figure out how to use UrlMappings to show a 404 without the controller, but I had no success. If you can think of a way, please let me know. I'd much rather have this happen without any explicit controllers.
Slight correction to earlier post:
Just adhering to the convention in Grails doesn't prevent someone who guesses where a gsp lives from hitting it directly (I just tried it, it works).
From Spring Security Plugin Documentation:
package com.testapp
import grails.plugins.springsecurity.Secured
class SecureController {
#Secured(['ROLE_ADMIN'])
def index = {
render 'Secure access only'
}
}
you can secure your GSP pages as the example above. Secured annotation will provide access only to a user if they have the admin rights.
for more information , refer to :
http://grails-plugins.github.com/grails-spring-security-core/docs/manual/
tutorials are nice as a start.
You actually don't need to worry about this in Grails. If you follow the conventions of using views and controllers it will handle all the details about making sure the GSP pages aren't directly accessible.
As far as integration with Spring Security is concerned, again if you follow one of the recommended patterns (URL security or annotation within your controllers) you should be fine.
i have a uri such as someController/someAction?param1=aa¶m2=bb
is there some method of grails can extract controller name and action name from this uri.
or shiro has any method to detect this uri is permitted?
i have a domain Menu(name,url), and now want to get the menu list which is permitted for current user.
url such as /auth/login(may be mapping as user:login), /user/login
so 2 days ago i ask this question.
now i change the menu to (name,controller,action,param),and filter the menulist like this:
def subject = SecurityUtils.subject;
menuList.each{
if(it.permission){
def perm = shiroPermissionResolver.resolvePermission("${it.permission.controller}:${it.permission.action}")
def isPermitted = subject.isPermitted(perm)
println "$isPermitted -> ${it.permission.controller}:${it.permission.action}"
}
}
sorry for my poor english,and thanks for reply.
btw,here is another question of how to cache shiro:
how to use cache permissions in grails shiro
To proflux:
so what do u think is the better way to store menulist?
cause:
it need to show different menu to user due to their permissions.
sometime we update a webapp, but want to show menu to user later.
so we only need to change such as a menu.visible. (better than change hard code cfg or source).
we areusing extjs to show the menu(so nav plugin cant use).
Shiro uses the convention of $controller:$action for permissions. You have two options:
Use the Shiro Tags
Use the Shiro API directly
In the first case, in your GSP you can add something like:
<shiro:hasPermission permission="someController:someAction">
<g:link...>
</shiro:hasPermission>
<shiro:lacksPermission permission="someController:someAction">
No link
</shiro:lacksPermission>
Alternatively, you can use the <g:if...> tag and use the
SecurityUtils.subject.isPermitted("someController:someAction")
method to directly check if the user has the necessary permission.
For more info, check out the Grails Shiro Tag Library Source and the Shiro API docs.