How do I implement a "Remember Me" function in Grails so that the user can check it and he won't have to log in again for 2 weeks?
I'm using the jSecurity plugin and want to change the cookie's lifetime beyond the browser session.
JSecurity already supports RememberMe functionality. Take a look at the AuthorizationController, you'll find that it supports parameter "rememberMe."
To implement a two-week time-out, I'd add another cookie and modify AuthorizationController to behave accordingly. There may be that functionality in JSecurity, not sure about that - doesn't seem the controller respects it.
Spring security (formerly acegi security) has this built-in, if you can use that plugin.
otherwise, the other posted solutions work nicely.
Related
I'm working on a Spring web application (not Spring Boot) that uses Spring Security 5.3.3, Spring Security OAuth 2.5.0, and configures it like this:
http.authorizeRequests().
antMatchers(permitUrls).
permitAll().
anyRequest().
authenticated().
and().
oauth2ResourceServer().
jwt();
Our clients report occasional 401 responses which we can't find in our application logs, so we assume it's from the Spring Security itself. We would like to log authentication and authorization failures, but I'm confused as to what is the current preferred method to achieve that.
A quick search reveals 4 paths:
custom AuthenticationFailureHandler (seems like this one is only available in FormLoginConfigurer, which isn't our case)
custom AuthenticationEntryPoint (this one is available with JWT, but OAuth2AuthenticationEntryPoint which I was going to extend is deprecated with an unhelpful message). I could try using HttpStatusEntryPoint instead, but I'd like to avoid changing the current behavior of my app, just want to add logging.
custom Filter (probably, not the cleanest path)
AuditApplicationEvents — looks beautiful, but seems like it's for Spring Boot only.
Could anyone provide me with some guidance on this?
I suggest activating the logger of org.springframework.security by changing its log level to DEBUG.
Based on your log tools (log4j2, logback, ...) create a logger in your log configurations with name org.springframework.security and level DEBUG.
I have searched enough but I haven't got a clear answer and thus posting this question.
I have an existing application which uses spring security for authentication.
Current implementation uses a custom implementation of UsernamePasswordAuthenticationFilter for doing this.
Thus the flow is something like below(in very simple terms):
inputrequest>DelegatingFilterProxy>LoginUrlAuthenticationEntryPoint>CustomUsernamePasswordAuthenticationFilter>AuthenticationManager>CustomAuthenticationProvider
Now I have a requirement to implement SSO (since the user is already asusmed to be authenticated) in some scenarios.
The requirement states that if I have a specific request parameter present then I need to automatically authenticate the request without bothering about user/password.
So it is same set of resources and I do not have to authenticate user/password if the specific SSO related request parameter is present.
e.g
suppose a resource \test\bus is a secure resource.
if I come from normal way then we need to check if the user is authenticated or nor and force user to put valid user/password
if I come from SSO channel then I need to show the \test\bus resource as the user is already authenticated.
currently all the access restrictions are put through <http> element
e.g the snippet of security-config.xml is as follows:
Query: What options do I have in this case. I can think of below options:
Pre-authenticate the user before spring security framework kicks in. This will mean creating an authentication token and putting in spring context before spring security filter is called. This can be done through another filter which is called before spring security filter chain. I have tested it and it works.
Create another custom security filter which set-up the authentication token. I am not clear if this is correct approach as not sure when do we create multiple custom security filter
Create another custom authentication provider e.g SSOCustomAuthenticationProvider. This provider will be called in the existing current flow as we can have multiple authentication providers to a authentication manager. The only issue is that in order to achieve this I have to change the request url to authentication filter's target url so that spring security doesn't check for authentication.
to explain more,
let's say request uri is /test/bus, I will write a filter which will intercept the request and change it to /test/startlogin. This is currently my CustomUsernamePasswordAuthenticationFilter's target url i.e
<property name="filterProcessesUrl" value="/test/startlogin"/>
The flow will be
inputrequest>DelegatingFilterProxy>LoginUrlAuthenticationEntryPoint>CustomUsernamePasswordAuthenticationFilter>AuthenticationManager>SSOCustomAuthenticationProvider
I have tested this and this works. Is this a valid approach or a hack.
Is there any other viable option available with me.
Thanks for reading this.
Here is the issue:
We have to implement two-step login process. First step - user enters name/password and is being authenticated. Second step - user may be presented with secondary select screen where he chooses an option via simple click. When this is done user is finally authorized for certain set of actions. This concludes authentication/authorization process for current user session.
We do use Spring Security in its standard form: first login screen is handled by default Spring Security stack and as soon as user is in - Spring considers the login process done.
The secondary selection screen is completely outside of Spring Security and all we do upon user selection is set the properly configured object back into security context. This works for current session as expected.
We do have remember-me functionality as well which is implemented via checkbox named _spring_security_remember_me in the first login screen and also an overridden UserDetailsService bean.
The remember-me works fine for as long as there is no secondary select screen option. Since the secondary screen has nothing to do with Spring Security, the remember-me mechanism would not be activated for secondary option and all it is capable of is to remember only the first login step. This results with having to ask remembered user the option and we are tasked to avoid this.
Having both login form and secondary selection on the same page is not an option.
We could use additional cookie if the secondary selection is required and based on that cookie "silently" pass the needed parameter when authenticating. But this would mean that we have to do bunch of manual stuff which Spring Security "ought" to offer, also this puts some security logic and tokens outside of Spring managed security and remember-me functionality.
So here is the question to security gurus: how to "force" remember-me functionality to accept the secondary presented option? If it was possible for Remember-Me filter to "inspect" the passed URL and identify that remember-me option is chosen, we could add this parameter. But this does not sound like it is possible.
Is it possible/feasible to use yet another login form on secondary screen and "silently" pass just needed additional parameters? I know we won't include the user name/password in this case, at least not in clear form. The option sounds like it can be done, but I am still believing that there might be an easier way to just force the Remember-Me to do what it does. Or is there?
Thanks,
Nikolay
You could store the last selected option for each user in the database. Then you implement an AuthenticationSuccessHandler that reads the stored option from the database and sets it in the security context. If the option is not found, the user is redirected to the selection screen.
This should work regardless of the authentication type (form, basic or remember-be) only if you are using Spring Security 3.1 or later, as the possibility to register an AuthenticationSuccessHandler has been introduced in that version. There's a discussion on this topic in the Spring Forums.
I'm writing a pair of aspects. The first is to trap usernames when users successfully authenticate against my web app and the other is to trap when they explicitly logout. I'm having trouble finding Spring framework methods which are called only once and which will therefore let me capture this information.
We are using a basic Spring Security 3.0 configuration, with our only additions being to provide our own UserDetailsService implementation.
Can anyone help?
It turns out that this was completely the wrong way to do this. Spring has a set of baked-in ApplicationEvent classes which you can create ApplicationListeners to catch. Strangely, there seems to be no "LogoutEvent" but there are the very useful AuthenticationSuccessEvent, AbstractAuthenticationFailureEvent, HttpSessionCreationEvent and HttpSessionDestroyedEvent. Most interesting of all is the RequestHandledEvent.
To catch these I created my own bean which implemented
org.springframework.context.ApplicationListener;
and overrode
public void onApplicationEvent(ApplicationEvent appEvent)
In this I just if/else my way through the various appEvent types and take the appropriate actions to track users and sessions.
I have a Flex UI that will need to connect to Rails. How do I manage authentication and only authenticated user's can connect and see their own data only? UPDATE: And how would I do this if I should not want to use RubyAMF (right or wrong)?
I would say auth_logic might be a better plugin for handling authentication. If you use RubyAMF with auth_logic you will make a call to UserSession.create and pass in the username and password. You may also want to check out Weborb for communicating with Flex, it uses RTMP and depending on your needs it may be a better fit.
Check out RubyAMF, it is super easy to set up and use and enables you to call controller methods directly from flash and return actionscript objects.
homepage: http://blog.rubyamf.org/
google code: http://code.google.com/p/rubyamf/
First, for RubyAMF, check out this link: http://unitedmindset.com/jonbcampos/2009/05/30/ruby-on-rails-with-flex/
Next, for the authenticated users, just use Restful Authentication, a ruby plugin:
http://techno-weenie.net/2006/8/1/restful-authentication-plugin
If you make the smallest change to the authentication failed function in the plugin, your app with throw fault events when a user tries to access a service that they aren't authenticated to access.