These are chat archives for alvarosanchez/spring-security-rest

19th
Dec 2014
Álvaro Sánchez-Mariscal
@alvarosanchez
Dec 19 2014 08:45
@florent-blanvillain you should have a look at #131. There is lots of useful information there
@florent-blanvillain ok, I just read your latest comment :) A few comments on your code
1) To get the current principal you don't need to load it again. Just use springSecurityService.principal (inject that bean in your controller)
2) The header name can be customised in Config.groovy, so you'd better not hardcode it, just in case
3) Inject tokenGenerator bean instead of manually building an instance of one of them
Oh, forget about 1), I just realised it is not the current principal, but the new one...
Álvaro Sánchez-Mariscal
@alvarosanchez
Dec 19 2014 08:54
@skini26 about the OAuth delegation support, it is only for web-based applications because I use the implicit grant support of those providers
To access the current user you can use springSecurityService.currentUser
Regarding the exploit you mention, if you are not using it, you can disable the login endpoint. Otherwise, you should have to generate a random password to avoid that
Florent Blanvillain
@florent-blanvillain
Dec 19 2014 12:51
@alvarosanchez thanks :-D
Yanis Ikene
@yanisIk
Dec 19 2014 18:55

@alvarosanchez thanks :) (I know the code I wrote has a lot of wrong things, sorry about that, I just figured them out after but I can't edit anymore).

Another question: Is there a controller already available for registering users? I found nothing in SS core, maybe I missed it.
And the springSecurityService.currentUser will return me the Spring Security User and not my custom User. So do you suggest that I modify the User generated by SpringSecurity Core (as suggested by their documentation), or extend it, or have a reference to it?

Thanks.