gabrielmds
@gabrielmds
Hello Alvaro, I am using spring-security-rest to authenticate users in a REST API and I had to let the client know if the account was locked or expired. I added some code to BearerTokenAuthenticationFailureHandler to add the proper header messages. Is that recommended? Thank you
MadhuAithal
@MadhuAithal
Hello Alvaro, I wanted to know if I can use spring-security-rest 1.4 with grails 2.1.1 and spring-security-core 1.2.7. If that is not possible what version of spring-security-rest would you recommend and what functionality would I miss?
Álvaro Sánchez-Mariscal
@alvarosanchez
sorry guys, I was on vacation :)
I replied to the stackoverflow question I've seen so far
@gabrielmds yes, that is fine
@MadhuAithal it's not possible. SS core 1.x and 2.x have API changes that will make the REST plugin not compile at all. I'm afraid you'll have to upgrade to spring-security-core 2.x
Minhaj
@minhajkk
Hi @alvarosanchez My Validation Endpoint is not working? I don't find any example using Validation Endpoint just to validate the token.
Álvaro Sánchez-Mariscal
@alvarosanchez
@minhajkk what is not working? What is your application base URL? How are you making the request?
sbrady
@sbrady
I am getting "Caused by InvalidMimeTypeException: Invalid mime type "null": 'mimeType' must not be empty". I am using spring-security-core:2.0-RC4, spring-security-rest:1.4.0. I can see there were some pull requests around this. Has it been solved yet?
Álvaro Sánchez-Mariscal
@alvarosanchez
@sbrady see #116
sbrady
@sbrady
great thanks
ferasodh
@ferasodh
Hi alvarosanchez
Can I use spring-security-rest as a replacement of Oauth?
ferasodh
@ferasodh
My app has a server-side part and a JavaScript client side, where I found that your plugin fits. But I want to be able to authenticate other clients who want to consume my service. Does your plugin support this? Or do you suggest using another approach?
Aaron Eischeid
@aeischeid
having this in my url mappings:
name api1: "/api/$controller" {
    action = [GET: "list", POST: "save"]
    format = "json"
}
might be causing my issue, but I'm not sure what to put in there instead to handle the default login, logout, and verify paths
as it is I am getting a hard to understand infinite loop when I try to login.
any thoughts?
Aaron Eischeid
@aeischeid
hmmm, changed grails.plugin.springsecurity.rest.login.endpointUrl = '/api/gettoken' to avoid the loginController I had in place from springSecurityUI, now the error happens at api/gettoken and api/login works as it did before. but still not sure how to get this token plugin working.
a bit from the stacktrace that seemed relevant:
javax.servlet.ServletException: Servlet execution threw an exception
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
at com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationFilter.doFilter(RestAuthenticationFilter.groovy:108)
at grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter.doFilter(RequestHolderAuthenticationFilter.java:49)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:82)
at com.odobo.grails.plugin.springsecurity.rest.RestLogoutFilter.doFilter(RestLogoutFilter.groovy:63)
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
I am trying to track this down through the source, but so far not figuring much out
Aaron Eischeid
@aeischeid
okay, think I figured this out. didn't have my full package path for the GORM domain class. only had the domainClass name. AuthToken instead of com.my.path.AuthToken
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh I have replied to you in SO
Sebastian Ortiz
@neoecos
@alvarosanchez what do you think about the pull request I made?
ferasodh
@ferasodh
@alvarosanchez What about access token expiration? It seems like it doesn't expire. Isn't this a security threat as most users didn't log out? Is there a way to have refresh token?
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh tokens do expire when using Memcached. If you're using GORM, you'll have to handle token expiration by yourself via Quartz jobs or similar
@neoecos I have to look deeply at them. Thank you for contributing anyway!
ferasodh
@ferasodh
@alvarosanchez If using Memcached, is there a way to refresh the token?
Álvaro Sánchez-Mariscal
@alvarosanchez
In Memcached they will expire automatically after the configured timeout (1h by default)
They get refreshed on every access
ferasodh
@ferasodh
Thanks alvarosanchez.
I have a question about delegating authentication to OAuth providers. In case of successful authentication in Facebook or Twitter, does user information get logged in the database or is it just kept at the application level?
I mean, I want a way to have that personal information of users logged through Facebook or Twitter in the database. How can I do that?
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh the details don't get logged
If you want to do that, you need to override OauthController with your own implementation
ferasodh
@ferasodh
Thanks alvaro
I got 400 bad request when I tried to access api/login
do you have any idea how to solve this?
I put the following properties in config
grails.plugin.springsecurity.rest.token.validation.enableAnonymousAccess = true
grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.login.endpointUrl = '/api/login'
grails.plugin.springsecurity.rest.login.failureStatusCode = 401
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh a bad request implies something missing in the request. How are you making it?
Aaron Eischeid
@aeischeid
seems like you're experiencing similar to #137
the bearerTokenReader probably should never be gotten to in the case of an anonymousAccess url. but if it is reached it will give a 400 if a token is not included in either the header or body or if the content type is not 'application/x-www-form-urlencoded'. The comments say it should also look in the query string but I don't think it actually does that. (see #130)
nikuelias
@nikuelias
Hello Alvaro, thanks for replying to me on Twitter. I wanted to know whether, when there is a login (either successful or failed), besides returning a 200 or 401, it could also send a JSON with a format like {"status":"Error","message":"User and password not found"}. How could I do that? Many thanks
Álvaro Sánchez-Mariscal
@alvarosanchez
@nikuelias you have to implement your own version of org.springframework.security.web.authentication.AuthenticationFailureHandler, and register it in resources.groovy as restAuthenticationFailureHandler