sbrady
@sbrady
great thanks
ferasodh
@ferasodh
Hi alvarosanchez
Can I use spring-security-rest as a replacement for OAuth?
ferasodh
@ferasodh
My app has a server-side part and a JavaScript client side, where I found that your plugin fits. But I want to be able to authenticate other clients who want to consume my service. Does your plugin support this? Or do you suggest using another approach?
Aaron Eischeid
@aeischeid
having this in my url mappings :
name api1: "/api/$controller"{
action = [GET: "list", POST: "save"]
format = "json"
}
might be causing my issue, but I'm not sure what to put in there instead to handle the default login, logout, and verify paths
as it is I am getting a hard-to-understand infinite loop when I try to log in.
any thoughts?
Aaron Eischeid
@aeischeid
hmmm, changed grails.plugin.springsecurity.rest.login.endpointUrl = '/api/gettoken' to avoid the loginController I had in place from springSecurityUI, now the error happens at api/gettoken and api/login works as it did before. but still not sure how to get this token plugin working.
a bit from the stacktrace that seemed relevant:
javax.servlet.ServletException: Servlet execution threw an exception
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
at com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationFilter.doFilter(RestAuthenticationFilter.groovy:108)
at grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter.doFilter(RequestHolderAuthenticationFilter.java:49)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:82)
at com.odobo.grails.plugin.springsecurity.rest.RestLogoutFilter.doFilter(RestLogoutFilter.groovy:63)
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
I am trying to track this down through the source, but so far not figuring much out
Aaron Eischeid
@aeischeid
okay, think I figured this out. didn't have my full package path for the GORM domain class. only had the domainClass name. AuthToken instead of com.my.path.AuthToken
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh I have replied to you in SO
Sebastian Ortiz
@neoecos
@alvarosanchez what do you think about the pull request I made?
ferasodh
@ferasodh
@alvarosanchez What about access token expiration? It seems like it doesn't expire. Isn't this a security threat as most users didn't log out? Is there a way to have a refresh token?
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh tokens do expire when using Memcached. If you're using GORM, you'll have to handle token expiration by yourself via Quartz jobs or similar
@neoecos I have to look deeply at them. Thank you for contributing anyway!
ferasodh
@ferasodh
@alvarosanchez If using Memcached, is there a way to refresh the token?
Álvaro Sánchez-Mariscal
@alvarosanchez
In Memcached they will expire automatically after the configured timeout (1h by default)
They get refreshed on every access
ferasodh
@ferasodh
Thanks alvarosanchez.
I have a question about delegating authentication to OAuth providers. In case of successful authentication with Facebook or Twitter, does user information get logged in the database, or is it just kept at the application level?
I mean, I want a way to have the personal information of users logged through Facebook or Twitter in the database. How can I do that?
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh the details don't get logged
If you want to do that, you need to override OauthController with your own implementation
ferasodh
@ferasodh
Thanks alvaro
I got a 400 bad request when I tried to access api/login
do you have any idea how to solve this?
I put the following properties in config
grails.plugin.springsecurity.rest.token.validation.enableAnonymousAccess = true
grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.login.endpointUrl = '/api/login'
grails.plugin.springsecurity.rest.login.failureStatusCode = 401
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh a bad request implies something missing in the request. How are you making it?
Aaron Eischeid
@aeischeid
seems like you're experiencing similar to #137
the bearerTokenReader probably should never be gotten to in the case of an anonymousAccess url. but if it is reached it will give a 400 if a token is not included in either the header or body or if the content type is not 'application/x-www-form-urlencoded'. The comments say it should also look in the query string but I don't think it actually does that. (see #130)
nikuelias
@nikuelias
Hi Alvaro, thanks for replying to me on Twitter. I wanted to know whether it is possible, when there is a login (both successful and failed), to send, in addition to returning a 200 or 401, a JSON with a format like {"status":"Error","message":"User and password not found"}. How could I do that? Many thanks
Álvaro Sánchez-Mariscal
@alvarosanchez
@nikuelias you have to implement your own version of org.springframework.security.web.authentication.AuthenticationFailureHandler, and register it in resources.groovy as restAuthenticationFailureHandler
sbrady
@sbrady
Hi All, I am attempting to run the test-app.sh, I keep getting:
| Error Compilation error compiling [unit] tests: (class: com/odobo/grails/plugin/springsecurity/rest/RestAuthenticationToken, method: super$1$implies signature: (Ljavax/security/auth/Subject;)Z) Illegal use of nonvirtual function call (Use --stacktrace to see the full trace)
I am using Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
maybe it's a Groovy version issue?
sbrady
@sbrady
never mind, grails clean seemed to fix it
sbrady
@sbrady
Hey @alvarosanchez , thanks for the release
I have a question/suggestion re rfc6750, I think when a user makes a request to a secured url without any token, it should respond with a 401 (https://tools.ietf.org/html/rfc6750#section-3.1)
I'd expect to get a 403, when I have an authenticated token but my access scope is forbidden
prdonahue
@prdonahue
anyone here having trouble implementing the anonymous example in the docs?
i just wrote a (pretty meaty) explanation here: alvarosanchez/grails-spring-security-rest#122
nikuelias
@nikuelias
Hi Alvaro, it's me again. Thanks for answering me last time. I have a new question. I want to filter the users who can log in. For that, I think what I should do is rewrite the class "RestAuthenticationFilter.groovy", right? If so, how should I do it? Create in my src/groovy folder a package with the same name and a class with the same name and override the doFilter method? Or am I doing it wrong? Because I'm not managing to capture the event. It constantly gives me Java errors. Well, I await your reply; I hope I have been clear. Besides this, should I write something in resources.groovy? Thanks in advance, Nicolas.
Álvaro Sánchez-Mariscal
@alvarosanchez
@sbrady I addressed that issue in the latest release, I think