Aaron Eischeid
@aeischeid
okay, think I figured this out. didn't have my full package path for the GORM domain class. only had the domainClass name. AuthToken instead of com.my.path.AuthToken
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh I have replied to you in SO
Sebastian Ortiz
@neoecos
@alvarosanchez what do you think about the pull request I made?
ferasodh
@ferasodh
@alvarosanchez What about access token expiration? It seems like it doesn't expire. Isn't this a security threat as most users didn't log out? Is there a way to have refresh token?
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh tokens do expire when using Memcached. If you're using GORM, you'll have to handle token expiration by yourself via Quartz jobs or similar
@neoecos I have to look deeply at them. Thank you for contributing anyway!
ferasodh
@ferasodh
@alvarosanchez If using Memcached, is there a way to refresh the token?
Álvaro Sánchez-Mariscal
@alvarosanchez
In Memcached they will expire automatically after the configured timeout (1h by default)
They get refreshed on every access
ferasodh
@ferasodh
Thanks alvarosanchez.
I have a question about delegating authentication to OAuth providers. In case of successful authentication in Facebook or Twitter, does user information get logged in the database, or is it just kept at the application level?
I mean, I want a way to have the personal information of users logged in through Facebook or Twitter in the database. How can I do that?
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh the details don't get logged
If you want to do that, you need to override OauthController with your own implementation
ferasodh
@ferasodh
Thanks alvaro
I got 400 bad request when I tried to access api/login
do you have any idea how to solve this?
I put the following properties in config
grails.plugin.springsecurity.rest.token.validation.enableAnonymousAccess=true
grails.plugin.springsecurity.rest.login.active =true
grails.plugin.springsecurity.rest.login.endpointUrl ='/api/login'
grails.plugin.springsecurity.rest.login.failureStatusCode =401
Álvaro Sánchez-Mariscal
@alvarosanchez
@ferasodh a bad request implies something missing in the request. How are you making it?
Aaron Eischeid
@aeischeid
seems like you're experiencing similar to #137
the bearerTokenReader probably should never be gotten to in the case of an anonymousAccess url. but if it is reached it will give a 400 if a token is not included in either the header or body or if the content type is not 'application/x-www-form-urlencoded'. The comments say it should also look in the query string but I don't think it actually does that. (see #130)
nikuelias
@nikuelias
Hi Alvaro, thanks for answering me on Twitter. I wanted to know whether it is possible, when there is a login (both successful and failed), to send, in addition to returning a 200 or 401, a JSON with a format like {"status":"Error","message":"User and password not found"}. How could I do that? Thank you very much
Álvaro Sánchez-Mariscal
@alvarosanchez
@nikuelias you have to implement your own version of org.springframework.security.web.authentication.AuthenticationFailureHandler, and register it in resources.groovy as restAuthenticationFailureHandler
sbrady
@sbrady
Hi All, I am attempting to run the test-app.sh, I keep getting:
| Error Compilation error compiling [unit] tests: (class: com/odobo/grails/plugin/springsecurity/rest/RestAuthenticationToken, method: super$1$implies signature: (Ljavax/security/auth/Subject;)Z) Illegal use of nonvirtual function call (Use --stacktrace to see the full trace)
I am using Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
maybe it's a groovy version issue?
sbrady
@sbrady
never mind, grails clean seemed to fix it
sbrady
@sbrady
Hey @alvarosanchez , thanks for the release
I have a question/suggestion re rfc6750, I think when a user makes a request to a secured url without any token, it should respond with a 401, (https://tools.ietf.org/html/rfc6750#section-3.1)
I'd expect to get a 403, when I have an authenticated token but my access scope is forbidden
prdonahue
@prdonahue
anyone here having trouble implementing the anonymous example in the docs?
i just wrote a (pretty meaty) explanation here: alvarosanchez/grails-spring-security-rest#122
nikuelias
@nikuelias
Hi Alvaro, it's me again. Thanks for answering me last time. I have a new question. I want to filter the users who can log in. For that, it seems to me that what I should do is rewrite the class "RestAuthenticationFilter.groovy", right? If so, how should I do it? Create a package with the same name in my src/groovy folder, with a class of the same name, and override the doFilter method? Or am I doing it wrong? Because I am not managing to capture the event. It constantly gives me Java errors. Well, I await your reply; I hope I have been clear. Besides this, should I write something in resources.groovy? Thanks in advance, Nicolas.
Álvaro Sánchez-Mariscal
@alvarosanchez
@sbrady I addressed that issue in the latest release, I think
@nikuelias please better write in English on this channel, so that everybody can understand and/or help. Regarding your question, not sure what you mean by "filter users". Could you clarify that?
nikuelias
@nikuelias

Sorry. I will give a try in english :). I want to do this:

When a user logs in, I want to check some data to let him log in or not. I need to create users with an "expiration date", so when the user logs in, I need to check if the date is between startDate and endDate. To do this, I thought to check this data in the RestAuthenticationFilter. So, to do this I don't really know how to. Do I need to create a class with the same name and package in my project? Because when I do this, all kinds of errors appear in my project. And, I think, I should modify resources.groovy but I don't really know how to either. Hope you can help me and understand me. Thanks a lot Alvaro.

sbrady
@sbrady
@alvarosanchez if I look at the BearerTokenSpec.groovy, it expects 403 in some places, where it should probably be 401... I think
Álvaro Sánchez-Mariscal
@alvarosanchez
@nikuelias assuming you are using GORM for storing users, you can subclass DaoAuthenticationProvider
eg
class ExpiringUsersAuthenticationProvider extends DaoAuthenticationProvider
and then override additionalAuthenticationChecks()
void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
    super.additionalAuthenticationChecks(userDetails, authentication)

    //... your code ...
}
finally, you have to register the bean in resources.groovy
Álvaro Sánchez-Mariscal
@alvarosanchez
        daoAuthenticationProvider(ExpiringUsersAuthenticationProvider) {
            userDetailsService = ref('userDetailsService')
            passwordEncoder = ref('passwordEncoder')
            userCache = ref('userCache')
            saltSource = ref('saltSource')
            preAuthenticationChecks = ref('preAuthenticationChecks')
            postAuthenticationChecks = ref('postAuthenticationChecks')
            authoritiesMapper = ref('authoritiesMapper')
            hideUserNotFoundExceptions = SpringSecurityUtils.securityConfig.dao.hideUserNotFoundExceptions // true
        }
Álvaro Sánchez-Mariscal
@alvarosanchez
@sbrady let me have a closer look
nikuelias
@nikuelias
Thanks a lot @alvarosanchez, I will try and give an update to you!
Todsaporn Sangboon
@nolifelover
I have some trouble with a loop in the filter from spring-security-rest: on each request it takes a long time to process and render the view. After enabling logging, I found getReachableGrantedAuthorities() is called many times. I posted a new issue at alvarosanchez/grails-spring-security-rest#148
Thank you, and I apologize for my English.