Álvaro Sánchez-Mariscal
@alvarosanchez
Alright then
Tushar Saxena
@tushar-saxena
Hi. Do we need to run s2-quickstart in the Spring Security REST plugin?
Álvaro Sánchez-Mariscal
@alvarosanchez
@tushar-saxena not for the REST plugin, but you might do it for the Core plugin
Tushar Saxena
@tushar-saxena
@alvarosanchez thanks
willowsmyth
@willowsmyth
Hi, I have a working application without SS-core and SS-rest, but as soon as I install both of the plugins, requesting appname/index.gsp (as well as api/login) renders a 404.
willowsmyth
@willowsmyth
Finally got an error out of Grails that led to a change to file: ./target/work/plugins/cors-1.1.6/CorsGrailsPlugin.groovy. Had to change plugins.springsecurity to plugin.springsecurity
I was using compile ':spring-security-core:2.0-SNAPSHOT' & compile ":spring-security-rest:1.5.0.M2"
dcalleg
@dcalleg
@alvarosanchez, Hi Alvaro, I'm new to using your plugin. I need to do OAuth authentication from mobile apps. Is it possible to do that with this plugin?
Thanks
Álvaro Sánchez-Mariscal
@alvarosanchez
@dcalleg you need OAuth with 3rd party providers like Google/Facebook/Twitter?
If that's the case, then yes, the plugin is useful
If you need to become your own OAuth provider, then I recommend you this: https://grails.org/plugin/spring-security-oauth2-provider
@neoecos very good point about JWT, I will think about a generic plugin
dcalleg
@dcalleg
@alvarosanchez, Thanks
dcalleg
@dcalleg
@alvarosanchez, I decided to use your plugin; I'm using it to secure my REST API.
But I would like to have two ways to authenticate users:
1) with username and password (the default in the plugin)
2) with another field of the user in my DB.
What is the best way to solve it?
Thanks
Sebastian Ortiz
@neoecos
Hi @alvarosanchez, I'm planning to add support for JWE for a controller, using a shared secret to enable secure communication between two REST services. I would really appreciate it if we could discuss a reusable way to implement that, and maybe release a plugin. Thank you.
I'm not sure whether to use a custom serializer/deserializer, a filter, or a base controller like the RestfulController.
Álvaro Sánchez-Mariscal
@alvarosanchez
@dcalleg you need to implement your own authentication provider: http://grails-plugins.github.io/grails-spring-security-core/guide/authenticationProviders.html
@neoecos I don't plan to work on such a plugin in the short term, so go ahead with it
If I were going to do it, I would do it the same way as the JSON renderers
e.g.:
respond [foo: bar] as JWT
jadelus
@jadelus
@alvarosanchez - Hi Alvaro, Thanks for the REST plugin - it rocks! One question: I am currently using GORM for storage and I noticed that if I call /api/login multiple times it generates multiple instances of the authentication token in the database. Is this expected behavior? I would have expected it to check if there is already an authentication token present for the user (if they are authenticated) and if so just return that token rather than generate a new one (provided it hasn't expired). Or I could just be doing something wrong. Thanks for your help!
Diego Cardozo
@dlcardozo
@jadelus Think about mobile devices and a desktop machine: you can log in from both places without disconnecting the other device/machine.
jadelus
@jadelus
@alvarosanchez Thanks for your response. I could understand that if I was using multiple clients but I'm only using the one desktop client right now (the Google Chrome Postman REST client).
Gokhan Dogramaci
@dogramacigokhan
Hi everyone, I have a problem with failure handling. I tried to achieve custom error handling but couldn't do it without modifying the source code of the plugin. One way was adding a custom filter to Spring and trying to catch the error and add things to the output stream or change the status code. But it didn't work, because the plugin ends the filter chain if something goes wrong. Then I tried to set a custom handler instead of the RestAuthenticationFailureHandler, but I couldn't do that either. Is there any chance to add this feature to the plugin? Like setting a variable in the Config.groovy file, something like grails.plugin.springsecurity.rest.login.failureHandler='com.xxx.OurCustomHandler'? I can create a pull request for that. Thanks in advance.
Álvaro Sánchez-Mariscal
@alvarosanchez
@jadelus the initial design didn't consider the need to look up existing generated tokens, because in the initial implementation (Memcached) you can get the user details given the token, but not the other way around
It could be solved by handling reverse lookup entries, so the token storage stores both directions at the same time
in Grails cache, the implementation would be similar
and in GORM it is easily solvable too
however, in JWT, as there is no real state nor storage at all, there is no way to solve it
I don't see a major issue generating a token every time, as they will expire anyway
Álvaro Sánchez-Mariscal
@alvarosanchez
@dogramacigokhan all you have to do is to register your own implementation of an AuthenticationFailureHandler in resources.groovy with the bean name restAuthenticationFailureHandler
Sufyan Shoaib
@sufyanshoaib
I am having a logout issue with the REST plugin; I have posted my question here: http://stackoverflow.com/questions/29514288/logout-api-error-rest-spring-security-plugin-in-grails @alvarosanchez .. any idea?
Álvaro Sánchez-Mariscal
@alvarosanchez
@sufyanshoaib answered you on SO
jadelus
@jadelus
@alvarosanchez thank you for the clarification.
Sufyan Shoaib
@sufyanshoaib
@alvarosanchez thanks for the reply, but the issue is I have Java 6, with which it won't work, giving an "unable to resolve class java.nio.charset.StandardCharsets" error
Álvaro Sánchez-Mariscal
@alvarosanchez
@sufyanshoaib there are no significant version changes between 1.4.0 and 1.4.1. Could you please run grails clean-all && grails compile?
Germán M. Gomez
@ggomez1973
Hi Alvaro, I can't seem to find a working sample of the plugin. Does anyone have a sample that I can clone and run to get an idea of what I need to do? Thanks in advance
jadelus
@jadelus
Hi @alvarosanchez, I would like to have the plugin pay attention to the user properties accountLocked and accountEnabled - i.e. rejecting any calls to /api if the account is locked or not enabled, if that /api is fully authenticated and even if a valid token is passed. It doesn’t look like the plugin pays any attention to these attributes. Is there a legitimate way I can override the plugin and enable this behavior, or is this a feature that could be added? Thanks.
Álvaro Sánchez-Mariscal
@alvarosanchez
@ggomez1973 replied to you on Twitter
Álvaro Sánchez-Mariscal
@alvarosanchez
@jadelus the REST plugin doesn't care about those properties, because the core plugin does
In fact, the plugin is agnostic with regard to authentication. It all depends on the configured providers
This is a snippet from the core plugin:
        preAuthenticationChecks(DefaultPreAuthenticationChecks)
        postAuthenticationChecks(DefaultPostAuthenticationChecks)

        daoAuthenticationProvider(DaoAuthenticationProvider) {
            userDetailsService = ref('userDetailsService')
            passwordEncoder = ref('passwordEncoder')
            userCache = ref('userCache')
            saltSource = ref('saltSource')
            preAuthenticationChecks = ref('preAuthenticationChecks')
            postAuthenticationChecks = ref('postAuthenticationChecks')
            authoritiesMapper = ref('authoritiesMapper')
            hideUserNotFoundExceptions = conf.dao.hideUserNotFoundExceptions // true
        }
and DefaultPreAuthenticationChecks does this:
    public void check(UserDetails user) {
        if (!user.isAccountNonLocked()) {
            log.debug("User account is locked");

            throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked",
                "User account is locked"));
        }

        if (!user.isEnabled()) {
            log.debug("User account is disabled");

            throw new DisabledException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled",
                "User is disabled"));
        }

        if (!user.isAccountNonExpired()) {
            log.debug("User account is expired");

            throw new AccountExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired",
                "User account has expired"));
        }
    }
jadelus
@jadelus
Thanks for the response @alvarosanchez. I guess the checks in DefaultPreAuthenticationChecks only get called on login and don’t get called as part of the stateless filter chain. I was looking for a way to prevent access at some point after successful login by setting accountLocked to true, but it seems that’s not the way things work. I wanted to check accountLocked at the time the token is authenticated on any protected REST api call and fail the call if it’s set.
Álvaro Sánchez-Mariscal
@alvarosanchez
Oh, you want to check it on every request? That's also a different behaviour than the core plugin. Let me figure out where you should override things to achieve that
jadelus
@jadelus
@alvarosanchez thinking about it more perhaps a simpler way for me to go is just set the locked property and remove the authentication token to force a login which will fail ...
Álvaro Sánchez-Mariscal
@alvarosanchez
you can easily do it on every request by replacing grails.plugin.springsecurity.rest.RestAuthenticationProvider with your own implementation