Announcement Announcement Module
Collapse
No announcement yet.
Grails & Spring security troubles, looking for some insights? Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Grails & Spring security troubles, looking for some insights?

    Hello all,

    Yesterday I started upgrading our Grails app from Acegi plugin 0.5.2 to the Spring security plugin. I'm running into a few issues, maybe anyone can help here?

    After making the necessary changes (as documented by Burt Beckwith on http://burtbeckwith.github.com/grail.../manual/guide/) I was able to start the Grails app once again (woohoo!). However, logging in didn't work anymore.

    Our situation is as follows: we use our Grails application pure for its application logic. Authentication is done using a username and password through webservices. As backends we use the database of the app (dao) and a LDAP backend. For now, we've disabled LDAP, to make testing easier.

    This is the code which does the authentication:
    Code:
    def authenticate(String username, String password) {
    try {
          println "Trying authentication with user " + username + " and password " + password + "."
          def tempToken = new UsernamePasswordAuthenticationToken(username, password)
          println "Temptoken is " + tempToken
          def token = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password))
          println "Authentication token received was: " + token
        } catch (AuthenticationException authenticationException) {
            return false
        }
        return true     
    }
    This prints to the log:

    Trying authentication with user admin and password admin.
    Temptoken is org.springframework.security.providers.UsernamePas swordAuthenticationToken@1f: Principal: admin; Password: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities

    And then it all stops.

    The domain classes we use are rather straightforward. We do not use a class such as the User Role for the joins between people and their authorities. Instead we use a many-to-many mapping, as this has always worked for us and is easy to maintain.

    Our authority domain class:
    Code:
    class Authority {
    static hasMany = [people: Person]
    
    /** description */
    String description
    /** ROLE String */
    String authority = ''
    
    String authorityType
    
    static constraints = {
        authority(help:'x',class:'wide',blank: false,unique:true)
        description(help:'x',class:'extrawide')
        authorityType(help:'x',class:'wide')
        people(help:'x',selectSort:'username',display:false)
    }   
    
    String toString() {
          return authority;
    }   
    }
    And our Person domain class:
    Code:
    class Person  {
    
    static hasMany = [authorities: Authority]
    static belongsTo = Authority
    
    //Authority primaryGroup
    
    /** Username */
    String username
    /** User Real Name*/
    String userRealName
    String familyName
    String givenName
    
    /** MD5 Password */
    String passwd
    /** enabled */
    boolean enabled
    
    String email
    boolean emailShow
    
    /** description */
    String description = ''
    
    
    
    static constraints = {
        username(blank: false, unique: true,help:'x',class:'wide')
        userRealName(blank: false,help:'x',class:'wide')
        familyName(blank: false,help:'x',class:'wide')
        givenName(blank: false,help:'x',class:'wide')
        email(help:'x',class:'wide')
        emailShow(help:'x')
        enabled(help:'x')
        passwd(blank: false,password:true,show:false,help:'x',class:'wide')
        authorities(nullable:true,help:'x',sortable:true,selectSort:'authority')        
    }
    
    String toString() {
          return username;
      }
    }
    In Config.Groovy, we have defined:
    Code:
    security {
    grails.plugins.springsecurity.active = true
    
    cacheUsers = false
    
    grails.plugins.springsecurity.providerNames = ['daoAuthenticationProvider', 'anonymousAuthenticationProvider', 'rememberMeAuthenticationProvider']
    
    grails.plugins.springsecurity.userLookUp.userDomainClassName = "Person"
    grails.plugins.springsecurity.userLookup.passwordPropertyName = "passwd"
    grails.plugins.springsecurity.authority.className = "Authority"
    As far as the documentation goes, this should work by all means (and so it did for the "old" Acegi setup).

    To gather some more insights I briefly activated LDAP and found the same issue. WireShark told me that no LDAP calls were made during the login process. My guess would be that either there's something wrong with the code in the Authenticate function or SpringSecurity doesn't know how to pick up our domain classes.

    I'd be glad to read any insights!

  • #2
    My guess is that this is causing a problem:

    Code:
    security {
    grails.plugins.springsecurity.active = true
    
    cacheUsers = false
    Looks like a broken copy/paste from your old Acegi config file. Unfortunately malformed Config.groovy files fail silently when you get to an invalid line like the first one and the rest of the file is ignored.

    Also, "cacheUsers = false" should be "grails.plugins.springsecurity.cacheUsers = false" - all properties must be prefixed with "grails.plugins.springsecurity."

    Comment


    • #3
      Originally posted by burtbeckwith View Post
      My guess is that this is causing a problem:

      Code:
      security {
      grails.plugins.springsecurity.active = true
      
      cacheUsers = false
      Looks like a broken copy/paste from your old Acegi config file. Unfortunately malformed Config.groovy files fail silently when you get to an invalid line like the first one and the rest of the file is ignored.

      Also, "cacheUsers = false" should be "grails.plugins.springsecurity.cacheUsers = false" - all properties must be prefixed with "grails.plugins.springsecurity."
      Hi Burt,

      Thanks a lot for your reply!

      I didn't know that about the config files. So I just made the change but to no luck however. Next I'll try to get everything out, except for the needed parts and see if that does any good. In case you have more tips, I'd be glad to hear about'em.

      Best, Raj

      Comment


      • #4
        Originally posted by dn667 View Post
        Hi Burt,

        Thanks a lot for your reply!

        I didn't know that about the config files. So I just made the change but to no luck however. Next I'll try to get everything out, except for the needed parts and see if that does any good. In case you have more tips, I'd be glad to hear about'em.

        Best, Raj
        Hi there,

        I just gave it a try, but to no luck. I stripped down my Security to:

        Code:
        security {
        	grails.plugins.springsecurity.active = true
        	grails.plugins.springsecurity.cacheUsers = false
        	grails.plugins.springsecurity.userLookUp.userDomainClassName = "Person"
        	grails.plugins.springsecurity.authority.className = "Authority"
        	grails.plugins.springsecurity.userLookup.passwordPropertyName = "passwd"
        	grails.plugins.springsecurity.password.algorithm = "SHA-1"
        }
        I stil get an error that no access or authories were granted.

        Is there any way of debugging this? More suggestions are welcome too of course
        Last edited by dn667; Jun 6th, 2011, 01:46 AM.

        Comment


        • #5
          I think the problem is the 'security {}' block. You are setting options such as:
          Code:
          security.grails.plugins.springsecurity.active=...
          when in fact the option is simply:
          Code:
          grails.plugins.springsecurity.active=...

          Comment


          • #6
            Originally posted by pledbrook View Post
            I think the problem is the 'security {}' block. You are setting options such as:
            Code:
            security.grails.plugins.springsecurity.active=...
            when in fact the option is simply:
            Code:
            grails.plugins.springsecurity.active=...
            Hi Peter,

            Thanks for the suggestion. I did give it a try, but to no result. Same for prefixing all settings with security. and leaving the security block out.

            I just noticed this in my logs:

            Code:
            2011-06-06 16:54:51,319 [main] WARN  impl.SessionFactoryObjectFactory  - InitialContext did not implement EventContext
            2011-06-06 16:54:51,831 [main] DEBUG hierarchicalroles.RoleHierarchyImpl  - setHierarchy() - The following role hierarchy was set: 
            2011-06-06 16:54:56,334 [main] INFO  ldap.DefaultSpringSecurityContextSource  -  URL 'ldap://localhost:389', root DN is ''
            2011-06-06 16:54:58,490 [main] INFO  intercept.FilterSecurityInterceptor  - Validated configuration attributes
            2011-06-06 16:54:59,295 [main] INFO  search.FilterBasedLdapUserSearch  - SearchBase not set. Searches will be performed from the root:
            That's quite strange. The LDAP plugin is installed, but not configured. Also, as displayed on the second line, I read "The following role hierarchy was set: ". I presume some kind of list should follow (but doesn't). That could well be the problem, right?

            This error displays no matter what I configure in the config.groovy.

            I guess we need to dig a bit deeper...

            Comment

            Working...
            X