
  • spring security vs. vFabric tc Server

    Hi, I don't know whether this is spring security plugin related or rather vFabric tc Server related.
    Using ggts (v3.2.0, grails: 2.2.1), I have the following effect:
    I've built an application with the spring security plugin and started with s2-quickstart (2 classes: User/Role).
    My problem is that under vFabric tc Server (2.6 as well as 2.8) spring security doesn't seem to work. It lets me log in, but then displays "access denied" on protected resources. Using any other stand alone tomcat installation or the grails built-in tomcat just works fine!

    The relevant lines from BootStrap.groovy:
    Code:
    		def adminRole = new Role(authority: 'ROLE_ADMIN').save(flush:true)
    		def userRole = new Role(authority: 'ROLE_USER').save(flush: true)
    		
    		def accounta = new User(username: 'a', enabled: true, password: 'a', accountExpired: false, accountLocked: false, passwordExpired: false, client: null).save(flush:true) 
    		def accountb = new User(username: 'b', enabled: true, password: 'b', accountExpired: false, accountLocked: false, passwordExpired: false, client: null).save(flush:true) 
    		def accountc = new User(username: 'c', enabled: true, password: 'c', accountExpired: false, accountLocked: false, passwordExpired: false, client: null).save(flush:true) 
    
    		UserRole.create accounta, userRole, true
    		UserRole.create accountb, userRole, true
    		UserRole.create accountc, userRole, true
    With that I've secured a controller using an annotation:
    Code:
    @Secured(['ROLE_USER'])
    class ClientController {...
    And of course the standard yadayada from the docs apply, e.g. Config.groovy:
    Code:
    grails.plugins.springsecurity.userLookup.userDomainClassName = 'sample.User'
    grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'sample.UserRole'
    grails.plugins.springsecurity.authority.className = 'sample.Role'
    I'm clueless. Any advice? TIA!

    PS: adding debug output of the spring security plugin.
    Code:
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - Converted URL to lowercase, from: '/client/index'; to: '/client/index'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - Candidate is: '/client/index'; pattern is /**; matched=true
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG context.HttpSessionSecurityContextRepository  - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '[email protected]3338c: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@88b3338c: Principal: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser@61: Username: a; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BBB82C017155A13F2E1F2830FF74E8CF; Granted Authorities: ROLE_NO_ROLES'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 5 of 8 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG rememberme.RememberMeAuthenticationFilter  - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@88b3338c: Principal: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser@61: Username: a; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BBB82C017155A13F2E1F2830FF74E8CF; Granted Authorities: ROLE_NO_ROLES'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG authentication.AnonymousAuthenticationFilter  - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@88b3338c: Principal: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser@61: Username: a; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BBB82C017155A13F2E1F2830FF74E8CF; Granted Authorities: ROLE_NO_ROLES'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /client/index; Attributes: [ROLE_USER]
    2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@88b3338c: Principal: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser@61: Username: a; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BBB82C017155A13F2E1F2830FF74E8CF; Granted Authorities: ROLE_NO_ROLES
    2013-03-29 16:16:40,924 [tomcat-http--39] DEBUG hierarchicalroles.RoleHierarchyImpl  - getReachableGrantedAuthorities() - From the roles [ROLE_NO_ROLES] one can reach [ROLE_NO_ROLES] in zero or more steps.
    2013-03-29 16:16:40,956 [tomcat-http--39] DEBUG access.ExceptionTranslationFilter  - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
    org.springframework.security.access.AccessDeniedException: Access is denied
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    	at java.lang.Thread.run(Thread.java:722)
    Last edited by wondermike; Mar 29th, 2013, 11:40 AM. Reason: added log

  • #2
    [SOLVED] spring security vs. vFabric tc Server

    SOLVED.

    It was a matter of different environments. I thought war files deployed to vfabric tc server under ggts are being deployed under development environment, but it was production. In the other environment, for some reason, the table for UserRole couldn't be created and thus the spring security plugin couldn't function. Providing the correct datasource solved the problem.

    Regards Michael
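
The debug log in the first post already shows the cause found in the second: the controller requires ROLE_USER, while the authenticated principal carries only ROLE_NO_ROLES, the placeholder authority the Grails Spring Security plugin assigns when it loads no roles for a user. The following triage script is an added example, not code from either poster or from the plugin; it assumes one log entry per line, and its sample input is constructed from the post's log with class names shortened.

```python
import re

# Constructed sample: three entries abridged from the debug log in the first
# post, one entry per line (class names shortened to "..").
SAMPLE_LOG = """\
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /client/index; Attributes: [ROLE_USER]
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: ..UsernamePasswordAuthenticationToken@88b3338c: Principal: ..GrailsUser@61: Username: a; Password: [PROTECTED]; Enabled: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true
2013-03-29 16:16:40,956 [tomcat-http--39] DEBUG access.ExceptionTranslationFilter  - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
"""

THREAD = re.compile(r"\[([^\]]+)\] DEBUG")
SECURE = re.compile(r"Secure object: FilterInvocation: URL: (\S+); Attributes: \[([^\]]*)\]")
AUTHED = re.compile(r"Previously Authenticated: .*?Username: ([^;]+);.*?Granted Authorities: ([^;']+)")
DENIED = "Access is denied (user is not anonymous)"
NO_ROLES = "ROLE_NO_ROLES"  # placeholder authority seen in the post's log


def split_roles(text):
    """Turn 'ROLE_A, ROLE_B' into a sorted list of role names."""
    return sorted(r.strip() for r in text.split(",") if r.strip())


def explain_denials(log_text):
    """Correlate entries per request thread and explain each denial of a logged-in user."""
    state, findings = {}, []
    for line in log_text.splitlines():
        thread = THREAD.search(line)
        if not thread:
            continue  # stack-trace lines and wrapped fragments carry no thread tag
        ctx = state.setdefault(thread.group(1), {})
        if m := SECURE.search(line):
            ctx.update(url=m.group(1), required=split_roles(m.group(2)))
        elif m := AUTHED.search(line):
            ctx.update(user=m.group(1).strip(), granted=split_roles(m.group(2)))
        elif DENIED in line and {"url", "user"} <= ctx.keys():
            if ctx["granted"] == [NO_ROLES]:
                cause = "no roles loaded for this user: check the UserRole table in the active datasource"
            else:
                cause = "user holds none of " + ", ".join(ctx["required"])
            findings.append({**ctx, "cause": cause})
            ctx.clear()  # the next request on this thread starts fresh
    return findings


if __name__ == "__main__":
    for f in explain_denials(SAMPLE_LOG):
        print(f"{f['user']} -> {f['url']}: needs {f['required']}, has {f['granted']}: {f['cause']}")
```

A finding with the "no roles loaded" cause points at role data (here, the missing UserRole table in the production datasource) rather than at the `@Secured` annotation or the filter chain.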
