Grails Spring-security-ui plugin, not using password encryption - spring

So, I have been making an app, got the back end sorted, generated the user, role and userRole classes in the spring-security-core plugin, within a domain plugin, then used the override command on s2ui to make the login and register controllers, within the main app.
I have the email verification working perfectly and when I bootstrap my admin and customer users and roles, I can log in perfectly.
But if I register a user and then click on the email link, it logs me in using that, but if I log out and try to log back in, it does not recognise the password.
I am using grails 4.0.5 with jvm 1.8, with the security-core plugin: 4.0.3 and security-ui plugin: 4.0.0.M1.
If there is any more info needed then please let me know, I have probably missed something silly.
Thanks in advance.

For anyone else with this issue, make sure you have this line in your application.groovy.
grails.plugin.springsecurity.ui.encodePassword = true

Setting Projects to Private by Default

I have my SQ server running in Kubernetes (via Tectonic) and all is going well. We need to tighten the security of our SQ installation, so we have LDAP up and working. We are trying to get all of the projects to be Private by default (which we can do Via the GUI for each project).
However, trying to flip the switch in the GUI to make all new projects Private works, until you refresh the page, then it reverts back to Public.
I have been searching for a way to set this up via the sonar.properties file or sonar-project.properties file (the first is preferred). The server.properties file we use is encrypted as a secret (because the LDAP settings expose a service account password) and I would like to keep settings there.
I have combed through documentation, posts, discussions and all that, but have not been able to find out what the value=key combination is.
Has anyone seen what this is or if we can even accomplish that? Is it a setting stored in the database? I'm kind of at a loss on this one.
Thanks!
In SonarQube 7.x you can find the public/private setting when you browse to Administration - Projects - Management. This only works for new projects. For existing projects you can use the "Edit the permissions" option on the same page and switch between public and private.
You can also use the web_api to achieve the same results. You can find the documentation when you add "/web_api/api/projects" after the sonarqube URL:
Example of the POST request body: project=MyProject&visibility=private
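As an added example (not part of the answer above), a Groovy script that sets the default visibility for new projects and then walks the existing projects and makes each public one private, since the GUI switch only applies to projects created afterwards. It assumes SonarQube 7.x, a user token with the Administer System permission in SONAR_TOKEN, and the api/projects endpoints documented under <sonar-url>/web_api/api/projects.

```groovy
import groovy.json.JsonSlurper

String sonarUrl = System.getenv('SONAR_URL') ?: 'http://localhost:9000'   // assumed environment variables
String token = System.getenv('SONAR_TOKEN')
// SonarQube accepts a token as the basic-auth user name with an empty password.
String auth = 'Basic ' + "${token}:".bytes.encodeBase64().toString()

// Minimal HTTP helper: form-encoded POST bodies, fail loudly on any non-2xx/3xx status.
def call = { String method, String path, String body = null ->
    HttpURLConnection conn = (HttpURLConnection) new URL("${sonarUrl}/api/${path}").openConnection()
    conn.requestMethod = method
    conn.setRequestProperty('Authorization', auth)
    if (body != null) {
        conn.doOutput = true
        conn.setRequestProperty('Content-Type', 'application/x-www-form-urlencoded')
        conn.outputStream.withWriter('UTF-8') { it << body }
    }
    int status = conn.responseCode
    String text = (status < 400 ? conn.inputStream : conn.errorStream)?.getText('UTF-8')
    assert status < 400 : "${method} ${path} failed: ${status} ${text}"
    text
}

// 1. Projects created from now on are private (Administration - Projects - Management in the GUI).
call('POST', 'projects/update_default_visibility', 'projectVisibility=private')

// 2. Existing projects are not affected by the default, so update each one that is still public.
int page = 1
while (true) {
    def result = new JsonSlurper().parseText(call('GET', "projects/search?qualifiers=TRK&ps=500&p=${page}"))
    result.components.findAll { it.visibility == 'public' }.each {
        String key = URLEncoder.encode(it.key as String, 'UTF-8')
        call('POST', 'projects/update_visibility', "project=${key}&visibility=private")
        println "made private: ${it.key}"
    }
    if (page * result.paging.pageSize >= result.paging.total) break
    page++
}
```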

SFAuthorizationPluginView without UI

I have been crawling through various forums and blogs for an AuthorizationPlugin example or explanation that can show me how to create a Mac authorization plugin that does not affect any UI components. I want to use it for a remote-access kind of solution. I have been able to get the NameAndPasswordPlugin example to work, but I am not able to achieve the requirements below:
Do not change the default UI, i.e. not have any custom UI components
Ability to read and write into the default UI fields, especially username (if any) and password
Work on a need basis, i.e. I need the mechanism to pass through when the remote access session is not ON. In that case I want it to fall back to the loginwindow:login mechanism
Also, how would it communicate with the outside world? I was not able to read or write files from the plugin. I saw an example where some pipes were used; not sure what the recommended method is.
You don't need a SFAuthorizationPluginView, you just need an authorization plugin. You insert your plugin into the list of plugins and it can read from contexts set by previous plugins and write to or create contexts for later plugins.
For example, if you are working with console login, this bash command shows you what mechanisms are configured (mechanisms are instances of a plugin):
security authorizationdb read system.login.console
If you add your plugin after builtin:authenticate,privileged then you can use this code in your mechanismInvoke function to read the values.
const AuthorizationValue *value = NULL;
OSStatus err = mechanism->fPlugin->fCallbacks->GetHintValue(mechanism->fEngine, "username", &value);
if (err == noErr && value != NULL && value->data != NULL) {
    // Log the event; value->data holds the user name, value->length its byte count
    os_log_debug(OS_LOG_DEFAULT, "Login for user '%{public}s'.", (const char *)value->data);
}
where mechanism->fPlugin->fCallbacks->GetHintValue and mechanism->fEngine are the callback and AuthorizationEngineRef you set up as part of your plugin. There is also a "SetContextValue" function for writing the username or password.
You will need to write an authorization plugin which will set the context values "username" (kAuthorizationEnvironmentUsername) and "password" (kAuthorizationEnvironmentPassword). Then set result as kAuthorizationResultAllow. You would also need to place your plugin just before loginwindow:login.

User registration in Grails

I've installed Spring Security Core and Spring Security UI plugins in my project with hope to get something like this: User Management.
But on every action I get the first picture on this link (Member sign in) and I can't do anything else (Register as new user or Log in...).
I'm new to this, so if anybody can explain to me what to do and how to set it up to work properly...
Thanks :)
That is probably because you have the wrong order in your static URL rules, or all of the rules are defined for IS_AUTHENTICATED_FULLY users. Check your Config.groovy and see if there are any rules for anonymous users or IS_AUTHENTICATED_REMEMBERED. If you have rules including IS_AUTHENTICATED_FULLY then you should change them. See this blog post for details.

Grails - access only for object's owner

I'm still working on my first Grails application. This time, my problem is to limit access to some actions for particular users.
Assume users add some objects, e.g. books. I would like to give access to edit a book only to the admin and the user that added the book. I'm currently using the Acegi plugin. I know there is a newer version of that plugin, but I'm not sure if it changes anything in my problem.
The second thing is somewhat similar. I have a sidebar and there is "Hello ${currentUser.username}". currentUser is a method that returns an instance of the currently logged-in user. But the problem is that I don't have any idea where I can put this message to be able to use it everywhere. Should I put it in some service and include it everywhere? I tried to create an ApplicationController that is extended by all other controllers, but that doesn't seem to work. Have you got any ideas?
Thanks!
Grzegorz
You should use the newer Spring Security Core plugin since it has an ACL add-on plugin that does exactly what you're looking for. See http://grails.org/plugin/spring-security-acl for details.
For the second question, there's a taglib for that. In the Acegi plugin use this:
Hello <g:loggedInUserInfo field="username"/>
(see http://www.grails.org/AcegiSecurity+Plugin+-+Artifacts) and in the Spring Security Core plugin use this:
Hello <sec:username/>
(see the "Security Tags" section of http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/)
For ROLE access you'll just need to specify that a particular ROLE for a particular URL has access to that action. That is if you are using the plugin's RequestMap approach. If you're using the annotation approach, just annotate the action in the controller with:
@Secured(['WHATEVER_ROLE'])
As far as only allowing the user who created the book to edit it, you can pull the user domain out of the authentication with authenticateService.userDomain(), then you can compare that user with the user who created the book (assuming you have some sort of createdBy property on your Book domain).
def loggedInUser = authenticateService.userDomain()
if (book.createdBy.equals(loggedInUser)) {
// allow editing
}
Something like that, anyway.
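As an added example (not from either answer), the owner-or-admin check above written for the Spring Security Core plugin rather than Acegi. It assumes a hypothetical BookController, a Book domain class with a createdBy property of the plugin-generated User type, and that ROLE_ADMIN is the administrator role.

```groovy
import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

// Hypothetical controller: only the book's creator or an admin may reach edit/update.
class BookController {

    def springSecurityService   // injected by spring-security-core

    @Secured(['IS_AUTHENTICATED_FULLY'])
    def edit(Long id) {
        Book book = Book.get(id)
        // Answer 404 for both "missing" and "not yours", so ids cannot be enumerated.
        if (!book || !canEdit(book)) {
            render status: 404
            return
        }
        respond book
    }

    @Secured(['IS_AUTHENTICATED_FULLY'])
    def update(Long id) {
        Book book = Book.get(id)
        if (!book || !canEdit(book)) {
            render status: 404
            return
        }
        // Bind only the editable fields so a request cannot reassign createdBy.
        bindData(book, params, [include: ['title', 'author']])
        if (!book.save(flush: true)) {
            respond book.errors, view: 'edit'
            return
        }
        redirect action: 'show', id: book.id
    }

    // Admins may edit anything; everyone else only what they created.
    // Compare ids, not instances: currentUser may come from a different Hibernate session.
    private boolean canEdit(Book book) {
        if (SpringSecurityUtils.ifAllGranted('ROLE_ADMIN')) {
            return true
        }
        def current = springSecurityService.currentUser
        current != null && book.createdBy?.id == current.id
    }
}
```

The same canEdit() logic can be moved into a service if several controllers (or a GSP) need it.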

In CakePHP 1.3 is there any advantage of using $this->Controller->Session over $this->Session in a component?

I'm using a modified version of Felix Geisendörfer's SimpleAuth/SimpleAcl components that I've combined into a single Component, Simple_Authable.
I changed his startup() function to initialize() to not clutter the beforeFilter function in my app_controller.
One of the things that this component does is check who the active user is and if that user can't be found it either looks him up based on the primary User.id or uses 'guest'. Either way, the component uses $this->Controller->Session->write() to save the active user or guest information.
I'm also using Felix's Authsome plugin instead of the default CakePHP Auth component.
When I'm logging in, the active user is guest, obviously.
After I've submitted the form, the active user is still guest because the component's initialize() function is firing before everything else. Then, the Authsome plugin comes into play and validates my user as "root" and also calls $this->SimpleAuthable->setActiveUser($id, true); to force SimpleAuthable to update the active user information it is storing via $this->Controller->Session. Then I am redirected and my simple Session information and DebugKit's Session tab reflect that I am indeed the root user.
However, when I try to navigate to an 'admin' page, let's say /admin/users/index, lo and behold SimpleAuthable thinks I'm still a 'guest' user because when it performs a $this->Controller->Session->read() call to the key holding my user id, it is getting an empty response, i.e., the data stored on the previous page didn't persist.
Maybe there is something funky happening between Authsome & SimpleAuthable, but things look pretty straightforward and to my mind, $this->Controller->Session should be saving and persisting the data written to it.
So, I'm looking at refactoring all the calls to $this->Controller->Session and replacing them with $this->Session but first I wanted to throw this out to the community and see if anybody has seen anything similar and if so how did they resolve it.
Sincerely,
Christopher.
I found the problem... I'm also using Joshua McNeese's Permissionable plugin and I needed to disable it for the $this->Controller->{$this->userModel}->findById($id); in my SimpleAuthable component when I try to lookup the current active user.
Note to self: I would have caught this faster if I had some unit testing in place :(.