I have a Grails application running that uses an external CAS login method and uses a local user list for authorization. I am using the spring-security and spring-security-cas plugins and everything is working great.
I am now implementing a RESTful API under a sub-domain of the application (/api) and want to provide security for that as well. I have read that setting up HTTP basic AuthN is easy with Grails, but have found nothing on using 2 security paradigms within one application. Aside from separating the API to a separate application, is there a way to implement a separate authentication method for just the /api sub-domain on my application?
Any feedback would be greatly appreciated. Thanks!
I found no simple way to accomplish this, so I ended up using IP-based access control for the API (since only a few people will be using it). I did this by editing the web.xml file in my grails app and adding a Remote Address Filter:
<filter>
<filter-name>Remote Address Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>**IP ADDRESSES HERE**</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Remote Address Filter</filter-name>
<url-pattern>/api/*</url-pattern>
</filter-mapping>
I also had to disable CAS authentication for the api, which I accomplished by adding permissions in the interceptUrlMap in Config.groovy:
'/api/**': ['IS_AUTHENTICATED_REMEMBERED', 'IS_AUTHENTICATED_ANONYMOUSLY']
Related
This is the most bizarre tomcat configuration problem I've ever seen. I have the following entry in web.xml:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<hstsEnabled>true</hstsEnabled>
<hstsMaxAgeSeconds>631</hstsMaxAgeSeconds>
<hstsIncludeSubDomains>true</hstsIncludeSubDomains>
<hstsPreload>true</hstsPreload>
</filter>
I intentionally put in a weird value for max-age so that it would be easy to see if the configuration is active or not.
And it's activated:
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
But it doesn't do what it should do. The resulting headers are always:
strict-transport-security: max-age=0
which is almost exactly what I don't want.
Any ideas on this? I can't even understand how this could be happening and it certainly goes against all the documentation. This is all with Tomcat 9.0.29, JDK 13. It seems like it should "just work" and seems like a very simple configuration.
To be clear, this is in the Tomcat web.xml (in $CATALINA/conf/web.xml), not in an application-specific web.xml. HSTS preload is for the entire domain (including subdomains which might be on other servers), not for any set of URIs within the domain, so it only makes sense to set preload in the server-wide web.xml.
EDIT: This is with a Spring Boot application. It seems that Spring Boot might be controlling this header and overriding whatever is being set in web.xml. This is unfortunate because Spring Boot is for a specific application in a specific context, whereas this header really applies to the entire domain, or even to sub-domains, and so is beyond any specific web application in a specific context. I think I need to figure out how to get Spring Boot to do nothing to HSTS headers and let Tomcat handle it all.
I'm working with ZK and spring.
I downloaded 2 different project that now I try to merge. My problem is in this part of code:
<html:form action="j_spring_security_check" method="POST" xmlns:html="native">
that is in the file login.zul. I found these lines in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I saw that if I change /* with /login.zul it happened that in my url becomes: localhost:8080/myProject/j_spring_security_check and I saw error 404.
If I didn't change my url is localhost:8080/myProject/ and the page index.zul works correctely.
But index.zul is in the same folder as login.zul.
I saw the same error also if I set /index.zul in state of "/*".
How can I decide another url in stead of /*?
Thanks!
The above URL pattern /* declares that you want to protect all your pages. It has nothing to with the fact, which page do you want to load after the successfull login.
The title is also missleading, j_spring_security_check is just the default URL for Spring Security login form submission: SpringSec will start his authentication module (that is username/password checking) when a request to this URL comes. You do not want to change it. You may change it if you for example do not want to tell the world that you uses Spring Security, or you do not want to change your existing login form that uses an other action attribute.
You may have a configuration XML for Spring Security like spring-security.xml or an equivalent Java based configuration) - with a tag in it. You need to set the default-target-url attribute of that tag as
<form-login login-page="/some_dir/login.zul" default-target-url="/some_other_dir/panel.zul"
You should use relative URLs inside your webapp.
You may have an authentication-success-handler-ref instead of default-target-urlin a more complicated situation, but you should not mix them .
I was able to use facebook api with Spring Social for a few days (3 months or more), but now the exception "org.springframework.social.ExpiredAuthorizationException: The authorization has expired" is occurring.
So I investigated this issue was resolved since the spring social version 1.1.0.M3 through a filter of reconnection but even following the recommendations I have not been able to update the token.
How can you recover from this exception?
After much analyzing the code I ended up solving making a direct modifying of the code to change the way ExpiredAuthorizationException exception is thrown by OAuth2Connection class in spring social core and through special filter (ReconnectFilter) of the spring social core (included since version 1.1.0.M3).
To do this, set the bean of the reconnection filter in the social configuration.
#Bean
public ReconnectFilter apiExceptionHandler() {
return new ReconnectFilter(usersConnectionRepository, userIdSource()) ;
}
do not forget to also set the filter in your web.xml
<filter>
<filter-name>apiExceptionHandler</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>apiExceptionHandler</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The last thing needed is to modify in org.springframework.social.connect.support.OAuth2Connection class of module spring-social-core the throwing of ExpiredAuthorizationException exception of ExpiredAuthorizationException(null) to throw new to ExpiredAuthorizationException(getKey().getProviderId())
After that the filter removes the old facebook connection and creates a new one through a POST in /connect/facebook?reconnect=true of the ConnectController.
The version 1.1.0.M4 social spring was used.
We (my team) are currently developing a POC; to build a front-end with GWT but uses Spring for the back-end.
So far, we have not encountered any significant problems integrating the two.
However, when we decided to use Spring Security 3.2 (just recently released), we encountered some issues with the security headers.
After some research, we discovered that it has to do with click jacking prevention (the X-Frame-Options).
Our approach is as follows.
The login page is not part of GWT but simple page (e.g., login.jsp).
Once authentication is successful, it should change to the GWT start page.
However, with the default security headers, once an authentication succeeds, only a blank page is shown.
For now, we simply disabled the security headers as follows (using Spring Java Configuration).
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.headers().disable();
}
With the security headers disabled, the GWT page shows up correctly.
We would prefer keep the security headers enabled.
Any help would be greatly appreciated.
Updated: In the web.xml file, we use the following.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
As described here: http://wikis.sun.com/display/Jersey/WADL
I'm using Jersey 1.4 in Tomcat 6.
I have tried every possible URI with a "/application.wadl" and all I get is a 404 (not available). I'm obviously not understanding something, but every blog I read makes it sound like this is "out of the box" functionality. I'm using Tomcat 6..should this matter?
I was able to use Pavel's example on using the WadlResource object here, but it seems I shouldn't need to do this: http://markmail.org/message/lbeaw5vyr4qergdd#query:+page:1+mid:fo4dt7tbd6rb3gvi+state:results
thanks.
I think that ChrisO most likely has the answer in that your wadl would be available at http://localhost:{port}/{warname}/application.wadl
I had the same problem, and found out that default application.wadl was only working when configured at the root of the app
My conf included several url patterns like the following
<filter-mapping>
<filter-name>jersey-spring</filter-name>
<url-pattern>/admin/rest/*</url-pattern>
</filter-mapping>
And I had to add this to make it work :
<filter-mapping>
<filter-name>jersey-spring</filter-name>
<url-pattern>/application.wadl</url-pattern>
</filter-mapping>
Hope it helps
If you are using Jersey, the WADL will be given automatically when you suffix the application.wadl to your url.
Here all the /rest/ is the <url-pattern> for the <servlet-mapping>
http: // yourmacine:8080 / RESTfulExample/rest/application.wadl
You need to specify the display-name and url-pattern of the sevlet mapping(if any) before application.wadl