Using Spring Security in Grails to restrict content access - spring

Let me start off again by saying that I am still new to Grails and Spring Security. I have been doing my best to sift through the documentation and examples and samples. It all has made me a bit confused or overwhelmed.
I am trying to use Spring to manage user access to information. I have a site framed. I want the admin to be able to add people, locations connected to the people and images of the locations. The picture is connected to the person. I want the people that log in to be able to see their pictures, only.
Is it better or best practice to do this with sec tags or #Secure annotations or a combination? Which is the most secure? I have restricted access using sec:tags. Is there a sec:tag I can use to select the pictures to be displayed?

I think you can look at this in a simpler way. There are basically 3 ways to manage security with the basic plugin install.
#Secured - This allows you to lock down access to an entire Controller and / or individual actions. Think of this as locking down a URL to a specific set of roles. Changes to this level of security will require a redeploy.
Request Map - You get the same benefit as #Secured with the added bonus of being able to modify Controller / action security in a running environment vs having to do a redeploy.
sec tags - These allow you to lock down the rendering of views. For example, to allow an edit button to show up for one role while hiding it for another role. The sec tags are used in combination with the above methods.
That's really basically it. None of the above are more or less secure than the other. What some people seem to confuse is the concept of "my data" and how Spring Security handles that. If, in a Controller, you want a user to be able to access only their "pictures", you should just query for "pictures" based on the authenticated user.
def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
def pictures = Picture.findAllByUser(authenticatedUser)
The view then only cares about what pictures you sent to it. Each logged in user will then only see their pictures. If the admin is logged in, and needs to see ALL the pictures, you might do something like this:
def authenticatedUser = User.findByUsername(springSecurityService.principal.username)
def pictures
if (SpringSecurityUtils.ifAllGranted("ROLE_ADMIN")) {
    pictures = Picture.list()                       // admin sees every picture
} else {
    pictures = Picture.findAllByUser(authenticatedUser) // everyone else sees only their own
}
However, I'd probably just have a separate Controller for administrative purposes versus trying to do too much logic in one Controller. Or, move the logic to a Service.
Hope this helps.
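As an added illustration of the answer above (this is not code from the original post), here is a Grails controller in the shape that answer describes: @Secured on the controller, a per-user query for the list, and an admin branch. The package name, the domain classes User and Picture (with a `user` property on Picture), and the plugin version (grails-spring-security-core 2.x or later, where the `grails.plugin.springsecurity` packages live) are assumptions. It also goes one step beyond the answer: the `show` action re-checks ownership, because filtering the list does not stop a logged-in user from requesting somebody else's picture by id.

```groovy
// Added example, not from the original answer. Assumes grails-spring-security-core 2.x+,
// a User domain class, and a Picture domain class with a `user` property (hypothetical).
package example

import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

// Locks down the whole controller: anonymous requests never reach an action.
@Secured(['ROLE_USER', 'ROLE_ADMIN'])
class PictureController {

    def springSecurityService   // injected by the plugin

    // The "my data" case from the answer: query by the authenticated user,
    // unless the caller is an admin, who sees everything.
    def index() {
        def pictures = SpringSecurityUtils.ifAllGranted('ROLE_ADMIN') ?
                Picture.list() :
                Picture.findAllByUser(currentUser())
        [pictures: pictures]
    }

    // Every action that takes an id must re-check ownership; the index filter
    // does nothing for a request such as /picture/show/42 typed by hand.
    def show(Long id) {
        Picture picture = Picture.get(id)
        if (!picture || !canAccess(picture)) {
            render status: 404   // same answer for "missing" and "not yours"
            return
        }
        [picture: picture]
    }

    private User currentUser() {
        User.findByUsername(springSecurityService.principal.username)
    }

    private boolean canAccess(Picture picture) {
        SpringSecurityUtils.ifAllGranted('ROLE_ADMIN') || picture.user.id == currentUser().id
    }
}
```

The view then only decides how to render what it was given; the one place a sec tag still earns its keep is cosmetic, for example wrapping an edit link in `<sec:ifAllGranted roles="ROLE_ADMIN">` so non-admins do not see it. Hiding the link is a convenience, not the control: the ownership check in the controller is what actually protects the data.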

Related

Springboot application Controllers Designing

I am kind of new with programming; I need help with designing the RestControllers.
I am trying to design a website using Spring Boot. The site is supposed to have Guests, Users (registered), Admin, SuperAdmin.
Would it be right to use the GuestController as the main one, and let all of the other controllers such as Admin, User, SuperAdmin extend the GuestController?
Thanks
A more suitable design is to provide a Controller per section (i.e. Home, News, Search, Admin): each controller is responsible for a section of the web site.
The various user profiles are then used within the controller if you need to differentiate what users can see and do.
There is less code duplication: there is one screen (Search) with one Controller (SearchController) which serves different user profiles. Adding a user profile is straightforward and does not involve changing the Search code (maybe only adding some extra security in the backend if the new profile can see less or more than the others).
You could use inheritance to define the User Profile: a Guest user is the base profile, but others (Admin) extend it to provide different behaviour.
Hope it helps.

Is there a Joomla (3.x) development API for creating and managing custom user groups?

I just started with Joomla 3.x and I'm writing a component for Joomla v3 which is supposed to create new usergroups for creating 'groups'. The design requirements are:
An organisation may set up a group to offer access to some set of services (including communication but also other types of services) to their members
(the other services are the reason why I believe the community and forum Joomla extensions are not suitable; they mostly focus on fora and social media services, not the services I will implement.)
Other persons/members of the organisation may register to this group, which allows him/her to access these services
PS: it is also possible for a person to set up a personal account and get access to the set of services. This person may also join one or more groups at a later stage.
How do I code the creation of new usergroups? I noticed a possible suggested solution at How to create custom User Group Programmatically in Joomla 3.x, but I struggle to understand how to use the suggested JTableUsergroup class because of the limited documentation at http://docs.joomla.org/API17:JTableUsergroup(?) Does creating an instance of JTableUsergroup result in the creation of a new custom user group?
Another question: how to add users to a custom usergroup? The only hint I found was at http://api.joomla.org/cms-3/classes/JUserHelper.html - using the method addUserToGroup of class JUserHelper.
Many of the Joomla development concepts are well documented but I could not find one for managing custom user groups...
Appreciate your help;-)
First, overall, the best consistent documentation of Joomla APIs is in the docblocks for the classes. Then to be honest what I do a lot of times is to search for where in the core the API is used. There are some great pieces of narrative documentation in the wiki, but on the whole I always start with the docblocks which are very complete. However in this case it's pretty simple.
You need to do something along the lines of
$newrow = JTable::getInstance('Usergroup'); // returns a JTableUsergroup bound to #__usergroups
$newrow->title = 'My new group';            // your data goes here (example values)
$newrow->parent_id = 1;                     // parent group id, e.g. the Public group
$newrow->save(); // Shortcut for bind, check, store
However, if I were you I would look carefully at UsersModelGroup because there are a lot of other things that should normally happen in this process such as running the user plugins. So I might include and extend that model (which manages the table class) rather than going to the table class directly. In fact your whole component might even be able to extend almost all of the users component or it might also be possible that you could do what you want with plugins rather than reinventing the whole thing.
In terms of assigning users to groups that is trickier because of some legacy things in the code. I think the setter followed by a $user->save() ($user being a JUser instance) is probably the way to go when adding to groups. What I probably would do is to write a custom JFormField that would manage opt-in groups because the core usergroup field includes everything. You could extend that and exclude the groups that you want to have only managed by admin.

Spring MVC - Spring Security : How to have two different "types" of users, to which I will display different content in the jsp pages

I would like to have two types of users, let's say Teacher and Student.
A lot of the content of the app will be shown to both types of users, but "Teacher" users will see some stuff that "Student" users won't be able to see.
The approach I was thinking to take was to have a ROLE_Teacher and a ROLE_Student instead of a ROLE_User, but I am not sure that would be the best practice, plus, I would have to modify every JSP to make the tests when I want to display specific content.
Did someone try to solve the same kind of problem before? Does Spring contain some mechanism to accomplish this already?
I think defining different roles is pretty much the standard way to solve the problem. Spring Security provides support to constrain the content generated by JSPs based on the roles of the currently authenticated user. (The related documentation: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/taglibs.html) And, of course you will have to modify every JSP to serve only the content which is appropriate to the user's role. I don't think there is some kind of magic that would do that job for you. :)

Possible to use one codebase for a subdomain for multiple sites?

I don't even know if this is even possible, but I thought I'd ask.
I am creating a small CRUD application but I have multiple sites. Each site would use the CRUD. The application would have common CRUD methods and style, but each individual site would apply different forms. I want to avoid creating multiple CRUD applications that varied only in specific content (just different forms).
I want to have something like this:
mycrud.website1.com
mycrud.website2.com
mycrud.website3.com
I can create a subdomain for each individual site no problem. But is it feasible to point all the subdomains to one MVC application directory? And if it is possible any suggestions for how I might go about restricting users from website1 from seeing website2 or website3 content? Is that something "roles" could take care of (after authenticating user)?
Thanks.
There are a lot of websites that do this, not just with MVC. Some content farms point *.mydomain.com to a single IP and have a wildcard mapping in IIS.
From there, your application should look at the URL to determine what it should be doing. Some CMS systems operate in this manner, using the domain as a key to deciding what pages to load.
I've built a private-labelable SaaS application (Software as a Service) that allows us to host all of our clients in a single application. Some clients have customizations to pages or features. We are able to handle that by creating custom plugins for each client that override the Controllers or Views when needed.
All clients share a common code base and aside from each client's custom theme/template they are the same. Only when a client had us customize one feature did we need to build out their plugin DLL. Now, this is advanced stuff so it would require heavy modifications to your code base but in the end if it's what your application needs it is 100% possible.
First - the easy part is having one web site for all three domains. You can do that simply with DNS entries. No problem. All three domains should point at the same IP.
As far as the content, you could do that in a number of ways. I think your idea of roles is pretty solid. It also leaves open the possibility of a given user seeing content from both site1 and site2, if that would ever be necessary.
If you don't want to force users to authenticate, you should look at other options. You could wrap your CRUD logic and data access logic into separate libraries and use them across three different sites in IIS. You could have one site and display content based on the request URL. There's probably a lot of other options too.

CakePHP View Sharing w/ ACL (so no need for duplicate view files)

Basically all I want to do is, instead of creating 2 unique views for the admin and user interface, I only want to display the CRUD controls next to the items when the admin IS logged in.
Now the way I am currently doing it is checking the Auth session status and echoing out the controller links IF the Auth session has been activated.
But I wanted to know if there are any other (maybe better) approaches anyone might like to suggest.
I understood your question perfectly.
There are, as you realise, several approaches to this all with their pros and cons.
If you want to show the disabled controls, then you'll need to do something like what you already have.
I think I'd be more inclined to separate the views. This approach will allow you to style the view profile and edit profile views individually, perhaps better reflecting public and admin styles. You'll still need to check the Auth, of course.
