Open saqib-ahmed opened 7 years ago
I got a workaround fix. springSecurityService
is still returning null. I manually decoded the API token from the header and extracted username from it. This resolves my problem for now because I only needed the username. It is still incomprehensible that why the plugin is behaving this way. I'm not closing the issue yet.
def extractUsername(def token){
Base64 coder = new Base64()
def tok = token - "Bearer "
def principal = tok.tokenize(".")
def dec = coder.decode(principal[1])
def sub = new String(dec)
def user = sub.tokenize(",")
def username=user[1].tokenize(":")
username = username[1]-"\""
return username-"\""
}
I will check the issue @saqibahmed515 but I did not have the time yet.
I'm having same issue. Only when I create the war for tomcat 8.5
def user = springSecurityService.currentUser if(!user){ log.error "user not found." }
@barcelona23 do you have a sample project ?
@sdelamo Kindly have a look at following project: https://github.com/saqibahmed515/demoSpringSecurityIssue
application.yml
. I'm using mysql with DB name demo
.grails war
or ./gradlew assemble
*.war
file in the ..../tomcat/webapps/
.localhost:8080/{appName}/user/index
. Credentials are admin:admin.springSecurityService
has perfect value in the interceptor but springSecurityService.currentUser
is null.
Getting current user here: https://github.com/saqibahmed515/demoSpringSecurityIssue/blob/master/grails-app/controllers/com/demo/issue/UserInterceptor.groovy#L16I'm getting following response when the application is deployed in above mentioned environment:
I have a similar problem. In my scenario i create a user that authenticates via external oauth 2 server and automatically login using springsecurity.reauthenticate. On jetbrains Idea that works but when deployed on tomcat, user has to logout first and login again to load user roles. When i list roles using ${currentUser?.authorities} it shows all the roles but on tomcat debug log, it says Authorities: ROLE_NO_ROLES. User first have to logout and login again.
Task List
Preamble
I'm designing an API gateway for a grails microservice federation. This issue seems related to a bunch of issues already filed. The closest issue is #482 (not exactly same). But I'm still unable to get around despite trying various suggestions. This question also gives a close problem but not the same.
Versions and Configurations
Grails: 3.2.2
Tomcat: 8.5
Application Name: umm
I'm using following plugin versions:
Security configuration is as follows:
I'm using spring security rest plugin for only token authentication. I'm doing the authorization part myself by returning
ROLE_NO_ROLES
for all the users in getAuthorities().I intercept all the requests and authorize the access based on my own authorization schema stored in DB.
before()
method of my interceptor looks like following:Problem:
With these configurations and strategy, my code works as desired when I run it on my local system. When I deploy it on a server as a war file in tomcat, it works fine for all the requests to the gateway, i.e., for all requests of the pattern
/umm/controller/action
. Spring security context is there and the user is evaluated perfectly. When I try to call other microservices by redirection with requests of the form/umm/microservice/controller/action
,springSecurityService.getCurrentUser()
andspringSecurityService?.principal?.username
start to return null. Although my token gets evaluated perfectly, yet I'm not getting any security context.Following is the output for a failure case:
and the obvious response:
The whole project is available here if anyone wants to reproduce the issue on his machine. You can also open a pull request if the code is buggy. 📦
~## How to reproduce~
grails war
in the cloned directory.~ *~ Deploy the war file in any tomcat. (Tested in tomcat 8 and 7)~grails run-app
even the URLs that are not part of UMM API.~Look here: https://github.com/grails-plugins/grails-spring-security-core/issues/490#issuecomment-355517329 for reproducing the issue.
Update: May 19, 2017
I tried deploying my war in a Tomcat on my local machine. It still behaves the same. I also tried disabling tomcat cache and setting
Nothing seems to work so far.
SecurityContextHolder
is returningnull
anyway. All the user retrieving functions ofSpringSecurityService
viz.getCurrentUser()
,getPrincipal()
,getAuthentication()
andloadCurrentUser()
return null.Update: May 23, 2017
To narrow down the problem, I executed the standalone war using
Now for any non-umm request, I get a
404, page not found
. ~I think the problem is with the production environment~. The app works completely fine in the development.To rule out the problem with the production environment, I created the war using
grails dev war
but to no avail. Nothing works so far for thewar
.Regards