Closed shnatyk closed 10 years ago
Adding mavenRepo "https://oss.sonatype.org/content/repositories/snapshots" to BuildConfig (in my app) seems to work, although I also see that in the plugin BuildConfig.
It works without specifying anything else if you define:
grails.project.dependency.resolution = {
    ...
    repositories {
        inherits true
        ...
    }
}
That's the default setting in a newly created Grails application.
Can you guys please try that?
I actually had the inherits true setting and it didn't work without explicitly adding the sonatype repo.
I also double-checked on a newly created test app (on 2.3.5) and I got a lot of spring-security-core-RC2 compilation errors, which is surprising since it's not even this plugin:
| Installed plugin spring-security-core-2.0-RC2
*******************************************************
* You've installed the Spring Security Core plugin. *
* *
* Next run the "s2-quickstart" script to initialize *
* Spring Security and create your domain classes. *
* *
*******************************************************
| Compiling 10 source files
| Compiling 233 source files.
| Error Compilation error: startup failed:
Compile error during compilation with javac.
/tmp/test/target/work/plugins/spring-security-core-2.0-RC2/src/java/grails/plugin/springsecurity/CryptoEncoderWrapper.java:28: error: package org.springframework.security.crypto.password does not exist
protected final org.springframework.security.crypto.password.PasswordEncoder delegate;
^
/tmp/test/target/work/plugins/spring-security-core-2.0-RC2/src/java/grails/plugin/springsecurity/CryptoEncoderWrapper.java:33: error: package org.springframework.security.crypto.password does not exist
public CryptoEncoderWrapper(org.springframework.security.crypto.password.PasswordEncoder encoder) {
^
/tmp/test/target/work/plugins/spring-security-core-2.0-RC2/src/java/grails/plugin/springsecurity/SpringSecurityUtils.java:46: error: cannot find symbol
import org.springframework.security.core.authority.SimpleGrantedAuthority;
...
Hmm, it is the Spring Security Core plugin that does not compile. I'm investigating this further.
Ok this is working on a new 2.3.5 grails app.
compile ':spring-security-core:2.0-RC2'
compile ":spring-security-rest:1.2.0", {
    excludes: 'spring-security-core'
}
I did not have to add the sonatype repo.
I think the published spring-security-core plugin on grailsPlugins is a little behind the github source code.
I reproduced the workaround. You have to define:
compile ":spring-security-core:2.0-RC2"
compile ":spring-security-rest:1.2.0"
No need to define any additional repo.
I will update the docs.
Hey Alvaro,
Could you please try on a clean system? If I remove ~/.grails and also .m2/repository/org/grails/plugins/spring-security-* then your workaround gives compilation errors:
| Downloading: org/grails/plugins/spring-security-rest/1.2.0/spring-security-rest-1.2.0.zip
| Error Resolve error obtaining dependencies: The following artifacts could not be resolved: org.springframework.security:spring-security-core:jar:3.2.0.RC1, org.springframework.security:spring-security-web:jar:3.2.0.RC1: Could not find artifact org.springframework.security:spring-security-core:jar:3.2.0.RC1 in grailsCentral (http://repo.grails.org/grails/plugins) (Use --stacktrace to see the full trace)
| Error Resolve error obtaining dependencies: The following artifacts could not be resolved: org.springframework.security:spring-security-core:jar:3.2.0.RC1, org.springframework.security:spring-security-web:jar:3.2.0.RC1: Could not find artifact org.springframework.security:spring-security-core:jar:3.2.0.RC1 in grailsCentral (http://repo.grails.org/grails/plugins) (Use --stacktrace to see the full trace)
| Error Resolve error obtaining dependencies: The following artifacts could not be resolved: org.springframework.security:spring-security-core:jar:3.2.0.RC1, org.springframework.security:spring-security-web:jar:3.2.0.RC1: Could not find artifact org.springframework.security:spring-security-core:jar:3.2.0.RC1 in grailsCentral (http://repo.grails.org/grails/plugins) (Use --stacktrace to see the full trace)
| Error The following artifacts could not be resolved: org.springframework.security:spring-security-core:jar:3.2.0.RC1, org.springframework.security:spring-security-web:jar:3.2.0.RC1: Could not find artifact org.springframework.security:spring-security-core:jar:3.2.0.RC1 in grailsCentral (http://repo.grails.org/grails/plugins)
I think the reason is that Burt Beckwith hasn't released what's on the grails spring-security-core github repo because if you clone it and then do "grails maven-install" (using grails 2.0.4) then your workaround works great and you don't need to use excludes 'spring-security-core' as what I posted above.
I'm writing a simple test to reproduce the issue on Travis, which is a completely new environment on each execution. Will keep this issue updated.
Thanks for the feedback.
Same problem here. When I add the sonatype repository everything works :) https://oss.sonatype.org/content/repositories/snapshots
Ok, after trying almost every single combination, I got it working. Can you guys try this?
mavenRepo 'http://repo.spring.io/milestone'
mavenRepo 'https://oss.sonatype.org/content/repositories/snapshots'
...
compile ':spring-security-core:2.0-RC2'
compile ":spring-security-rest:1.2.2-SNAPSHOT", {
    excludes: 'spring-security-core'
}
You may want to remove $HOME/.grails/ivy-cache/org.grails.plugins and $HOME/.m2/repository/org/grails/plugins to make sure you start from a clean state.
I believe this is a temporary workaround until Spring Security Core releases 2.0 stable. Meanwhile, I will update the docs to reflect this.
Grax! alvarosanchez everything works fine !!! :)
@alvarosanchez is there any sample app out there with this plugin integrated?
I already had spring security configured in my app and am confused whether my restful controllers should be permitAll (i.e. and instead allow your filters to do the validation) or should I still secure my restful controllers explicitly in Config.properties?
grails.plugin.springsecurity.interceptUrlMap = [
    '/': ['permitAll'],
    '/index': ['permitAll'],
    '/index.gsp': ['permitAll'],
    '//js/': ['permitAll'],
    '//css/': ['permitAll'],
    '//images/': ['permitAll'],
    '/static/': ['permitAll'],
    '//favicon.ico': ['permitAll'],
    '/launch/': ['permitAll'],
    '/login/': ['permitAll'],
    '/logout/': ['permitAll'],
    '/signup/': ['permitAll'],
    '/httpinvoker/': ['permitAll'],
    '/console/': ['permitAll'],
    '/menu/': ['ROLE_ADMIN', 'ROLE_HOTEL', 'ROLE_USER'],
    '/upload/': ['ROLE_ADMIN','ROLE_HOTEL'],
    '/test/**': ['permitAll'] // this is my restful controller, I want the token to be checked by the filter so is this correct?
]
@walshe Here is one added a few weeks ago. This uses AngularJS in the front end as client to the underlying webservice. Hope that helps.
thanks @dmahapatro I will take a look.
I guess what I also should have asked above was if I can keep my existing Spring security setup to continue to protect the 'regular' non angular/gsp parts of my app, i.e. currently accessing a protected path through the browser displays the spring login screen. Can I still keep all that and apply this rest plugin just to protect certain restful controllers?
Yes, correct, you should keep the existing mappings in your app as is. It should be app's responsibility to handle permissions to specific url.
@dmahapatro struggling to get going here.
When I try to access my restful url I just get a bunch of html back rather than a json response telling me that I'm not authenticated:
curl -i -H "Accept: application/json" localhost:8080/myapp/test/bar
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 987
Date: Tue, 18 Mar 2014 13:57:24 GMT
type Status report
message Access Denied
description Access to the specified resource has been forbidden.
I am not sure how the implementation is beneath the service. Just make sure you follow this sequence. Go through the docs.
Based on the sequence, you would expect a 401/403 initially on the client side, which in turn has to interpret it (just look for the status code in the response header, you would not get a JSON back for failed login) and ask the user to log in. Once user credentials are provided, the client has to hit /api/login to get a token and then use the token to call the REST API.
This is exactly where the status code is checked in the sample app.
That 403 is probably coming from Spring Security Core. By default, Spring Security Core 2.x locks down all URLs unless an explicit security rule has been specified for each of them.
See http://grails-plugins.github.io/grails-spring-security-core/docs/manual/guide/single.html#requestMappings for more information.
I think this plugin is too complex for me to integrate at the moment and will try the custom filter approach used by the 'arrested' plugin for now
@alvarosanchez
OK, I got it working eventually, but a question:
How can one tell if the response is because:
a) user is not logged in or has bad token
b) user is logged in but is not authorised to access the protected restful method
Both seem to give me 403, is there a way around this?
thanks
@dmahapatro
OK, I got it working eventually, but a question:
How can one tell if the response is because:
a) user is not logged in or has bad token
b) user is logged in but is not authorised to access the protected restful method
Both seem to give me 403, is there a way around this?
thanks
@alvarosanchez is the idea that role based access to services should be programmed in the client side based on the user roles returned from the initial authorisation? If this is the case then isn't it possible for a malicious authenticated user to look at the JS and figure out how to send a rest call to a rest service that he shouldn't access?
@walshe Good question. You should also be reading the FAQ from the documentation which answers your question. Mainly:
You could argue that someone can access the token in the browser. Yes, but having the token will not allow him to obtain user's credentials. The tokens are just not decodable. And they can be revoked if necessary.
I guess you owe him (@alvarosanchez) a beer now. ;)
@dmahapatro this is not what I mean.
As I said above, if the token is incorrect OR the user is not logged in then the response is a 403.
Now take the following example:
Let's say a user is logged in and tries to access a rest service that they do not have the correct role for, then 403 will be returned. But now I don't know if 403 is because of expired token OR invalid role. If it's invalid role then I don't want to send them to login screen as they are already authenticated/logged in.
So I'm asking if the correct way to solve this role access issue is by doing the role check on the client side in JS?
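The client sequence described in this thread (request, 401/403, POST to /api/login, retry with the token), written out as an added example that is not part of the original discussion or the plugin's code. The `X-Auth-Token` header name, the JSON login body, the `token` response field and the helper names are assumptions; the 403 ambiguity is handled by logging in once and treating a denial that persists with a fresh token as a role problem.

```javascript
// Added example. Assumed names: X-Auth-Token header, JSON login body, `token`
// field in the /api/login response. `send(req)` resolves to {status, body};
// in a browser it would wrap fetch(). `askCredentials()` shows the login form.
function createRestClient(send, askCredentials) {
  let token = null;

  async function login() {
    const creds = await askCredentials();
    const res = await send({
      method: 'POST',
      url: '/api/login',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(creds),
    });
    if (res.status !== 200) return false;
    token = JSON.parse(res.body).token;
    return true;
  }

  function call(url) {
    const headers = { Accept: 'application/json' };
    if (token) headers['X-Auth-Token'] = token;
    return send({ method: 'GET', url, headers });
  }

  const denied = (res) => res.status === 401 || res.status === 403;

  // Resolves to { outcome: 'ok' | 'login-failed' | 'forbidden', status, body };
  // 'ok' means the request was not denied and the response is passed through.
  async function get(url) {
    let res = await call(url);
    if (denied(res)) {
      // A missing, expired or revoked token and a missing role look identical
      // to the client, so get a fresh token exactly once and retry.
      if (!(await login())) return { outcome: 'login-failed' };
      res = await call(url);
      // Still denied with a brand-new token: this is a role problem, so the
      // UI should show "not allowed" instead of looping back to the login form.
      if (denied(res)) return { outcome: 'forbidden', status: res.status };
    }
    return { outcome: 'ok', status: res.status, body: res.body };
  }

  // The server's URL mappings stay the enforcement point; this only picks the UI state.
  return { get };
}
```

Role checks in the client only decide which screen to show; a request the user is not entitled to is still rejected by the server's mappings.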
I get the same error while installing the plugin with Grails 2.3.7 and the following BuildConfig.groovy directives:
repositories {
    mavenRepo('http://repo.spring.io/milestone')
    mavenRepo "https://oss.sonatype.org/content/repositories/snapshots"
}
plugins {
    compile ':spring-security-core:2.0-RC2'
    compile ":spring-security-rest:1.3.2", {
        excludes 'spring-security-core'
    }
}
Error: Error Resolve error obtaining dependencies: Could not find artifact org.pac4j:pac4j-oauth:jar:1.5.0-SNAPSHOT
Latest version on oss.sonatype.org is 1.5.1-SNAPSHOT and 1.5.0-SNAPSHOT seems to be no longer served.
https://oss.sonatype.org/content/repositories/snapshots/org/pac4j/pac4j-oauth/
@magbeat thanks for the update. I've checked pac4j and they just released 1.5.0 stable. That should resolve this issue.
I will publish a new version with an updated dependency in the following days.
@alvarosanchez great to hear. Thanks for your work!
Just published 1.3.3.
@alvarosanchez The 1.5.0 is not yet published. Could someone take a look at this?
@ramyakrish85 pac4j 1.5.0 is on Central: http://search.maven.org/#artifactdetails%7Corg.pac4j%7Cpac4j%7C1.5.0%7Cpom
This plugin's version 1.3.3 includes that version.
What issue do you have?
@alvarosanchez thanks for the reply. But I still get this error: "Resolve error obtaining dependencies: Could not find artifact org.pac4j:pac4j-oauth:jar:1.5.0-SNAPSHOT in grailsCentral (http://repo.grails.org/grails/plugins)". I added mavenRepo 'https://oss.sonatype.org/content/repositories/snapshots'
@ramyakrish85 it's still trying to download pac4j 1.5.0-SNAPSHOT. That doesn't happen with spring-security-rest:1.3.3.
Can you paste here your complete BuildConfig.groovy please?
just update the BuildConfig.groovy
compile ":spring-security-rest:1.3.3", { excludes: 'spring-security-core' }
after git clone
Oh yeah... I was trying with version 1.3.2. Thank you so much for your assistance!!!!
I've tried all the above suggestions and none of them seem to work for me. I'm using the following
I get the following error: Error | Resolve error obtaining dependencies: Failed to resolve dependencies (Set log level to 'warn' in BuildConfig.groovy for more information):
Any suggestion is greatly appreciated.
Thanks.
After a few tries with that dependency error I was able to get it working with this:
compile ':spring-security-core:2.0-RC2'
compile ":spring-security-rest:1.3.3", { excludes 'spring-security-core' }
Thanks for the tip.
I'm having the same issue in Grails 2.4.4 and:
compile ":spring-security-core:2.0-RC5"
compile ':spring-security-rest:1.5.2', { excludes: 'spring-security-core' }
I am getting this error:
/Users/username/git-test/grails-spring-security-rest-sample/target/work/plugins/spring-security-rest-1.3.3/grails-app/controllers/com/odobo/grails/plugin/springsecurity/rest/OauthController.groovy: -1: Repetitive method name/signature for method 'java.lang.Object withFormat(groovy.lang.Closure)' in class 'com.odobo.grails.plugin.springsecurity.rest.OauthController'. @ line -1, column -1.
I am having a problem with the plugin install...
I put the "compile..." command in BuildConfig, then refreshed dependencies and got this message: "| Error Failed to resolve dependencies (Set log level to 'warn' in BuildConfig.groovy for more information): - org.pac4j:pac4j-oauth:1.5.0-SNAPSHOT"