grails / grails-spring-security-rest

Grails plugin to implement token-based, RESTful authentication using Spring Security
http://alvarosanchez.github.io/grails-spring-security-rest/

memcached enabled but not being used #36

Closed tedder closed 10 years ago

tedder commented 10 years ago

TLDR version: memcached connects but never gets written to.

I'm running 1.3.0.RC3.

I'm using the following relevant configuration:

    debug  'com.odobo',
           'grails.app.controllers.com.odobo',
           'grails.app.services.com.odobo',
           'com.odobo',
           'org.pac4j',
           'org.springframework.security',
           'com.odobo.grails.plugin.springsecurity.rest.token.storage.MemcachedTokenStorageService',
           'net.spy.memcached'

    grails.plugin.springsecurity.rest.token.storage.useMemcached = true
    grails.plugin.springsecurity.rest.login.usernameParameter = "j_username"
    grails.plugin.springsecurity.rest.login.passwordParameter = "j_password"

I can see the memcached connection being opened on startup. Here's a snippet:

2014-02-19 19:47:23,331 [localhost-startStop-1] INFO  memcached.MemcachedConnection  - Added {QA sa=localhost/127.0.0.1:11211, #Rops=0, #Wops=0, #iq=0, topRop=null, topWop=null, toWrite=0, interested=0} to connect queue
...
2014-02-19 19:47:26,368 [Memcached IO over {MemcachedConnection to localhost/127.0.0.1:11211}] INFO  memcached.MemcachedConnection  - Connection state changed for sun.nio.ch.SelectionKeyImpl@7a838285
2014-02-19 19:47:26,385 [Memcached IO over {MemcachedConnection to localhost/127.0.0.1:11211}] DEBUG binary.BinaryMemcachedNodeImpl  - Setting interested opts to 0
2014-02-19 19:47:26,398 [Memcached IO over {MemcachedConnection to localhost/127.0.0.1:11211}] DEBUG memcached.MemcachedConnection  - Selecting with delay of 0ms

Since I'm running memcached on my dev box with -vvvv, I can see the connection being created too:

<30 new auto-negotiating client connection

Here's the filter chain that is created on startup:

2014-02-19 19:48:52,991 [localhost-startStop-1] INFO  web.DefaultSecurityFilterChain  - Creating filter chain: Ant [pattern='/**'], [org.springframework.security.web.context.SecurityContextPersistenceFilter@d47b54f, com.odobo.grails.plugin.springsecurity.rest.RestLogoutFilter@5ed05c58, grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter@415ec609, grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter@351b9a66, com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationFilter@2735b9c7, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3837cbed, grails.plugin.springsecurity.web.filter.GrailsRememberMeAuthenticationFilter@572d5170, grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter@603dbcc6, com.odobo.grails.plugin.springsecurity.rest.RestTokenValidationFilter@75349c86, org.springframework.security.web.access.ExceptionTranslationFilter@51105d87, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@96c73a5]

Finally, login is successful but does NOT contact memcached in any way.

2014-02-19 20:33:41,163 [http-bio-8080-exec-3] DEBUG web.FilterChainProxy  - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-02-19 20:33:41,163 [http-bio-8080-exec-3] DEBUG context.HttpSessionSecurityContextRepository  - No HttpSession currently exists
2014-02-19 20:33:41,163 [http-bio-8080-exec-3] DEBUG context.HttpSessionSecurityContextRepository  - No SecurityContext was available from the HttpSession: null. A new one will be created.
2014-02-19 20:33:41,163 [http-bio-8080-exec-3] DEBUG web.FilterChainProxy  - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'RestLogoutFilter'
2014-02-19 20:33:41,174 [http-bio-8080-exec-3] DEBUG rest.RestLogoutFilter  - Actual URI is /j_spring_security_check; endpoint URL is /api/logout
2014-02-19 20:33:41,178 [http-bio-8080-exec-3] DEBUG web.FilterChainProxy  - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2014-02-19 20:33:41,178 [http-bio-8080-exec-3] DEBUG web.FilterChainProxy  - /j_spring_security_check at position 4 of 11 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
2014-02-19 20:33:41,805 [http-bio-8080-exec-3] DEBUG authentication.ProviderManager  - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2014-02-19 20:33:49,957 [http-bio-8080-exec-3] DEBUG hierarchicalroles.RoleHierarchyImpl  - getReachableGrantedAuthorities() - From the roles [ROLE_USER] one can reach [ROLE_USER] in zero or more steps.
2014-02-19 20:33:49,986 [http-bio-8080-exec-3] DEBUG rememberme.TokenBasedRememberMeServices  - Did not send remember-me cookie (principal did not set parameter '_spring_security_remember_me')
2014-02-19 20:33:49,989 [http-bio-8080-exec-3] DEBUG rememberme.TokenBasedRememberMeServices  - Remember-me login not requested.
2014-02-19 20:33:50,113 [http-bio-8080-exec-3] DEBUG web.DefaultRedirectStrategy  - Redirecting to '/app/organizations'
2014-02-19 20:33:50,114 [http-bio-8080-exec-3] DEBUG context.HttpSessionSecurityContextRepository  - HttpSession being created as SecurityContext is non-default
2014-02-19 20:33:50,199 [http-bio-8080-exec-3] DEBUG context.HttpSessionSecurityContextRepository  - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@caf4192c: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@caf4192c: Principal: com.app.AppUserDetails@8ee96c84: Username: someuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: 10.0.2.2; SessionId: null; Granted Authorities: ROLE_USER'

alvarosanchez commented 10 years ago

@tedder I believe your approach with this plugin is completely wrong. Have you read this documentation? Especially the diagram and its explanation.

First of all, this is a REST plugin. So the client must be a REST client. And a browser is not a REST client.

Secondly, if you want to use this plugin's authentication endpoint, you need to read its documentation. Basically, you need to send a POST request to /api/login, and you will receive a JSON response containing an authentication token.

Finally, you must send that token as an HTTP header to your REST endpoints, and this plugin will take care of retrieving the token and finding the user details on Memcached.

j_spring_security_check is plain old Spring Security Core. It's not RESTful, but rather the contrary. It's stateful, HTTP session-based, and has nothing to do with the goals of this plugin.

So first of all, reconsider what you are doing and what your needs are, because my impression (and please correct me if I'm wrong) is that you don't need this plugin.

Please read the documentation carefully. I made a huge effort writing it, and it should explain these basic concepts. And if not, please let me know; I'm more than happy to improve it if necessary.

Hope this helps. Alvaro.
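The exchange described in the reply above (POST credentials to /api/login, receive a JSON token, then send that token as a header on every REST call) as an added, runnable example. This is not code from the issue or from the plugin: a small in-process HTTP server stands in for the Grails application, an in-memory dict stands in for memcached, and the JSON property name "token", the header name "X-Auth-Token", the secured path "/api/secured" and the credential "someuser"/"s3cret" are assumptions made for the example. The form parameter names j_username and j_password come from the reporter's own configuration; the token is reached only through that header, never through a servlet session.

```python
import json
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed names (not taken from the issue): token property, token header, secured path.
LOGIN_PATH = "/api/login"
SECURED_PATH = "/api/secured"
TOKEN_HEADER = "X-Auth-Token"
USERNAME_PARAM = "j_username"   # from the reporter's usernameParameter setting
PASSWORD_PARAM = "j_password"   # from the reporter's passwordParameter setting

USERS = {"someuser": "s3cret"}  # constructed credential store for the example
TOKENS = {}                      # token -> username; stands in for memcached


class FakeRestApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the plugin's login endpoint and a secured resource."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _json(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_POST(self):
        # Login: form-encoded username/password in, JSON with a fresh token out.
        if self.path != LOGIN_PATH:
            return self._json(404, {"error": "not found"})
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get(USERNAME_PARAM, [None])[0]
        password = form.get(PASSWORD_PARAM, [None])[0]
        if user is None or USERS.get(user) != password:
            return self._json(401, {"error": "bad credentials"})
        token = secrets.token_urlsafe(24)   # unguessable, stored server-side only
        TOKENS[token] = user
        self._json(200, {"username": user, "roles": ["ROLE_USER"], "token": token})

    def do_GET(self):
        # Secured resource: the token header is the only credential that is honoured.
        user = TOKENS.get(self.headers.get(TOKEN_HEADER, ""))
        if user is None:
            return self._json(401, {"error": "missing or unknown token"})
        self._json(200, {"hello": user})


class RestClient:
    """The REST-client side: log in once, then replay the token as a header."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.token = None

    def login(self, username, password):
        body = urllib.parse.urlencode(
            {USERNAME_PARAM: username, PASSWORD_PARAM: password}).encode()
        req = urllib.request.Request(self.base_url + LOGIN_PATH, data=body, method="POST")
        try:
            with urllib.request.urlopen(req) as resp:
                self.token = json.load(resp)["token"]
        except urllib.error.HTTPError:
            self.token = None   # bad credentials: no token, nothing to replay
        return self.token

    def get(self, path):
        req = urllib.request.Request(self.base_url + path)
        if self.token:
            req.add_header(TOKEN_HEADER, self.token)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, json.load(err)


def start_server():
    server = HTTPServer(("127.0.0.1", 0), FakeRestApi)   # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Run the whole exchange; returns (anon status, bad login, ok status, principal, token stored)."""
    server, base = start_server()
    try:
        client = RestClient(base)
        anon_status, _ = client.get(SECURED_PATH)          # no token yet
        bad_login = client.login("someuser", "wrong")      # rejected, no token issued
        token = client.login("someuser", "s3cret")         # accepted, token issued
        ok_status, body = client.get(SECURED_PATH)         # token replayed as header
        return anon_status, bad_login, ok_status, body["hello"], token in TOKENS
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the same one the reply makes: nothing in this flow creates or consults an HttpSession. The first GET fails with 401 because no token header is present, the token only exists after a successful POST to /api/login, and the secured call succeeds purely because the client put that token back into the request header.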