jeffwils / grails-spring-security-saml

Grails Spring Security SAML2.0 Plugin for Grails 3

Support for Grails 3.3.x #12

Closed irstevenson closed 6 years ago

irstevenson commented 6 years ago

Could you please add support for Grails 3.3.x?

I note there are at least two forks out there which have made some progress:

  1. https://github.com/jregistr/grails-spring-security-saml/tree/3.3.0 (however, I couldn't get ./gradlew check to work); and
  2. https://github.com/baroleg/grails-spring-security-saml/tree/master (this one seems to have stripped all the tests).

But I'm starting a new project which has a requirement for SAML, so would love to use your plugin rather than manually wiring the SAML extension in.

Happy to help, but not even sure what IdP you're running your tests against etc. More so, there's nothing in your README.md to guide anyone wanting to work on this code. But if you provide that...

I've provided a repository with a grails 3.3.3 project (based on your saml-plugin-test project) showing things not working: https://github.com/irstevenson/grails-spring-security-saml-test

valentingoebel commented 6 years ago

I'm working on this. Most of the work was done in January, but I didn't have time to submit a pull request.

The WIP is in this branch:

https://github.com/valentingoebel/grails-spring-security-saml/tree/mainlining

grails install and grails run-app should work again without crashing.

That's not all, of course. There are still some other changes I haven't tested and uploaded to GitHub. Also, I didn't put much effort into the commit messages. I will clean them up later.

irstevenson commented 6 years ago

Excellent, that's exciting to hear @valentingoebel ! Great work!!

valentingoebel commented 6 years ago

Please follow these instructions:

git clone https://github.com/valentingoebel/grails-spring-security-saml
mv grails-spring-security-saml spring-security-saml
cd spring-security-saml
grails install

git clone https://github.com/valentingoebel/grails-spring-security-saml-test
grails run-app

You should see this message (it will disappear if you correctly configure your metadata):

org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for entity http://test.com and role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor wasn't found

If you see this message then everything is working as expected.

irstevenson commented 6 years ago

Heya @valentingoebel ,

Went to give it a go but stumbled, so a couple of things to make it easier:

  1. Could you please add the grails wrapper into the repo?
  2. Could you please add the gradle wrapper JAR back into the repo? (i.e. gradle/wrapper/gradle-wrapper.jar)

Also, I see in build.gradle it's only using spring-security-core:3.2.0.M1, could be good to use the current spring-security-core:3.2.1.

I'll go and install the matching grails versions etc. and see how I go.

irstevenson commented 6 years ago

Alright, looking good. My steps (slightly different):

First, I note that in the gradle.properties for the plugin we're building with grails 3.3.0 so:

$ sdk use grails 3.3.0

Using grails version 3.3.0 in this shell.

I clone into the specified directory, and happily install:

$ git clone https://github.com/valentingoebel/grails-spring-security-saml spring-security-saml
$ cd spring-security-saml/
$ grails install

Noting the test project includes a wrapper, I use that instead:

$ cd ..
$ git clone https://github.com/valentingoebel/grails-spring-security-saml-test
$ cd grails-spring-security-saml-test/
$ ./grailsw run-app

Accessing http://localhost:8080 I receive the expected error you noted.

I only just noted that your fork for the test-app is off of mine, and noted that I must've forgotten to include the security folder. So will go and play with metadata and see if I can get these two (SP and IDP) talking with the plugin.

Looks promising!! Thanks!!

P.S. Be interested to know which IDP you're testing against. (I'm using a bare bones Shibboleth IDP in a vagrant box.)

irstevenson commented 6 years ago

Okay, after navigating the configuration - using my previous setup with the Spring Security SAML2 Sample app for guidance - I've almost got there. However, with the authentication flow almost done (i.e. my IDP has redirected back to the SP/app) the plugin now fails with this (odd) exception:

2018-03-13 16:31:05.967 ERROR --- [nio-8080-exec-3] .a.c.c.C.[.[.[.[grailsDispatcherServlet] : Servlet.service() for servlet [grailsDispatcherServlet] in context with path [] threw exception

groovy.lang.MissingPropertyException: No such property: log for class: org.grails.plugin.springsecurity.saml.SpringSamlUserDetailsService
        at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:66)
        at org.codehaus.groovy.runtime.callsite.GetEffectivePogoPropertySite.getProperty(GetEffectivePogoPropertySite.java:87)
        at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGroovyObjectGetProperty(AbstractCallSite.java:310)
        at org.grails.plugin.springsecurity.saml.SpringSamlUserDetailsService.$tt__loadUserBySAML(SpringSamlUserDetailsService.groovy:57)

Odd, as the service should have the log property injected. Where's it gone...

UPDATE: See https://github.com/grails/grails-core/issues/10683

irstevenson commented 6 years ago

Alright, I've successfully authenticated. Hurrah!!

However, to address that log error I had to do the following in SpringSamlUserDetailsService.groovy:

@@ -38,6 +38,7 @@ import grails.core.GrailsApplication
  * @author alvaro.sanchez
  */
 @Transactional
+@Slf4j('logger')
 class SpringSamlUserDetailsService extends GormUserDetailsService implements SAMLUserDetailsService {

     String authorityClassName
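
Review bot: The `@Slf4j('logger')` annotation added above the class declaration needs `groovy.util.logging.Slf4j` to be imported, and this hunk adds only the annotation line, so check that the import is part of the change. The field is also named `logger` rather than the conventional `log` with nothing in the code saying why; a one-line comment pointing at grails-core issue 10683 would stop someone from renaming it back later.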

And then for each log. line I changed it to logger. such as:

@@ -54,19 +55,19 @@ class SpringSamlUserDetailsService extends GormUserDetailsService implements SAM

     public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
-        log.debug("Loading user - ${credential.toString()}")
+        logger.debug("Loading user - ${credential.toString()}")
         if (credential) {
             String username = getSamlUsername(credential)
-            log.debug("Username ${username}")
+            logger.debug("Username ${username}")
             if (!username) {
                 throw new UsernameNotFoundException("No username supplied in saml response.")
             }

             def user = generateSecurityUser(username)
-            log.debug("Generated User ${user.username}")
+            logger.debug("Generated User ${user.username}")
             user = mapAdditionalAttributes(credential, user)
             if (user) {
-                log.debug "Loading database roles for $username..."
+                logger.debug "Loading database roles for $username..."
                 def authorities = getAuthoritiesForUser(credential, username)

                 def grantedAuthorities = []
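
Review bot: The first `logger.debug` call in `loadUserBySAML` still interpolates `credential.toString()` into the message, so whatever `SAMLCredential` renders as a string ends up in the application log whenever debug logging is enabled for this class. Since every logging line in the method is being touched anyway, consider dropping the credential dump and keeping only the `Username ${username}` line. That line and `Loading database roles for $username...` also write a value taken from the SAML response, so it is worth confirming the log layout neutralises line breaks in it.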

etc.

But once that's all done, the plugin seems to work again.

I did try using Grails Spring Security Core 3.2.1 (latest) which just made the error more explicit. I also tried using Grails 3.3.3 rather than 3.3.0 to build the plugin, but that had no effect.

In the end, the above worked with build.gradle as is, and using Grails 3.3.0.

jeffwils commented 6 years ago

I have invited you both to be collaborators on this project. I could use the assistance if you both have the time, as I am currently overloaded with other things.

irstevenson commented 6 years ago

Heya @jeffwils ,

Thanks, happy to help as I can.

valentingoebel commented 6 years ago

The PR https://github.com/jeffwils/grails-spring-security-saml/pull/13 has been merged. I will close this issue.