jeffwils / grails-spring-security-saml

Grails Spring Security SAML2.0 Plugin for Grails 3

Is this plugin still supported? #76

Open RogelioCodes opened 1 year ago

RogelioCodes commented 1 year ago

I am trying to get the app running by following the documentation. It is impossible to get this to compile using the basic configuration provided in the documentation. I know we have to modify some of the values, but in general even once you do that there seems to be a ton of issues.

| Grails Version: 4.0.3 | JVM Version: 1.8.0_292

RogelioCodes commented 1 year ago

For example, I ran into this same issue: https://github.com/jeffwils/grails-spring-security-saml/issues/1

Even after configuring the right roles and modifying the necessary files, I still get the same issue. Nobody ever provided a follow-up so I can't even tell if the solution ended up working.

valentingoebel commented 1 year ago

I don't know what your error is.

If you refer to

Caused by: grails.plugins.exceptions.PluginException: Failed to initialize class [test.TestRole] from plugin [springSecuritySaml] : org/grails/datastore/gorm/GormEntity$Trait$FieldHelper

It means the class test.TestRole is missing because the example files were removed in the published jar file.

The version in this repository is 4.0.2. It still works and I am still using it in one application that hasn't been upgraded but it's been such a long time since I've had to configure this plugin from scratch. You can consider it unsupported and you should switch to the one for Grails 5.0.0 because the underlying spring security saml extension has been unsupported since 6 October 2021.

See https://github.com/spring-projects/spring-security-saml

Here is the configuration I am using for 4.0.2:

---
grails:
    plugin:
        springsecurity:
            providerNames: ['samlAuthenticationProvider', 'anonymousAuthenticationProvider', 'daoAuthenticationProvider']
            password:
                algorithm: 'bcrypt'
            userLookup:
                userDomainClassName: <package>.User
                authorityJoinClassName: <package>.UserRole
                authoritiesPropertyName: authorities
            authority:
                className: <package>.Role
                groupAuthorityNameField: authorities
            useRoleGroups: true
            saml:
                active: true
                userAttributeMappings:
                    username: 'urn:oid:<oid>'
                userGroupAttribute: 'urn:oid:<oid>'
                afterLoginUrl: '/'
                afterLogoutUrl: '/'
                responseSkew: 60
                maxAuthenticationAge: 604800
                retrieveDatabaseRoles: false
                retrieveDatabaseGroups: true
                autoCreate:
                    active: false
                    key: 'username'
                    assignAuthorities: false
                useLocalRoles: true
                metadata:
                    defaultIdp: '<IDP_ENTITY_ID>'
                    providers:
                        <idp_alias>: 'security/<IDP_METADATA.xml>'
                    url: '/saml/metadata'
                    sp:
                        defaults:
                            local: true
                            securityProfile: 'metaiop'
                            requireArtifactResolveSigned: false
                            requireLogoutRequestSigned: false
                            requireLogoutResponseSigned: false
                            signingKey: 'sso-key'
                            encryptionKey: 'sso-key'
                            tlsKey: 'sso-key'
                keyManager:
                    storeFile: classpath:security/sso-keyStore.jks
                    storePass: ${KEYSTORE_PASS}
                    passwords:
                        sso-key: ${KEYSTORE_PASS}
                    defaultKey: 'sso-key'

plus another yml file that overrides the above configuration:

grails:
    plugin:
        greenmail:
            ports:
                smtp: 8465
            disabled: true
        springsecurity:
            saml:
                userLookup:
                    userDomainClassName: <app-package>.User
                userAttributeMappings:
                    username: 'urn:oid:<oid>'
                metadata:
                    sp:
                        file: 'security/<SP_METADATA>-qa.xml'
                        defaults:
                            entityID: '<SP_ENTITY_ID>'
                            alias: '<SP_ENTITY_ID>'
                            securityProfile: 'metaiop'
                            signingKey: '<keystore entry name>'
                            encryptionKey: '<keystore entry name>'
                            tlsKey: '<keystore entry name>'
                keyManager:
                    storeFile: 'classpath:security/keystore.jks'
                    storePass: ${KEYSTORE_PASS}
                    passwords:
                        '<keystore entry name>': ${KEYSTORE_PASS}
                    defaultKey: 'fista-qa'

I am still using the same User/Role class from 3 years ago so I don't know if the code generators are producing something unexpected.
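The two time-window settings in the configuration above (responseSkew: 60 and maxAuthenticationAge: 604800) decide whether an assertion is accepted at all, so it helps to see how they are applied. The following is an added illustration written for this thread, not code from the plugin or from the Spring Security SAML extension; it follows the extension's checks on the Conditions element and the AuthnStatement, and all timestamps are constructed.

```python
"""Added illustration of how responseSkew and maxAuthenticationAge gate a SAML
assertion. Not the plugin's own code; timestamps below are constructed."""
from datetime import datetime, timedelta, timezone

# Values taken from the application.yml in the comment above (seconds).
RESPONSE_SKEW = 60               # tolerated clock drift between SP and IdP
MAX_AUTHENTICATION_AGE = 604800  # 7 days: oldest AuthnInstant still accepted


def check_assertion_times(not_before, not_on_or_after, authn_instant, now,
                          response_skew=RESPONSE_SKEW,
                          max_authentication_age=MAX_AUTHENTICATION_AGE):
    """Return the list of rejection reasons (empty list means accepted).

    The skew widens the NotBefore/NotOnOrAfter window in both directions;
    the age limit bounds how long ago the user authenticated at the IdP,
    independent of how fresh the assertion itself is.
    """
    skew = timedelta(seconds=response_skew)
    reasons = []
    if not_before is not None and not_before - skew > now:
        reasons.append("NotBefore is in the future beyond responseSkew")
    if not_on_or_after is not None and not_on_or_after + skew <= now:
        reasons.append("NotOnOrAfter has passed beyond responseSkew")
    if authn_instant + timedelta(seconds=max_authentication_age) < now:
        reasons.append("AuthnInstant older than maxAuthenticationAge")
    return reasons


def demo():
    """Constructed assertion times; each 'now' exercises one outcome."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    nb, noa = t0, t0 + timedelta(minutes=5)      # 5-minute Conditions window
    authn = t0 - timedelta(minutes=1)            # user logged in at IdP at t0-1m
    return {
        "fresh": check_assertion_times(nb, noa, authn, t0 + timedelta(seconds=30)),
        # 40 s past NotOnOrAfter, still inside the 60 s skew allowance
        "late_within_skew": check_assertion_times(nb, noa, authn, noa + timedelta(seconds=40)),
        # 90 s past NotOnOrAfter: outside the skew allowance
        "late_beyond_skew": check_assertion_times(nb, noa, authn, noa + timedelta(seconds=90)),
        # Conditions are fresh, but the IdP session behind them is 8 days old
        "stale_authn": check_assertion_times(nb, noa, authn - timedelta(days=8),
                                             t0 + timedelta(seconds=10)),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'accepted' if not reasons else '; '.join(reasons)}")
```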

valentingoebel commented 1 year ago

By code generator I mean the script for spring security core.

You have to create your own User/Role/UserRole classes yourself and point the plugin at them.

$> grails s2-quickstart com.jeffwils UserAcct Role

See https://grails.github.io/grails-spring-security-core/4.0.x/index.html#s2-quickstart for further details.

This plugin is only a SAML extension for Grails Spring Security Core.

I wanted to update this website but I haven't gotten around to it yet: https://jeffwils.github.io/grails-spring-security-saml/

RogelioCodes commented 1 year ago

@valentingoebel Are you suggesting we switch to grails-spring-security-saml 5.0.x? Also, our issue is that our login session isn't being saved, so we cannot use tags like ${sec:username()} or ${sec:access()}.

RogelioCodes commented 1 year ago

Also, @valentingoebel, which version of Grails would you recommend using for this plugin?

valentingoebel commented 1 year ago

If you want to upgrade here is the new repository:

https://github.com/grails-spring-security-saml/grails-spring-security-saml

This is the latest version:

implementation 'io.github.grails-spring-security-saml:spring-security-saml:5.0.0-RC3'

Here is the manual: https://github.com/grails-spring-security-saml/grails-spring-security-saml/blob/main/index.md

The underlying implementation in Spring Security has changed. There are some significant changes:

You specify the IDP Metadata as usual but the SP Metadata is now autogenerated. The cert from your keystore is taken.

There is no "fixed" /saml/SSO etc. path anymore, except as an optional feature to help with migration. Everything has a registrationId now, so you could in theory specify an arbitrary number of service provider/identity provider pairs if you define your own RelyingPartyRegistrationRepository.

A significant number of application.yml properties have been removed because they don't have an equivalent.

If your problem is that springSecurityService.authentication is null then it could be that the user details service breaks down somewhere. If you want to experiment you can just copy-paste this file: https://github.com/jeffwils/grails-spring-security-saml/blob/master/grails-app/services/org/grails/plugin/springsecurity/saml/SpringSamlUserDetailsService.groovy

into your project at the path grails-app/services/org/grails/plugin/springsecurity/saml/SpringSamlUserDetailsService.groovy

Grails will overwrite the file provided by the plugin. Throw around some println statements or use a debugger and see where it breaks down.