krasserm / grails-jaxrs

JAX-RS Plugin for Grails
http://code.google.com/p/grails-jaxrs/
Apache License 2.0

Spring Security and JAX-RS, access denied to api URLs #40

Closed shnatyk closed 8 years ago

shnatyk commented 10 years ago

Hi,

I am a beginner with Grails and am struggling with a problem combining a REST API and Spring Security for my web application (Grails version: 2.2.4).

Before creating the API I created a registration and authentication system and it all works fine. For REST, so far I have tried two ways: one according to the documentation (http://www.grails.org/doc/2.2.x/guide/webServices.html), the second using the JAX-RS plugin. In both ways I go through all the needed steps without problems until I try to test whether any of the API's URLs works; I always get this message in the browser: "Sorry, you are not authorized to view this page", even if I am logged in as the admin (ROLE_ADMIN).

I tried to add some static rule or interceptUrlMap to the Config.groovy file but nothing has helped.

Please help me, give any clues, suggestions, every reply is very appreciated!

Seb

dalelotts commented 10 years ago

This is really an issue with how you have spring security configured. See http://grails-plugins.github.io/grails-spring-security-core/docs/manual/guide/requestMappings.html

davidecavestro commented 10 years ago

Did you try setting spring security filterChain?

This is an excerpt from a raw app of mine. It works well with Spring Security and JAX-RS.

```groovy
// Spring Security configuration
grails.plugins.springsecurity.providerNames = [
    'wsAuthenticationProvider'
]
grails.plugins.springsecurity.rejectIfNoRule = false

grails.plugins.springsecurity.controllerAnnotations.staticRules = [
    '/dbUtil/**':      ['ROLE_ADMIN'],
    '/monitoring/**':  ['ROLE_ADMIN'],
    '/monitoring':     ['ROLE_ADMIN'],
    '/adminManage/**': ['ROLE_ADMIN'],
    '/setting/**':     ['ROLE_ADMIN'],
    '/*':              ['ROLE_USER'],
    '/main/**':        ['ROLE_USER'],
    '/api/**':         ['ROLE_USER'],
    '/jaxrs/**':       ['ROLE_USER'],
    '/gwt/**':         ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/js/**':          ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/css/**':         ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/images/**':      ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/error':          ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/login/**':       ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/logout/**':      ['IS_AUTHENTICATED_ANONYMOUSLY']
]

grails.plugins.springsecurity.filterChain.chainMap = [
    '/api/**': 'JOINED_FILTERS,-jaxrsFilter',
    '/**':     'JOINED_FILTERS'
]
```

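
An added example, not part of the comment above or of either plugin: a small audit of the posted staticRules map that lists which rules cover a request path and which paths no rule covers, the paths that `rejectIfNoRule = false` leaves without a role requirement from this map. The matcher is a simplified model of Ant-style patterns; it does not model the plugin's rule precedence or controller annotations, and the sample paths are constructed.

```python
import re

ANON = ["IS_AUTHENTICATED_ANONYMOUSLY"]

# Patterns and roles copied from the staticRules map in the comment above.
STATIC_RULES = {
    "/dbUtil/**": ["ROLE_ADMIN"], "/monitoring/**": ["ROLE_ADMIN"],
    "/monitoring": ["ROLE_ADMIN"], "/adminManage/**": ["ROLE_ADMIN"],
    "/setting/**": ["ROLE_ADMIN"], "/*": ["ROLE_USER"],
    "/main/**": ["ROLE_USER"], "/api/**": ["ROLE_USER"],
    "/jaxrs/**": ["ROLE_USER"], "/gwt/**": ANON, "/js/**": ANON,
    "/css/**": ANON, "/images/**": ANON, "/error": ANON,
    "/login/**": ANON, "/logout/**": ANON,
}

# Constructed request paths for the audit (not taken from the thread).
SAMPLE_PATHS = ["/api", "/api/users/1", "/monitoring", "/main/index",
                "/reports/export/all", "/plugins/jquery/js/jquery.js"]


def ant_to_regex(pattern):
    """Compile an Ant-style path pattern: '*' and '?' stay inside one
    segment, a '**' segment spans zero or more whole segments."""
    parts = []
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            parts.append("(?:/.*)?")
        else:
            body = re.escape(seg).replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
            parts.append("/" + body)
    return re.compile("^" + "".join(parts) + "$")


def matching_rules(rules, path):
    """Return every pattern in the rule map that matches the path."""
    return [p for p in rules if ant_to_regex(p).match(path)]


def uncovered(rules, paths):
    """Return the paths that no rule matches at all."""
    return [p for p in paths if not matching_rules(rules, p)]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        hits = matching_rules(STATIC_RULES, path)
        print(path, "->", hits or "NO RULE")
```
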
shnatyk commented 10 years ago

Hi, thank you very much for the suggestions. Sorry for such a late reply, I have been a bit busy recently.

I have looked into the documentation from the link and tried to find some solutions there; the ideas were similar to the ones I found before, still no success.

@davidecavestro I tried your piece of code, but now when accessing the "api" URL I got this error code: "Error 500: Internal Server Error URI: /MeetMe/api Class: java.lang.IllegalArgumentException Message: Secure object invocation FilterInvocation: URL: /api was denied as public invocations are not allowed via this interceptor. This indicates a configuration error because the rejectPublicInvocations property is set to 'true' ... Around line 53 of GrailsAnonymousAuthenticationFilter.java ... Around line 49 of RequestHolderAuthenticationFilter.java ... Around line 82 of MutableLogoutFilter.java ... Around line 46 of JaxrsFilter.java ..."

It seems like it completely ignores the static rules all the time. Maybe I messed too much with the Spring Security plugin configuration when learning it and following some tutorials...

shnatyk commented 10 years ago

I got a reply on another website with the information that there is a fresh plugin which may solve the issue.

Here is the link: http://grails.org/plugin/spring-security-rest

But I have a problem with the installation of this plugin... after I put the "compile..." command in BuildConfig and then refresh dependencies I get this message: "| Error Failed to resolve dependencies (Set log level to 'warn' in BuildConfig.groovy for more information): - org.pac4j:pac4j-oauth:1.5.0-SNAPSHOT"

Can anyone check whether they have the same problem?

davidecavestro commented 10 years ago

Sorry, at the moment I have no way to give it a check, but maybe you simply need an additional maven repo such as

https://oss.sonatype.org/content/repositories/snapshots

within the repositories closure of your BuildConfig.groovy, as per https://github.com/leleuj/pac4j#maven-dependencies

michaelrice commented 10 years ago

@shnatyk You could try this: https://github.com/budjb/grails-jaxrs-security

davidecavestro commented 10 years ago

Did you succeed in using one of the plugins dedicated to security?

shnatyk commented 10 years ago

Unfortunately I didn't... I dropped it and did a standalone Java REST web service connected to the same database on the server as the Grails app.

erickmelo commented 9 years ago

Can I use annotations to secure my resources, or do I have to use UrlMappings for that?

michaelrice commented 9 years ago

@erickmelo did you try this plugin? https://github.com/budjb/grails-jaxrs-security

erickmelo commented 9 years ago

The documentation is off-line (broken link): Error 404 (http://budjb.github.io/grails-spring-security-jaxrs/doc/manual/index.html)

michaelrice commented 9 years ago

@erickmelo yeah, I don't think the docs are done yet, but I can help you get it working. We have been using that plugin for about a year now. It works really well.

budjb commented 9 years ago

Docs are up now. Great thing about the plugin is it doesn't require any configuration :) It does require jaxrs 0.11 and spring security rc4, however.

budjb commented 8 years ago

This issue was moved to budjb/grails-jaxrs#9

guramritpal-singh commented 7 years ago

Was this issue solved? I'm having the same issue. I think this is a configuration issue. Could you please assist me?