stackoom
  简体   繁体   中英

Grails Spring Security

 原文  2020-03-20 17:34:17       grails/ spring-security

Question

I am trying to create a login page which will log in into the specific account depending on which role does the user have but for some reason the spring security never recogonizes the username and password

Here is the LoginController

package login_page

import grails.plugin.springsecurity.userdetails.DefaultPostAuthenticationChecks import org.springframework.security.access.annotation.Secured

@Secured('permitAll') class LoginController extends grails.plugin.springsecurity.LoginController { 

PersonService personService

def index() {
    if (isLoggedIn()) {
        redirect uri: conf.successHandler.defaultTargetUrl
    }
    else {
        redirect action: 'auth', params: params
    }
}
def auth() {

    def conf = getConf()

    if (isLoggedIn()) {
        redirect uri: conf.successHandler.defaultTargetUrl
        return
    }

    String postUrl = request.contextPath + conf.apf.filterProcessesUrl
    render view: 'index', model: [postUrl: postUrl,
                                 rememberMeParameter: conf.rememberMe.parameter,
                                 usernameParameter: conf.apf.usernameParameter,
                                 passwordParameter: conf.apf.passwordParameter,
                                ]
}

}

and success uri is /person/LoginPage

and the LoginPage method is this

   @Secured(['ROLE_USER','ROLE_ADMIN','ROLE_SUPERADMIN'])
def LoginPage() {
      refreshCurrentUser()
    if (currentPerson == null) {
        notFound()
    }else {
        if(currentPerson.getAuthorities()[0].getAuthority()=="ROLE_SUPERADMIN"){
            redirect(controller:'superAdmin', action: 'superAdminShow', id: currentPerson.id)
        }
       else if(currentPerson.getAuthorities()[0].getAuthority()=="ROLE_ADMIN"){
            redirect(controller:'admin', action: 'adminShow', id: currentPerson.id)
        }
        else if(currentPerson.getAuthorities()[0].getAuthority()=="ROLE_USER"){
            redirect(action: 'show', id: currentPerson.id)
        }
    }
}

1 answers

solution1
 0  2020-03-21 00:34:17

This is a very simple security configuration that I put together on the fly (a Reactive Java Rest API) for a silly demo. I am by no means a security expert, but it can give you an idea of the things involved.

import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.core.RedisTemplate;

import XXXXXXXX.Permissions;
import XXXXXXXXX.UserPermissions;

import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;


@Configuration
@EnableWebFluxSecurity
public class ApiSecurityConfiguration implements ReactiveAuthenticationManager{

    @Autowired
    Permissions permissions;
    @Autowired
    RedisTemplate<String, Object> redisCache;

    private static final Logger logger = LoggerFactory.getLogger(ApiSecurityConfiguration.class);
    private UserPermissions userPermissionTable;

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        AuthorizeExchangeSpec authorize;
        http.formLogin().disable();
        http.csrf().disable();
        http.logout().disable();å
        http.httpBasic().disable();
        http.httpBasic().
        authenticationManager(this::authenticate);
        authorize = http.authorizeExchange();
        authorize.anyExchange().access(this::check);

        return http.build();
    }

    private Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext context) {
        return authentication.map(a ->this.checkAuthorizations(a, context)).map(granted -> new AuthorizationDecision(granted));
    }

    private boolean checkAuthorizations(Authentication a, AuthorizationContext context){
        boolean ret = false;
        String name = a.getName();
        if (a.isAuthenticated()){
            logger.info(String.format("FOUND %s, authorizing...", name));
            ret = userPermissionTable.canAccess("XXXX", context.getExchange().getRequest().getPath().value(), context.getExchange().getRequest().getMethodValue());
            logger.info(String.format("%s access granted: %B", name, ret));
        }
        return ret;
    }

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        CompletableFuture<UserPermissions> cup;
        Authentication auth;
        String name = null;

        auth = authentication;
        auth.setAuthenticated(false);
        try {
            name = authentication.getName();
            logger.info(String.format("Looking %s in cache...", name));
            userPermissionTable = (UserPermissions)redisCache.opsForValue().get(name);
            if (userPermissionTable == null){
                logger.info(String.format("NOT in cache, authenticating: %s ...", name));
                cup = permissions.getPermissionsForUser(name, authentication.getCredentials().toString());
                userPermissionTable = cup.get(1000, TimeUnit.MILLISECONDS);
                redisCache.opsForValue().set(name, userPermissionTable, userPermissionTable.getTTL(), TimeUnit.MINUTES);
                auth = new UsernamePasswordAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), null);
                logger.info(String.format("Authenticated: %s", name));
            }
            else{
                auth = new UsernamePasswordAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), null);
                redisCache.expire(name, userPermissionTable.getTTL(), TimeUnit.MINUTES);
            }
        } catch (Exception e) {
            logger.info(String.format("FAILED to authenticate: %s", name));
        }
        return Mono.just(auth);
    }
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Grails Spring Security Openid Grails 3 Spring Security Plugin Grails, Spring Security and Mongo Grails spring Security UI Grails + ZK + Spring Security Grails Spring Security Testing GRAILS Spring Security Plugins Spring security grails plugin Grails Spring Security BootStrap grails spring security core
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM