Grails & Spring security troubles, looking for some insights?

[dn667]

Hello all,

Yesterday I started upgrading our Grails app from Acegi plugin 0.5.2 to the Spring security plugin. I'm running into a few issues, maybe anyone can help here?

After making the necessary changes (as documented by Burt Beckwith on http://burtbeckwith.github.com/grail.../manual/guide/) I was able to start the Grails app once again (woohoo!). However, logging in didn't work anymore.

Our situation is as follows: we use our Grails application pure for its application logic. Authentication is done using a username and password through webservices. As backends we use the database of the app (dao) and a LDAP backend. For now, we've disabled LDAP, to make testing easier.

This is the code which does the authentication:

Code:

def authenticate(String username, String password) {
try {
      println "Trying authentication with user " + username + " and password " + password + "."
      def tempToken = new UsernamePasswordAuthenticationToken(username, password)
      println "Temptoken is " + tempToken
      def token = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password))
      println "Authentication token received was: " + token
    } catch (AuthenticationException authenticationException) {
        return false
    }
    return true     
}

This prints to the log:

Trying authentication with user admin and password admin.
Temptoken is org.springframework.security.providers.UsernamePas swordAuthenticationToken@1f: Principal: admin; Password: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities

And then it all stops.

The domain classes we use are rather straightforward. We do not use a class such as the User Role for the joins between people and their authorities. Instead we use a many-to-many mapping, as this has always worked for us and is easy to maintain.

Our authority domain class:

Code:

class Authority {
static hasMany = [people: Person]

/** description */
String description
/** ROLE String */
String authority = ''

String authorityType

static constraints = {
    authority(help:'x',class:'wide',blank: false,unique:true)
    description(help:'x',class:'extrawide')
    authorityType(help:'x',class:'wide')
    people(help:'x',selectSort:'username',display:false)
}   

String toString() {
      return authority;
}   
}

And our Person domain class:

Code:

class Person  {

static hasMany = [authorities: Authority]
static belongsTo = Authority

//Authority primaryGroup

/** Username */
String username
/** User Real Name*/
String userRealName
String familyName
String givenName

/** MD5 Password */
String passwd
/** enabled */
boolean enabled

String email
boolean emailShow

/** description */
String description = ''



static constraints = {
    username(blank: false, unique: true,help:'x',class:'wide')
    userRealName(blank: false,help:'x',class:'wide')
    familyName(blank: false,help:'x',class:'wide')
    givenName(blank: false,help:'x',class:'wide')
    email(help:'x',class:'wide')
    emailShow(help:'x')
    enabled(help:'x')
    passwd(blank: false,password:true,show:false,help:'x',class:'wide')
    authorities(nullable:true,help:'x',sortable:true,selectSort:'authority')        
}

String toString() {
      return username;
  }
}

In Config.Groovy, we have defined:

Code:

security {
grails.plugins.springsecurity.active = true

cacheUsers = false

grails.plugins.springsecurity.providerNames = ['daoAuthenticationProvider', 'anonymousAuthenticationProvider', 'rememberMeAuthenticationProvider']

grails.plugins.springsecurity.userLookUp.userDomainClassName = "Person"
grails.plugins.springsecurity.userLookup.passwordPropertyName = "passwd"
grails.plugins.springsecurity.authority.className = "Authority"

As far as the documentation goes, this should work by all means (and so it did for the "old" Acegi setup).

To gather some more insights I briefly activated LDAP and found the same issue. WireShark told me that no LDAP calls were made during the login process. My guess would be that either there's something wrong with the code in the Authenticate function or SpringSecurity doesn't know how to pick up our domain classes.

I'd be glad to read any insights!

[burtbeckwith]

My guess is that this is causing a problem:

Code:

security {
grails.plugins.springsecurity.active = true

cacheUsers = false

Looks like a broken copy/paste from your old Acegi config file. Unfortunately malformed Config.groovy files fail silently when you get to an invalid line like the first one and the rest of the file is ignored.

Also, "cacheUsers = false" should be "grails.plugins.springsecurity.cacheUsers = false" - all properties must be prefixed with "grails.plugins.springsecurity."

[dn667]

My guess is that this is causing a problem:

Code:

security {
grails.plugins.springsecurity.active = true

cacheUsers = false

Looks like a broken copy/paste from your old Acegi config file. Unfortunately malformed Config.groovy files fail silently when you get to an invalid line like the first one and the rest of the file is ignored.

Also, "cacheUsers = false" should be "grails.plugins.springsecurity.cacheUsers = false" - all properties must be prefixed with "grails.plugins.springsecurity."

Hi Burt,

Thanks a lot for your reply!

I didn't know that about the config files. So I just made the change but to no luck however. Next I'll try to get everything out, except for the needed parts and see if that does any good. In case you have more tips, I'd be glad to hear about'em.

Best, Raj

[dn667]

Hi Burt,

Thanks a lot for your reply!

I didn't know that about the config files. So I just made the change but to no luck however. Next I'll try to get everything out, except for the needed parts and see if that does any good. In case you have more tips, I'd be glad to hear about'em.

Best, Raj

Hi there,

I just gave it a try, but to no luck. I stripped down my Security to:

Code:

security {
	grails.plugins.springsecurity.active = true
	grails.plugins.springsecurity.cacheUsers = false
	grails.plugins.springsecurity.userLookUp.userDomainClassName = "Person"
	grails.plugins.springsecurity.authority.className = "Authority"
	grails.plugins.springsecurity.userLookup.passwordPropertyName = "passwd"
	grails.plugins.springsecurity.password.algorithm = "SHA-1"
}

I stil get an error that no access or authories were granted.

Is there any way of debugging this? More suggestions are welcome too of course

[pledbrook]

I think the problem is the 'security {}' block. You are setting options such as:

Code:

security.grails.plugins.springsecurity.active=...

when in fact the option is simply:

Code:

grails.plugins.springsecurity.active=...

[dn667]

I think the problem is the 'security {}' block. You are setting options such as:

Code:

security.grails.plugins.springsecurity.active=...

when in fact the option is simply:

Code:

grails.plugins.springsecurity.active=...

Hi Peter,

Thanks for the suggestion. I did give it a try, but to no result. Same for prefixing all settings with security. and leaving the security block out.

I just noticed this in my logs:

Code:

2011-06-06 16:54:51,319 [main] WARN  impl.SessionFactoryObjectFactory  - InitialContext did not implement EventContext
2011-06-06 16:54:51,831 [main] DEBUG hierarchicalroles.RoleHierarchyImpl  - setHierarchy() - The following role hierarchy was set: 
2011-06-06 16:54:56,334 [main] INFO  ldap.DefaultSpringSecurityContextSource  -  URL 'ldap://localhost:389', root DN is ''
2011-06-06 16:54:58,490 [main] INFO  intercept.FilterSecurityInterceptor  - Validated configuration attributes
2011-06-06 16:54:59,295 [main] INFO  search.FilterBasedLdapUserSearch  - SearchBase not set. Searches will be performed from the root:

That's quite strange. The LDAP plugin is installed, but not configured. Also, as displayed on the second line, I read "The following role hierarchy was set: ". I presume some kind of list should follow (but doesn't). That could well be the problem, right?

This error displays no matter what I configure in the config.groovy.

I guess we need to dig a bit deeper...