Reply: 0

Spring security "Not logged in or anonymous" or "premission denied" catch 22

user3856 Published in May 22, 2018, 4:35 am

I am trying to move my Grails 3 app to Spring Security Shiro and I seem to be stuck in a catch-22 regarding user login.

If I allow the signIn method outside access in the interceptUrlMap it says anonymous user cannot be logged in and I see that it is trying to login with the following security principal (which is the anonymous user used with permitAll access):

org.springframework.security.core.userdetails.User@dc730200: Username: __grails.anonymous.user__; Password: [PROTECTED]; Enabled: false; AccountNonExpired: false; credentialsNonExpired: false; AccountNonLocked: false; Granted Authorities: ROLE_ANONYMOUS

If I take the access away then I am denied permission to post to the method.

I know that the permitAll translates to IS_AUTHENTICATED_ANONYMOUSLY but how do I allow the as yet unknown user the opportunity to sign in without Spring Security setting the security principal to an anonymous user?

application.groovy config:

grails.plugin.springsecurity.debug.useFilter = true

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.securityConfigType = 'InterceptUrlMap'
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.myApp.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.myApp.UserRole'
grails.plugin.springsecurity.authority.className = 'com.myApp.Role'

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/',               access: ['permitAll']],
    [pattern: '/error',          access: ['permitAll']],
    [pattern: '/index',          access: ['permitAll']],
    [pattern: '/index.gsp',      access: ['permitAll']],
    [pattern: '/shutdown',       access: ['permitAll']],
    [pattern: '/assets/**',      access: ['permitAll']],
    [pattern: '/**/js/**',       access: ['permitAll']],
    [pattern: '/**/css/**',      access: ['permitAll']],
    [pattern: '/**/images/**',   access: ['permitAll']],
    [pattern: '/**/favicon.ico', access: ['permitAll']]
]

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**',      filters: 'none'],
    [pattern: '/**/js/**',       filters: 'none'],
    [pattern: '/**/css/**',      filters: 'none'],
    [pattern: '/**/images/**',   filters: 'none'],
    [pattern: '/**/favicon.ico', filters: 'none'],
    [pattern: '/**',             filters: 'JOINED_FILTERS']
]

grails.plugin.springsecurity.interceptUrlMap = [
    [pattern: '/',               access: ['permitAll']],
    [pattern: '/error',          access: ['permitAll']],
    [pattern: '/index',          access: ['permitAll']],
    [pattern: '/index.gsp',      access: ['permitAll']],
    [pattern: '/shutdown',       access: ['permitAll']],
    [pattern: '/assets/**',      access: ['permitAll']],
    [pattern: '/**/js/**',       access: ['permitAll']],
    [pattern: '/**/css/**',      access: ['permitAll']],
    [pattern: '/**/images/**',   access: ['permitAll']],
    [pattern: '/**/favicon.ico', access: ['permitAll']],
    [pattern: '/login/auth/**',  access: ['permitAll']],
    [pattern: '/auth/**',        access: ['permitAll']],
    [pattern: '/logout/**',      access: ['permitAll']]
]

grails.plugin.springsecurity.shiro.useCache = true
grails.plugin.springsecurity.shiro.active = true
grails.plugin.springsecurity.logout.postOnly = false
grails.plugin.springsecurity.shiro.permissionDomainClassName = 'com.myApp.Permission'

Update: I can do this manually via:

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder

Authentication preAuthentication = new UsernamePasswordAuthenticationToken(params.user, params.password) // Grails exposes request parameters as 'params'
def authentication = authenticationManager.authenticate(preAuthentication) // throws AuthenticationException on bad credentials
SecurityContextHolder.getContext().setAuthentication(authentication) // replaces the anonymous principal for this request

But this seems a hacky way to get around the problem.
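The principal dump in the question is the token that Spring Security's AnonymousAuthenticationFilter puts into the context for every permitAll URL, so a sign-in action that treats "there is a principal" as "already logged in" will refuse every anonymous visitor. The following Grails controller is an added example (not code from the question or from the Spring Security Core plugin) that makes the distinction the way Spring Security itself does, with AuthenticationTrustResolver, and then performs the same manual authentication the update shows, with failure handling. Assumptions: the controller and action names are hypothetical, the authenticationManager bean is the one the plugin registers, and the app runs on the Spring Security 4.x line used by Grails 3, where SecurityContextPersistenceFilter saves the holder's context to the HTTP session at the end of the request.

```groovy
package com.myApp  // package taken from the config in the question; the controller itself is hypothetical

import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.authentication.AuthenticationTrustResolver
import org.springframework.security.authentication.AuthenticationTrustResolverImpl
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.AuthenticationException
import org.springframework.security.core.context.SecurityContextHolder

class SignInController {

    // Bean registered by the Spring Security Core plugin, injected by name.
    AuthenticationManager authenticationManager

    // Spring Security's own notion of "anonymous": recognises the token that the
    // AnonymousAuthenticationFilter places in the context on permitAll URLs.
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl()

    // A real login means: an Authentication is present AND it is not the anonymous one.
    // Checking only 'auth != null' or 'auth.authenticated' is the trap behind
    // "anonymous user cannot be logged in": the anonymous token is non-null and
    // reports authenticated == true.
    boolean isRealUser(Authentication auth) {
        auth != null && !trustResolver.isAnonymous(auth)
    }

    // POST /signIn/signIn with username and password parameters (action name is an assumption)
    def signIn(String username, String password) {
        Authentication current = SecurityContextHolder.context.authentication
        if (isRealUser(current)) {
            render status: 400, text: 'Already signed in'
            return
        }
        // 'current' is now either null or the __grails.anonymous.user__ token. On a
        // permitAll URL that is expected and is not a reason to refuse the sign-in.
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password))
            // Replace the anonymous principal with the authenticated one; the
            // persistence filter writes it to the session when the request completes.
            SecurityContextHolder.context.authentication = result
            render status: 200, text: "Signed in as ${result.name}"
        } catch (AuthenticationException e) {
            // Same response for an unknown user and a wrong password; never log the password.
            log.warn "Sign-in failed for '${username}': ${e.class.simpleName}"
            render status: 401, text: 'Sign-in failed'
        }
    }
}
```

The check to copy from this is isRealUser: the anonymous token must be treated as "not logged in" by anything that gates the sign-in form, while the URL itself stays permitAll so the unauthenticated browser can reach it at all.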

