Grails and Basic Auth


dutch...@charter.net

Jan 14, 2011, 11:24:54 AM
to groo...@googlegroups.com
Hello all:

I have a Grails app in which I have implemented a number of REST services. Up to when I created these services, it was a basic web-based app with a user login page. In my case, the service calls are coming from an Android app so all I want is to make a REST call from Android to the Grails app. Therefore, I just want to do Basic Auth as part of this call. How would I alter the Grails app to support Basic Auth? All of the research I have done talks about login pages but in this case, I would not be going through a login page. The userid/password entry is on the Android app. I looked at the Authentication plugin documentation but the instructions immediately talk about login pages once you install the plugin, nothing "headless".

Thank you,

Perry Hoekstra

Colin Harrington

Jan 14, 2011, 11:35:29 AM
to groo...@googlegroups.com
I'd try using SpringSecurityCore. Check out the documentation about "Basic and Digest Authentication".

I haven't set up basic auth, but it should be fairly straightforward. Install the plugin, configure it, configure Basic Auth, put some Secured annotations on your controller or actions and away you go.

Colin Harrington
colin.ha...@gmail.com



Scott Vlaminck

Jan 14, 2011, 11:44:04 AM
to groo...@googlegroups.com
I agree with Colin.

I've found it to be pretty easy to use BASIC auth with the JSecurity
plugin and with the Spring Security plugin. At the bottom of
Authentication plugin docs at
http://www.grails.org/Authentication+Plugin it says that BASIC auth is
not yet implemented for that plugin.

Scott

-------------------------------------------------
Scott Vlaminck // sc...@refactr.com
Refactr LLC // http://refactr.com
mobile // 612-386-9382
-------------------------------------------------

dutch...@charter.net

Jan 14, 2011, 11:55:04 AM
to groo...@googlegroups.com
Colin & Scott:

That is what I was afraid of. It is a corporate application and I
really did not want to rip out the current security mechanism and try to
implement Spring Security for the little thing I was attempting to do.
I investigated what it would take and it would involve schema
change/table migration. I was hoping to essentially bolt on Basic Auth
to the security it currently has.

Perry

Colin Harrington

Jan 14, 2011, 12:08:13 PM
to groo...@googlegroups.com
You may be able to achieve this yourself. Check out what Spring Security does with the BasicAuthenticationFilter and BasicAuthenticationEntryPoint. I've never done this, but it sounds pretty basic... :-)

Colin Harrington
colin.ha...@gmail.com

Josh Reed

Jan 14, 2011, 12:08:48 PM
to groo...@googlegroups.com
Hi Perry,

I sent this in response to your question back on Nov 1.  HTML Basic Auth is straightforward to implement by hand without using one of the existing security plugins.  The existing plugins have the advantage that they give you a bunch more functionality without much more work.

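<code>
// `user` and `password` are the expected credentials, defined elsewhere
def auth = request.getHeader('Authorization')
if (!auth || !auth.startsWith('Basic ')) {
     // No Basic credentials sent: challenge the client
     response.addHeader("WWW-Authenticate", "Basic realm=\"Your Realm\"")
     response.sendError(401, "Authorization required")
     return false
}

// Decode "user:password"; split on the first ':' only, since a password may contain ':'
def credentials = []
try {
     credentials = new String((auth - 'Basic ').decodeBase64()).split(':', 2)
} catch (RuntimeException e) {
     // Malformed Base64 leaves credentials empty and fails the check below
}
if (credentials.size() != 2 || credentials[0] != user || credentials[1] != password) {
     response.addHeader("WWW-Authenticate", "Basic realm=\"Your Realm\"")
     response.sendError(401, "Authorization required")
     return false
}
</code>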


The only thing the snippet above requires is that you either have a fixed user/pass or you are storing them in plaintext in your database.  That snippet will have to go at the beginning of each action you want to protect or you can probably do something with interceptors or filters.

Cheers,
Josh
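
Added example, not part of the original thread or any poster's code: a stand-alone Groovy script that performs the same header check against a salted PBKDF2 hash with a constant-time comparison, so the stored value need not be the plaintext password. The user name, password, iteration count and the `users` map are constructed for illustration.

```groovy
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import java.security.MessageDigest
import java.security.SecureRandom

// Derive the value that is stored in place of the plaintext password.
byte[] pbkdf2(String password, byte[] salt, int iterations = 100000) {
    def spec = new PBEKeySpec(password.toCharArray(), salt, iterations, 256)
    SecretKeyFactory.getInstance('PBKDF2WithHmacSHA256').generateSecret(spec).encoded
}

// Parse "Basic <base64(user:pass)>"; returns [user, pass] or null if malformed.
List<String> parseBasicAuth(String header) {
    if (!header?.startsWith('Basic ')) return null
    try {
        def decoded = new String(header.substring(6).trim().decodeBase64(), 'UTF-8')
        def parts = decoded.split(':', 2)   // only the first ':' separates user from password
        return parts.size() == 2 ? parts.toList() : null
    } catch (RuntimeException e) {
        return null                         // invalid Base64
    }
}

// True only for a known user whose password hashes to the stored value.
boolean authenticate(Map users, String header) {
    def creds = parseBasicAuth(header)
    def record = creds ? users[creds[0]] : null
    if (!record) return false
    // MessageDigest.isEqual compares in constant time
    MessageDigest.isEqual(pbkdf2(creds[1], record.salt), record.hash)
}

// Constructed stand-in for a user table: username -> salt and derived hash.
def salt = new byte[16]
new SecureRandom().nextBytes(salt)
def users = ['android-client': [salt: salt, hash: pbkdf2('s3cr:et', salt)]]

// Builds the header a client would send (constructed sample input).
def header = { u, p -> 'Basic ' + "${u}:${p}".toString().bytes.encodeBase64().toString() }

assert authenticate(users, header('android-client', 's3cr:et'))
assert !authenticate(users, header('android-client', 'wrong'))
assert !authenticate(users, header('nobody', 's3cr:et'))
assert !authenticate(users, 'Basic !!!not-base64')
assert !authenticate(users, null)
```

When `authenticate` returns false, the caller sends the same 401 response and `WWW-Authenticate` header as in the snippet above. Base64 is an encoding, not encryption, so the endpoint needs HTTPS.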

dutch...@charter.net

Jan 14, 2011, 12:15:00 PM
to groo...@googlegroups.com
I looked at the Spring Security plugin docs and the first thing that jumped out at me was "The plugin uses regular Grails domain classes to access its required data. At a minimum you need a 'person' and an 'authority' domain class".  The current Grails app has the basic User/Role classes which tells me I would have to migrate from User/Role to Person/Authority and that sort of migration process is a non-starter for me.

Perry


Michael Cameron

Jan 14, 2011, 12:18:09 PM
to groo...@googlegroups.com
Spring security requires domain classes, and it comes with the convention of "Person" and "Authority" for class names, but those can be configured. In one of our apps, we use SystemUser, Role, and SystemUserRoleRelation classes, all managed through spring security's configuration. Read further, the docs are fairly descriptive.

Michael

Craig Atkinson

Jan 14, 2011, 12:20:16 PM
to groo...@googlegroups.com
Hi Perry,

I'm not sure that migrating the domain classes is necessary - you can specify the domain class names for the 'User' and 'Role' to use for the Spring Security plugin. For example, here is the configuration in the Config.groovy for one of my apps:

// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.practilogic.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.practilogic.UserRole'
grails.plugins.springsecurity.authority.className = 'com.practilogic.Role'

The security plugin probably will look for specific field names inside of the domain classes, for example "username" and "password" in the User class.

Hope this helps,
Craig

Scott Vlaminck

Jan 14, 2011, 12:26:20 PM
to groo...@googlegroups.com
Perry,

If you use Josh's code, you shouldn't need to swap out anything in
your app, except adding a filter to retrieve the BASIC auth
credentials. With those, you should be able to just call
authenticationService.login(login, pass), which is provided by the
Authentication plugin.

Scott

-------------------------------------------------
Scott Vlaminck // sc...@refactr.com
Refactr LLC // http://refactr.com
mobile // 612-386-9382
-------------------------------------------------

Colin Harrington

Jan 14, 2011, 1:13:58 PM
to groo...@googlegroups.com
Perry,

Since you said that you don't want to replace the security mechanism that you have in place, I was simply suggesting that you could learn from Spring Security (or other Plugins) so that you can implement your own basic auth. 

This guy does something similar: http://www.morkeleb.com/2009/04/07/grails-ajax-login-using-basic-auth/
which also references: http://awalkingcity.com/blog/2008/03/07/basic-authentication-and-grails/

Josh's approach looks good, btw :-)

Happy trails!

Colin Harrington
colin.ha...@gmail.com