
RESTClient Authentication Problem with Grails/Spring Security Plugin


RESTClient Authentication Problem with Grails/Spring Security Plugin

allanb
I added the Spring Security plugin to my Grails application, which has a REST interface.
I tested the REST interface with WizTools RESTClient and it worked fine.

Then I tried to implement the feature in a Swing client using RESTClient (in HTTPBuilder package).
The HTTP GET just returned status 200 (OK), but authorization obviously did not work, since nothing happened in the Grails server. After much trial and error I came up with this test that worked:

        import groovyx.net.http.RESTClient
        import static groovyx.net.http.ContentType.XML

        RESTClient rc = new RESTClient('http://localhost:8080/grails/rest/ping')
        // rc.auth.basic "default", "password"   // username: "default", password: "password": Doesn't work!

        // Send the Basic credentials explicitly in the Authorization header
        def resp = rc.get(
                requestContentType : XML,
                headers: ['Authorization': "Basic ZGVmYXVsdDpwYXNzd29yZA=="]
        )

where "ZGVmYXVsdDpwYXNzd29yZA==" is the base64 encoded string for user:passwd ("default:password").

This works, so it would seem to me that there is something wrong with the implementation of rc.auth.basic. Or am I missing something?

Any ideas?

--
Allan



Re: [grails-user] RESTClient Authentication Problem with Grails/Spring Security Plugin

Tom Nichols
Nope, basic auth should do exactly that -- pass the "Authorization:
Basic ..." header in your request.  Try turning on header debug
logging as described in the following link, and see what the header
looks like:
http://groovy.codehaus.org/modules/http-builder/doc/index.html#Logging_and_Debugging

-Tom

On Sat, Oct 17, 2009 at 4:37 PM, allanb <[hidden email]> wrote:

>
> I added the Spring Security plugin to my Grails application, which has a REST
> interface.
> I tested the REST interface with WizTools RESTClient and it worked fine.
>
> Then I tried to implement the feature in a Swing client using RESTClient
> (in HTTPBuilder package).
> The HTTP GET just returned status 200 (OK), but authorization obviously did
> not work, since nothing happened in the Grails server. After much trial and
> error I came up with this test that worked:
>
>        RESTClient rc = new
> RESTClient('http://localhost:8080/grails/rest/ping')
> //        rc.auth.basic "default", "password"   // username: "default",
> password: "password": Doesn't work!
>
>       def resp = rc.get(
>                requestContentType : XML,
>                headers:['Authorization': "Basic ZGVmYXVsdDpwYXNzd29yZA=="]
>        );
>
> where "ZGVmYXVsdDpwYXNzd29yZA==" is the base64 encoded string for
> user:passwd ("default:password").
>
> This works, so it would seem to me that there is something wrong with the
> implementation of rc.auth.basic. Or am I missing something?
>
> Any ideas?
>
> --
> Allan
>
>
>
> --
> View this message in context: http://www.nabble.com/RESTClient-Authentication-Problem-with-Grails-Spring-Security-Plugin-tp25941598p25941598.html
> Sent from the grails - user mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>
>    http://xircles.codehaus.org/manage_email
>
>
>


Re: [grails-user] RESTClient Authentication Problem with Grails/Spring Security Plugin

Allan Brighton
In fact the authorization header was not being sent, because Grails (or the Spring Security
plugin) was replying with HTTP code 302 (Found), instead of 401 (Unauthorized).
I discovered this, along with the fix that is needed, here:

 http://realultimateprogramming.blogspot.com/2008/08/grails-acegi-plugin-and-http-basic.html

In short, the fix is to edit grails-app/conf/spring/resources.groovy and insert this code in the beans
section:

    authenticationEntryPoint(org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint) {
        realmName = 'Grails Realm'
    }

Where 'Grails Realm' is the value of realmName (which I found in $HOME/.grails/1.1.1/projects/grails/plugins/acegi-0.5.2/grails-app/conf/DefaultSecurityConfig.groovy).

One of the comments in the above link says: "This is fixed in the trunk and will be in the 0.6 release."
I guess that refers to the 0.6 release of the Spring Security plugin (Acegi, currently at 0.5.2).

--
Allan


Re: Re: [grails-user] RESTClient Authentication Problem with Grails/Spring Security Plugin

Tom Nichols
That makes sense; Apache HttpClient's auth doesn't get sent except in
response to a 401.  Although there is documentation (search for
httpclient preemptive auth) on how to make HC send the auth header
before getting a 401.

-Tom


On Sun, Oct 18, 2009 at 11:46 AM, Allan Brighton
<[hidden email]> wrote:

>
> In fact the authorization header was not being sent, because Grails (or the
> Spring Security
> plugin) was replying with HTTP code 302 (Found), instead of 401
> (Unauthorized).
> I discovered this, along with the fix that is needed, here:
>
>
> http://realultimateprogramming.blogspot.com/2008/08/grails-acegi-plugin-and-http-basic.html
>
> In short, the fix is to edit grails-app/conf/spring/resources.groovy and
> insert this code in the beans
> section:
>
>
> authenticationEntryPoint(org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint)
> {
>        realmName = 'Grails Realm'
>    }
>
> Where 'Grails Realm' is the value of realmName (which I found in
> $HOME/.grails/1.1.1/projects/grails/plugins/acegi-0.5.2/grails-app/conf/DefaultSecurityConfig.groovy).
>
> One of the comments in the above link says: "This is fixed in the trunk and
> will be in the 0.6 release."
> I guess that refers to the 0.6 release of the Spring Security plugin (Acegi,
> currently at 0.5.2).
>
> --
> Allan
>
>
> Nope, basic auth should do exactly that -- pass the "Authorization:
> Basic ..." header in your request.  Try turning on header debug
> logging as described in the following link, and see what the header
> looks like:
> http://groovy.codehaus.org/modules/http-builder/doc/index.html#Logging_and_Debugging
>
> -Tom
>
> On Sat, Oct 17, 2009 at 4:37 PM, allanb wrote:
>>
>> I added the Spring Security plugin to my Grails application, which has a
>> REST
>> interface.
>> I tested the REST interface with WizTools RESTClient and it worked fine.
>>
>> Then I tried to implement the feature in a Swing client using RESTClient
>> (in HTTPBuilder package).
>> The HTTP GET just returned status 200 (OK), but authorization obviously
>> did
>> not work, since nothing happened in the Grails server. After much trial
>> and
>> error I came up with this test that worked:
>>
>>        RESTClient rc = new
>> RESTClient('http://localhost:8080/grails/rest/ping')
>> //        rc.auth.basic "default", "password"   // username: "default",
>> password: "password": Doesn't work!
>>
>>       def resp = rc.get(
>>                requestContentType : XML,
>>                headers:['Authorization': "Basic ZGVmYXVsdDpwYXNzd29yZA=="]
>>        );
>>
>> where "ZGVmYXVsdDpwYXNzd29yZA==" is the base64 encoded string for
>> user:passwd ("default:password").
>>
>> This works, so it would seem to me that there is something wrong with the
>> implementation of rc.auth.basic. Or am I missing something?
>>
>> Any ideas?
>>
>> --
>> Allan
>>
>>
>

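The diagnosis reached in this thread (the server answers 302 instead of 401, so HttpClient never sends its credentials) can be checked from the client side with the sketch below. It is an added example, not code from any of the posters or from the HTTPBuilder project, and it assumes HTTPBuilder on Apache HttpClient 4.x; the URL and credentials are the test values quoted in the first message.

```groovy
import groovyx.net.http.RESTClient
import org.apache.http.HttpRequest
import org.apache.http.HttpRequestInterceptor
import org.apache.http.client.params.ClientPNames
import org.apache.http.protocol.HttpContext

// Test endpoint and credentials as quoted in the thread.
def rc = new RESTClient('http://localhost:8080/grails/rest/ping')

// Do not follow redirects: a 302 to the login page is then reported as a 302
// instead of being followed and surfacing as a misleading 200 (OK).
rc.client.params.setParameter(ClientPNames.HANDLE_REDIRECTS, false)

// Preemptive Basic auth: attach the header to every request instead of
// waiting for a 401 challenge that this server never sends.
// Basic credentials are only base64-encoded, so outside a localhost test
// this belongs on an https:// URL.
def token = 'default:password'.bytes.encodeBase64().toString()
rc.client.addRequestInterceptor({ HttpRequest req, HttpContext ctx ->
    if (!req.containsHeader('Authorization')) {
        req.addHeader('Authorization', "Basic ${token}")
    }
} as HttpRequestInterceptor)

// RESTClient returns the response for status codes below 400 and throws
// HttpResponseException for 4xx/5xx, so a 401 shows up as an exception.
def resp = rc.get([:])
switch (resp.status) {
    case 200:
        println 'request accepted with preemptive credentials'
        break
    case 302:
        def target = resp.getFirstHeader('Location')?.value
        println "redirected to ${target}: the server is not using a Basic entry point"
        break
    default:
        println "unexpected status ${resp.status}"
}
```

Commenting out the interceptor and re-running shows the original symptom directly: the request goes out without an Authorization header and the server's 302 is visible instead of being hidden behind the followed redirect.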