
Spring-Core-Security: Missing authentication failure messages


Frik
Hi,

I had to create a custom authentication filter to get additional account information from the login form.  I have tried various ways of doing it and found the intended way of doing this based on the source code documentation.

Everything works great and as expected in all cases, except when the credentials are incorrect... instead the user gets a 401 error message.

So, I added this to the URLMappings:
"401"(controller: "login", action:"authfail")

Now, a failed login does get the login prompt... however there is no error message with the reason why the login failed.

Any ideas what I am doing wrong?  Here are the source files that I am using.

Thanks,
Frik

NOTE:  The login failure message works fine until I add authenticationProcessingFilter in resources.groovy to get the account information.

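import javax.servlet.http.HttpServletRequest
import org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser
import org.codehaus.groovy.grails.plugins.springsecurity.GrailsUserDetailsService
import org.codehaus.groovy.grails.plugins.springsecurity.RequestHolderAuthenticationFilter
import org.springframework.security.core.AuthenticationException
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException

class GwRequestHolderAuthenticationFilter extends RequestHolderAuthenticationFilter
{
   public static final String SPRING_SECURITY_FORM_ACCOUNT_KEY = "j_account";

   // Prefix the username with the account from the extra login form field
   @Override
   protected String obtainUsername(HttpServletRequest request)
   {
      String account = request.getParameter(SPRING_SECURITY_FORM_ACCOUNT_KEY);
      String username = request.getParameter(usernameParameter);

      if (account)
      {
         return account + "\\" + username
      }

      return username;
   }
}

class GwUserDetailsService implements GrailsUserDetailsService
{
   UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
   {
      return loadUserByUsername(username, true)
   }

   UserDetails loadUserByUsername(String username, boolean loadRoles) throws AuthenticationException
   {
      // The closure brace must sit on the same line as the call,
      // otherwise Groovy does not pass the closure to withTransaction
      User.withTransaction { status ->
         //fake it for now
         User user = User.findByUsername(username);
         if (user)
         {
            return new GwUserDetails(user);
         }
         throw new UsernameNotFoundException("User not found", username);//NOT SHOWING LOGIN FORM AGAIN
      }
   }
}

class GwUserDetails extends GrailsUser
{
   GwUserDetails(User u)
   {
      super(u.username, u.password, u.enabled, ! u.accountExpired, ! u.passwordExpired, ! u.accountLocked, u.gwGrantedAuthorities(), u.id)
   }
}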


URLMappings:
"/login/$action?"(controller: "login")
"/logout/$action?"(controller: "logout")
"404"(controller: "login")

resources.groovy:
userDetailsService(GwUserDetailsService)

// Closure brace kept on the same line as the bean name so Groovy passes it to the bean definition
authenticationProcessingFilter(GwRequestHolderAuthenticationFilter) {
   authenticationManager = ref('authenticationManager')
   rememberMeServices = ref('rememberMeServices')
}










Re: Spring-Core-Security: Missing authentication failure messages

Frik
Btw, I just found the answer:

resources.groovy
   authenticationProcessingFilter(RequestHolderAuthenticationFilter) { 
      def conf = SpringSecurityUtils.securityConfig 
      authenticationManager = ref('authenticationManager') 
      sessionAuthenticationStrategy = ref('sessionAuthenticationStrategy') 
      authenticationSuccessHandler = ref('authenticationSuccessHandler') 
      authenticationFailureHandler = ref('authenticationFailureHandler') 
      rememberMeServices = ref('rememberMeServices') 
      authenticationDetailsSource = ref('authenticationDetailsSource') 
      filterProcessesUrl = conf.apf.filterProcessesUrl 
      usernameParameter = conf.apf.usernameParameter 
      passwordParameter = conf.apf.passwordParameter 
      continueChainBeforeSuccessfulAuthentication = conf.apf.continueChainBeforeSuccessfulAuthentication 
      allowSessionCreation = conf.apf.allowSessionCreation 
      postOnly = conf.apf.postOnly 
   } 

Thanks for listening :)

On Nov 6, 2010, at 4:42 PM, Frik Strecker wrote:












Re: Spring-Core-Security: Missing authentication failure messages

sodastream
Hi Frik, great to find your post, I'm doing almost exactly the same thing. But what was the solution really? Your quote below seems to be an unchanged fragment of SpringSecurityCoreGrailsPlugin.groovy. You must have inserted the names of your new classes somewhere?

Would it be possible for you to list your grails-app/conf/spring/resources.groovy?

Thanks,
Hakan

Frik wrote
Btw, I just found the answer:

resources.groovy
   authenticationProcessingFilter(RequestHolderAuthenticationFilter) {
      def conf = SpringSecurityUtils.securityConfig
      authenticationManager = ref('authenticationManager')
...
   }
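
The configuration question raised in this thread, as an added example that is not from any of the posters or from the plugin itself: a resources.groovy that keeps the custom filter class from the first post and restates the properties listed in Frik's reply. It assumes GwRequestHolderAuthenticationFilter and GwUserDetailsService are importable as written in the first post and that the plugin version matches the property list quoted above.

```groovy
// grails-app/conf/spring/resources.groovy
// Added example. Class names come from the first post; the property list
// comes from the plugin fragment quoted in Frik's reply.
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

beans = {
   userDetailsService(GwUserDetailsService)

   // Before (from the first post): the override replaces the plugin's whole
   // bean definition, so every property not restated here falls back to the
   // Spring Security default. The default failure handler has no failure URL
   // and answers a bad login with a plain 401 instead of redirecting to the
   // login page with an error message.
   //
   // authenticationProcessingFilter(GwRequestHolderAuthenticationFilter) {
   //    authenticationManager = ref('authenticationManager')
   //    rememberMeServices = ref('rememberMeServices')
   // }

   // After: same custom class, with the plugin's wiring restated.
   authenticationProcessingFilter(GwRequestHolderAuthenticationFilter) {
      def conf = SpringSecurityUtils.securityConfig
      authenticationManager = ref('authenticationManager')
      // Without this the session strategy configured by the plugin is not applied
      sessionAuthenticationStrategy = ref('sessionAuthenticationStrategy')
      authenticationSuccessHandler = ref('authenticationSuccessHandler')
      // Restores the redirect to the login page with the failure reason
      authenticationFailureHandler = ref('authenticationFailureHandler')
      rememberMeServices = ref('rememberMeServices')
      authenticationDetailsSource = ref('authenticationDetailsSource')
      filterProcessesUrl = conf.apf.filterProcessesUrl
      usernameParameter = conf.apf.usernameParameter
      passwordParameter = conf.apf.passwordParameter
      continueChainBeforeSuccessfulAuthentication = conf.apf.continueChainBeforeSuccessfulAuthentication
      allowSessionCreation = conf.apf.allowSessionCreation
      // Keeps the configured POST-only restriction on the login endpoint
      postOnly = conf.apf.postOnly
   }
}
```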