Spring Security and testing with Curl

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Spring Security and testing with Curl

Alex Wouda-2
I've create a simple app to test with Spring Security and curl.
When I enable security on the secureController like in the basic tutorial, I have to login and the result is rendered correctly.

When I call the same url with
curl -u admin http://localhost:8080/GrailsTests/secure

It prompts for a password, however when I provide it it returns nothing. Also my test println statement is not executed in the console.

I've tried all authenication flags as described here (http://www.readylines.com/curl-oneliners-examples) but to no avail.

I'm kinda stuck.

Alex
Reply | Threaded
Open this post in threaded view
|

Re: Spring Security and testing with Curl

Antoine Roux
With curl -u, I think you are trying to authenticate with a server authentication mechanism like HTTP basic authentication or anything else. I do not think this is natively supported by Spring Security, but I may be wrong. Did you do some special setup for this ?
I do not see how curl would know that you have to send parameters j_username and j_password as POST or things like this.



On Thu, Apr 29, 2010 at 3:42 PM, Alex Wouda <[hidden email]> wrote:
I've create a simple app to test with Spring Security and curl.
When I enable security on the secureController like in the basic tutorial, I have to login and the result is rendered correctly.

When I call the same url with
curl -u admin http://localhost:8080/GrailsTests/secure

It prompts for a password, however when I provide it it returns nothing. Also my test println statement is not executed in the console.

I've tried all authenication flags as described here (http://www.readylines.com/curl-oneliners-examples) but to no avail.

I'm kinda stuck.

Alex

Reply | Threaded
Open this post in threaded view
|

Re: Spring Security and testing with Curl

Alex Wouda-2
yes you're right I guess. Next week we're gonna try to enable a part of the controllers being secured with basic authentication and the user-interface part with form based login. Probably I was trying something which I'm not supposed to use.

thx

Alex
Op 29 apr 2010, om 19:16 heeft Antoine Roux het volgende geschreven:

With curl -u, I think you are trying to authenticate with a server authentication mechanism like HTTP basic authentication or anything else. I do not think this is natively supported by Spring Security, but I may be wrong. Did you do some special setup for this ?
I do not see how curl would know that you have to send parameters j_username and j_password as POST or things like this.



On Thu, Apr 29, 2010 at 3:42 PM, Alex Wouda <[hidden email]> wrote:
I've create a simple app to test with Spring Security and curl.
When I enable security on the secureController like in the basic tutorial, I have to login and the result is rendered correctly.

When I call the same url with
curl -u admin http://localhost:8080/GrailsTests/secure

It prompts for a password, however when I provide it it returns nothing. Also my test println statement is not executed in the console.

I've tried all authenication flags as described here (http://www.readylines.com/curl-oneliners-examples) but to no avail.

I'm kinda stuck.

Alex


Reply | Threaded
Open this post in threaded view
|

Re: Spring Security and testing with Curl

Antoine Roux
I think you can still implement it with Spring Security, but you may have to do a bit more work. Googling "Spring security basic auth" gives a couple results.


On Thu, Apr 29, 2010 at 10:05 PM, Alex Wouda <[hidden email]> wrote:
yes you're right I guess. Next week we're gonna try to enable a part of the controllers being secured with basic authentication and the user-interface part with form based login. Probably I was trying something which I'm not supposed to use.

thx

Alex
Op 29 apr 2010, om 19:16 heeft Antoine Roux het volgende geschreven:

With curl -u, I think you are trying to authenticate with a server authentication mechanism like HTTP basic authentication or anything else. I do not think this is natively supported by Spring Security, but I may be wrong. Did you do some special setup for this ?
I do not see how curl would know that you have to send parameters j_username and j_password as POST or things like this.



On Thu, Apr 29, 2010 at 3:42 PM, Alex Wouda <[hidden email]> wrote:
I've create a simple app to test with Spring Security and curl.
When I enable security on the secureController like in the basic tutorial, I have to login and the result is rendered correctly.

When I call the same url with
curl -u admin http://localhost:8080/GrailsTests/secure

It prompts for a password, however when I provide it it returns nothing. Also my test println statement is not executed in the console.

I've tried all authenication flags as described here (http://www.readylines.com/curl-oneliners-examples) but to no avail.

I'm kinda stuck.

Alex



Reply | Threaded
Open this post in threaded view
|

Re: Spring Security and testing with Curl

smaldini
Here a sample grails filter to achieve that :

class ServicesFilters {

  def filters = {
    loginCheck(controller: 'protected', action: '*') {
      before = {
        def authString = request.getHeader('Authorization')

        if (!authString) {
          response.status = 401
          response.addHeader 'WWW-Authenticate','Basic realm=BasicAuth-WebServices'
          response.addHeader '"Content-Length','0'
          return false
        }

        def encodedPair = authString - 'Basic '
        def decodedPair = new String(new sun.misc.BASE64Decoder().decodeBuffer(encodedPair));
        def credentials = decodedPair.split(':')

        def userService = grailsApplication.mainContext.getBean('UserServiceNoAOP')
        def user = userService.authentifyUser(credentials[0], credentials[1])

        if (user) {
          request.isUser = user
        }
        else {
          response.sendError(403)
        }
      }

    }
  }
}

On Thu, Apr 29, 2010 at 11:00 PM, Antoine Roux <[hidden email]> wrote:
I think you can still implement it with Spring Security, but you may have to do a bit more work. Googling "Spring security basic auth" gives a couple results.



On Thu, Apr 29, 2010 at 10:05 PM, Alex Wouda <[hidden email]> wrote:
yes you're right I guess. Next week we're gonna try to enable a part of the controllers being secured with basic authentication and the user-interface part with form based login. Probably I was trying something which I'm not supposed to use.

thx

Alex
Op 29 apr 2010, om 19:16 heeft Antoine Roux het volgende geschreven:

With curl -u, I think you are trying to authenticate with a server authentication mechanism like HTTP basic authentication or anything else. I do not think this is natively supported by Spring Security, but I may be wrong. Did you do some special setup for this ?
I do not see how curl would know that you have to send parameters j_username and j_password as POST or things like this.



On Thu, Apr 29, 2010 at 3:42 PM, Alex Wouda <[hidden email]> wrote:
I've create a simple app to test with Spring Security and curl.
When I enable security on the secureController like in the basic tutorial, I have to login and the result is rendered correctly.

When I call the same url with
curl -u admin http://localhost:8080/GrailsTests/secure

It prompts for a password, however when I provide it it returns nothing. Also my test println statement is not executed in the console.

I've tried all authenication flags as described here (http://www.readylines.com/curl-oneliners-examples) but to no avail.

I'm kinda stuck.

Alex






--
Stéphane MALDINI
doc4web consultant
[hidden email]
--
http://fr.linkedin.com/in/smaldini
Reply | Threaded
Open this post in threaded view
|

Re: Spring Security and testing with Curl

smaldini
The userService part is easily overridable by authenticateService or some forwarding to the j_security_check page.

On Thu, Apr 29, 2010 at 11:08 PM, Stephane Maldini <[hidden email]> wrote:
Here a sample grails filter to achieve that :

class ServicesFilters {

  def filters = {
    loginCheck(controller: 'protected', action: '*') {
      before = {
        def authString = request.getHeader('Authorization')

        if (!authString) {
          response.status = 401
          response.addHeader 'WWW-Authenticate','Basic realm=BasicAuth-WebServices'
          response.addHeader '"Content-Length','0'
          return false
        }

        def encodedPair = authString - 'Basic '
        def decodedPair = new String(new sun.misc.BASE64Decoder().decodeBuffer(encodedPair));
        def credentials = decodedPair.split(':')

        def userService = grailsApplication.mainContext.getBean('UserServiceNoAOP')
        def user = userService.authentifyUser(credentials[0], credentials[1])

        if (user) {
          request.isUser = user
        }
        else {
          response.sendError(403)

        }
      }

    }
  }
}

On Thu, Apr 29, 2010 at 11:00 PM, Antoine Roux <[hidden email]> wrote:
I think you can still implement it with Spring Security, but you may have to do a bit more work. Googling "Spring security basic auth" gives a couple results.



On Thu, Apr 29, 2010 at 10:05 PM, Alex Wouda <[hidden email]> wrote:
yes you're right I guess. Next week we're gonna try to enable a part of the controllers being secured with basic authentication and the user-interface part with form based login. Probably I was trying something which I'm not supposed to use.

thx

Alex
Op 29 apr 2010, om 19:16 heeft Antoine Roux het volgende geschreven:

With curl -u, I think you are trying to authenticate with a server authentication mechanism like HTTP basic authentication or anything else. I do not think this is natively supported by Spring Security, but I may be wrong. Did you do some special setup for this ?
I do not see how curl would know that you have to send parameters j_username and j_password as POST or things like this.



On Thu, Apr 29, 2010 at 3:42 PM, Alex Wouda <[hidden email]> wrote:
I've create a simple app to test with Spring Security and curl.
When I enable security on the secureController like in the basic tutorial, I have to login and the result is rendered correctly.

When I call the same url with
curl -u admin http://localhost:8080/GrailsTests/secure

It prompts for a password, however when I provide it it returns nothing. Also my test println statement is not executed in the console.

I've tried all authenication flags as described here (http://www.readylines.com/curl-oneliners-examples) but to no avail.

I'm kinda stuck.

Alex






--
Stéphane MALDINI
doc4web consultant
[hidden email]
--
http://fr.linkedin.com/in/smaldini



--
Stéphane MALDINI
doc4web consultant
[hidden email]
--
http://fr.linkedin.com/in/smaldini
Reply | Threaded
Open this post in threaded view
|

Re: Spring Security and testing with Curl

burtbeckwith
In reply to this post by smaldini
There's no need for a filter, the plugin has support for Basic auth.

Burt

> Here a sample grails filter to achieve that :
>
> class ServicesFilters {
>
>   def filters = {
>     loginCheck(controller: 'protected', action: '*') {
>       before = {
>         def authString = request.getHeader('Authorization')
>
>         if (!authString) {
>           response.status = 401
>           response.addHeader 'WWW-Authenticate','Basic
> realm=BasicAuth-WebServices'
>           response.addHeader '"Content-Length','0'
>           return false
>         }
>
>         def encodedPair = authString - 'Basic '
>         def decodedPair = new String(new
> sun.misc.BASE64Decoder().decodeBuffer(encodedPair));
>         def credentials = decodedPair.split(':')
>
>         def userService =
> grailsApplication.mainContext.getBean('UserServiceNoAOP')
>         def user = userService.authentifyUser(credentials[0],
> credentials[1])
>
>         if (user) {
>           request.isUser = user
>         }
>         else {
>           response.sendError(403)
>         }
>       }
>
>     }
>   }
> }
>
> On Thu, Apr 29, 2010 at 11:00 PM, Antoine Roux <[hidden email]
> > wrote:
>
> > I think you can still implement it with Spring Security, but you may have
> > to do a bit more work. Googling "Spring security basic auth" gives a couple
> > results.
> >
> >
> >
> > On Thu, Apr 29, 2010 at 10:05 PM, Alex Wouda <[hidden email]> wrote:
> >
> >> yes you're right I guess. Next week we're gonna try to enable a part of
> >> the controllers being secured with basic authentication and the
> >> user-interface part with form based login. Probably I was trying something
> >> which I'm not supposed to use.
> >>
> >> thx
> >>
> >> Alex
> >> Op 29 apr 2010, om 19:16 heeft Antoine Roux het volgende geschreven:
> >>
> >> With curl -u, I think you are trying to authenticate with a server
> >> authentication mechanism like HTTP basic authentication or anything else. I
> >> do not think this is natively supported by Spring Security, but I may be
> >> wrong. Did you do some special setup for this ?
> >> I do not see how curl would know that you have to send parameters
> >> j_username and j_password as POST or things like this.
> >>
> >>
> >>
> >> On Thu, Apr 29, 2010 at 3:42 PM, Alex Wouda <[hidden email]> wrote:
> >>
> >>> I've create a simple app to test with Spring Security and curl.
> >>> When I enable security on the secureController like in the basic
> >>> tutorial, I have to login and the result is rendered correctly.
> >>>
> >>> When I call the same url with
> >>> curl -u admin http://localhost:8080/GrailsTests/secure
> >>>
> >>> It prompts for a password, however when I provide it it returns nothing.
> >>> Also my test println statement is not executed in the console.
> >>>
> >>> I've tried all authenication flags as described here (
> >>> http://www.readylines.com/curl-oneliners-examples) but to no avail.
> >>>
> >>> I'm kinda stuck.
> >>>
> >>> Alex
> >>>
> >>
> >>
> >>
> >
>
>
>

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email


Reply | Threaded
Open this post in threaded view
|

Re: Spring Security and testing with Curl

Alex Wouda-2
In reply to this post by smaldini
ok, basic auth shouldn't be a problem according to your replies. Thanks.

I'm off for a few days and forwarded your answers to colleguae's, so when I'm back they probably implemented it ;-)

Alex

On Thu, Apr 29, 2010 at 11:09 PM, Stephane Maldini <[hidden email]> wrote:
The userService part is easily overridable by authenticateService or some forwarding to the j_security_check page.


On Thu, Apr 29, 2010 at 11:08 PM, Stephane Maldini <[hidden email]> wrote:
Here a sample grails filter to achieve that :

class ServicesFilters {

  def filters = {
    loginCheck(controller: 'protected', action: '*') {
      before = {
        def authString = request.getHeader('Authorization')

        if (!authString) {
          response.status = 401
          response.addHeader 'WWW-Authenticate','Basic realm=BasicAuth-WebServices'
          response.addHeader '"Content-Length','0'
          return false
        }

        def encodedPair = authString - 'Basic '
        def decodedPair = new String(new sun.misc.BASE64Decoder().decodeBuffer(encodedPair));
        def credentials = decodedPair.split(':')

        def userService = grailsApplication.mainContext.getBean('UserServiceNoAOP')
        def user = userService.authentifyUser(credentials[0], credentials[1])

        if (user) {
          request.isUser = user
        }
        else {
          response.sendError(403)

        }
      }

    }
  }
}

On Thu, Apr 29, 2010 at 11:00 PM, Antoine Roux <[hidden email]> wrote:
I think you can still implement it with Spring Security, but you may have to do a bit more work. Googling "Spring security basic auth" gives a couple results.



On Thu, Apr 29, 2010 at 10:05 PM, Alex Wouda <[hidden email]> wrote:
yes you're right I guess. Next week we're gonna try to enable a part of the controllers being secured with basic authentication and the user-interface part with form based login. Probably I was trying something which I'm not supposed to use.

thx

Alex
Op 29 apr 2010, om 19:16 heeft Antoine Roux het volgende geschreven:

With curl -u, I think you are trying to authenticate with a server authentication mechanism like HTTP basic authentication or anything else. I do not think this is natively supported by Spring Security, but I may be wrong. Did you do some special setup for this ?
I do not see how curl would know that you have to send parameters j_username and j_password as POST or things like this.



On Thu, Apr 29, 2010 at 3:42 PM, Alex Wouda <[hidden email]> wrote:
I've create a simple app to test with Spring Security and curl.
When I enable security on the secureController like in the basic tutorial, I have to login and the result is rendered correctly.

When I call the same url with
curl -u admin http://localhost:8080/GrailsTests/secure

It prompts for a password, however when I provide it it returns nothing. Also my test println statement is not executed in the console.

I've tried all authenication flags as described here (http://www.readylines.com/curl-oneliners-examples) but to no avail.

I'm kinda stuck.

Alex






--
Stéphane MALDINI
doc4web consultant
[hidden email]
--
http://fr.linkedin.com/in/smaldini



--
Stéphane MALDINI
doc4web consultant
[hidden email]
--
http://fr.linkedin.com/in/smaldini