Spring security core plugin checks for user domain class even if I use only my custom authentication provider

davide.cavestro
On some redirections I get an error message complaining:

    The specified user domain class 'Person' is not a domain class

With a Config.groovy like this:

    //spring security configuration
    grails.plugins.springsecurity.providerNames = [
        'myAuthenticationProvider'
    ]
    grails.plugins.springsecurity.rejectIfNoRule = false

    grails.plugins.springsecurity.controllerAnnotations.staticRules = [
        '/setting/**':       ['ROLE_ADMIN'],
        '/*':            ['ROLE_USER'],
    ]

    // Added by the Spring Security Core plugin:
    //grails.plugins.springsecurity.userLookup.userDomainClassName = 'foo.User'
    //grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'foo.UserRole'
    //grails.plugins.springsecurity.authority.className = 'foo.Role'

I'd expect the security plugin not to check for a persistent user class.

I've seen SpringSecurityCoreGrailsPlugin.addControllerMethods(MetaClass, Object) does the following:

               
    if (!mc.respondsTo(null, 'getAuthenticatedUser')) {
        mc.getAuthenticatedUser = { ->
            if (!ctx.springSecurityService.isLoggedIn()) return null
            String userClassName = SpringSecurityUtils.securityConfig.userLookup.userDomainClassName
            def dc = ctx.grailsApplication.getDomainClass(userClassName)
            if (!dc) {
                throw new RuntimeException("The specified user domain class '$userClassName' is not a domain class")
            }
            Class User = dc.clazz
            User.get SCH.context.authentication.principal.id
        }
    }

Isn't it possible to completely avoid having a user class that is not persistent (i.e. GrailsUser)?
I'm using plugins.spring-security-core=1.2.7.2
Re: Spring security core plugin checks for user domain class even if I use only my custom authentication provider

davide.cavestro
I've found an ugly workaround: I've added
    def getAuthenticatedUser = {
        return null
    }
to SettingController.groovy (the controller that originated the problem using a redirection).

Still wondering why the problem arises only for redirections... and if the usage of a domain user class (persistable) is mandatory even when using a custom authentication provider (not db based).