spring-security-core: https for login, http otherwise

spring-security-core: https for login, http otherwise

thomasbee
Hi,

previous discussions on this did not seem to have come to a conclusion: I would like to use a secure HTTPS channel for posting username/password, but a non-secure HTTP channel otherwise. I understand I should be able to reach such behaviour using grails.plugin.springsecurity.auth.forceHttps = true

The behaviour I am observing is as follows:

(a) I hit the root of my vanilla test app: http://server:8080/test 
==> "Welcome to Grails" page is returned, no authentication required. OK.

(b) I hit http://server:8080/test/app (which I have configured to require authentication)
==> I get redirected to https://server:8443/test/login/auth. OK.

(c) I login with username/password
==> I think the login works (no error), but I am redirected back to
https://server:8443/test/login/auth

(d) I hit http://server:8080/test/app 
==> I get redirected to https://server:8443/test/login/auth. OK.

HOWEVER, if I do the whole scenario, entirely in HTTPS, starting with
https://server:8443/test 
https://server:8443/test/app ...

Then I can fully log in and I see the requested page. I assume this has to do with the fact that a session cookie established with https cannot be shared with http, or something like that. Is there any way to reach the desired behaviour? If not, I am not getting what grails.plugin.springsecurity.auth.forceHttps = true is for?

Details below.

Cheers

.t
--------------------------------

(1) I have properly set up a Tomcat with a server certificate and can connect on both http (port 8080) and 8443 (https). Using Spring security core plugin with default, auto generated User, Role classes

(2) I am bootstrapping a user instance into the file-based DB (not memory based) and checked in dbconsole that it exists:
def user = new User()
user.username = 'tom'
user.password = 'tom'
user.accountExpired = false
user.accountLocked = false
user.passwordExpired = false
user.enabled = true
user.save()

(3) I have forced HTTPS for login, i.e.
grails.plugin.springsecurity.auth.forceHttps = true

(4) Rest of the config
grails.plugin.springsecurity.userLookup.userDomainClassName = 'test.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'test.UserRole'
grails.plugin.springsecurity.authority.className = 'test.Role'
grails.plugin.springsecurity.auth.forceHttps = true
grails.serverURL = "http://server:8080/test"
grails.plugin.springsecurity.portMapper.httpPort = 8080
grails.plugin.springsecurity.portMapper.httpsPort = 8443
grails.plugin.springsecurity.logout.postOnly = false
grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugin.springsecurity.interceptUrlMap = [
        '/app/**':            ['isFullyAuthenticated()'],
        '/**':                ['permitAll'],
        '/':                  ['permitAll'],
        '/index':             ['permitAll'],
        '/index.gsp':         ['permitAll'],
        '/**/js/**':          ['permitAll'],
        '/**/css/**':         ['permitAll'],
        '/**/images/**':      ['permitAll'],
        '/**/favicon.ico':    ['permitAll'],
        '/login/**':          ['permitAll'],
        '/logout/**':         ['permitAll']
]
Re: spring-security-core: https for login, http otherwise

rlovtangen
Yes, it's due to the session cookie being created as a secure cookie, which cannot be used over http.
The solution we ended up with was to create a similar non-secure cookie in an interceptor (this was a Struts2 project). The code is attached below. I guess it would be quite easy to do the same in a Grails filter.
These days, though, I would rather just go with HTTPS all over.




import javax.servlet.http.Cookie
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import javax.servlet.http.HttpSession

import com.opensymphony.xwork2.ActionInvocation
import com.opensymphony.xwork2.interceptor.AbstractInterceptor
import org.apache.struts2.ServletActionContext
import org.apache.struts2.StrutsStatics

/**
 * Because the login page is HTTPS, there is a chance that the session is initiated with a secure JSESSIONID cookie.
 * This happens if the user starts on a HTTPS page, and the session will then not be available to HTTP.
 * If the user starts on a HTTP page, the cookie will be non-secure, and the session is available in both HTTP and HTTPS.
 *
 * This interceptor makes sure the cookie is available to both HTTP and HTTPS if user starts on a HTTPS page.
 * Alternatively we could force a roundtrip to HTTP first.
 *
 * Note that the non-secure copy is sent in cleartext on every HTTP request, so the session id
 * can be captured on the network; that exposure is exactly what the Secure flag on the
 * container's own cookie prevents.
 */
class SetInsecureSessionCookieInterceptor extends AbstractInterceptor {

    String intercept(ActionInvocation invocation) {
        if (request.isSecure() && session.isNew()) {
            // Re-issue the container's session id as a cookie without the Secure flag
            Cookie c = new Cookie('JSESSIONID', session.id)
            c.secure = false
            // Without an explicit path the browser scopes the cookie to the directory of the
            // current request (e.g. /test/login) and will not send it to /test/app; scope it
            // to the web application, as the container does for its own session cookie.
            c.path = request.contextPath ?: '/'
            // Keep the copy out of reach of page scripts, like the container's cookie (Servlet 3.0+)
            c.httpOnly = true
            HttpServletResponse response =
                (HttpServletResponse) invocation.invocationContext.get(StrutsStatics.HTTP_RESPONSE)
            response.addCookie(c)
        }
        return invocation.invoke()
    }

    private HttpServletRequest getRequest() {
        ServletActionContext.request
    }

    private HttpSession getSession() {
        ServletActionContext.request.session
    }
}


On 07 Feb 2014, at 11:46, thomasbee <[hidden email]> wrote:

> [quoted original post, identical to the first message in this thread]

--
View this message in context: http://grails.1312388.n4.nabble.com/spring-security-core-https-for-login-http-otherwise-tp4653916.html
Sent from the Grails - user mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

   http://xircles.codehaus.org/manage_email



Re: spring-security-core: https for login, http otherwise

thomasbee
Hi "rlovtangen"

Thanks a lot for the reply; I had also seen your previous discussion. Going fully https might not be possible for us since we have to run a service on high latency networks around the globe, and AJAX calls might become too slow.

To the point: if your explanations hold, then I simply do not understand the point of the plugin configuration

grails.plugin.springsecurity.auth.forceHttps = true

what is it supposed to do?

Cheers

.t
Re: spring-security-core: https for login, http otherwise

rlovtangen
Hi Thomas,

I haven't tried that setting myself, but it probably does what it is supposed to do when users start off by visiting the page using http. As long as the session cookie is created on a http page, it will also be used on https pages, and continue to work when routed back to http.
The problem starts when users bookmark the login page, and therefore start off using https, without a session cookie created on a previous http page.

Best Regards,
Ronny

On 09 Feb 2014, at 18:38, thomasbee <[hidden email]> wrote:

> [quoted reply, identical to the previous message in this thread]
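The cookie behaviour behind this whole thread (the secure-cookie explanation in the first reply and the "cookie created on http works on both" point in the last one) can be reproduced without a browser or a Tomcat. The following is an added example, not code from the thread or from the Grails plugin: it uses Python's http.cookiejar, whose default policy applies the same Secure and Path rules a browser does, to show which cookie a browser would send on the URLs from the original post. The Set-Cookie headers and the session id ABC123 are constructed inputs; the host, ports and paths are the ones from the post.

```python
"""Browser-side view of the JSESSIONID behaviour described in this thread."""
import email.message
import http.cookiejar
import urllib.request

# URLs from the original post; the session id "ABC123" is a constructed value.
LOGIN_URL = "https://server:8443/test/login/auth"   # login response sets the cookie here
HTTP_APP = "http://server:8080/test/app"            # protected page, plain HTTP
HTTPS_APP = "https://server:8443/test/app"          # same page, HTTPS

# Constructed Set-Cookie headers:
# 1. what Tomcat emits when the session is created during an HTTPS request
SECURE_COOKIE = "JSESSIONID=ABC123; Path=/test; Secure; HttpOnly"
# 2. the interceptor's copy as posted: no Secure flag and no Path, so the browser
#    defaults the path to the directory of the login URL (/test/login)
COPY_NO_PATH = "JSESSIONID=ABC123"
# 3. the same copy scoped to the web application's context path
COPY_APP_PATH = "JSESSIONID=ABC123; Path=/test"


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie: str):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie: str, set_on_url: str, then_request_url: str):
    """Store set_cookie as if it arrived in the response to set_on_url, then return
    the Cookie header a browser would attach to then_request_url (None if none)."""
    jar = http.cookiejar.CookieJar()  # default policy enforces Secure and Path
    jar.extract_cookies(_Response(set_cookie), urllib.request.Request(set_on_url))
    request = urllib.request.Request(then_request_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def scenarios():
    """Map each case discussed in the thread to the Cookie header the browser sends."""
    return {
        # steps (c)/(d): secure cookie, then plain HTTP -> nothing is sent, so the
        # server sees no session and redirects to the login page again
        "secure,http": cookie_sent(SECURE_COOKIE, LOGIN_URL, HTTP_APP),
        # the all-HTTPS run: the secure cookie is sent and the login sticks
        "secure,https": cookie_sent(SECURE_COOKIE, LOGIN_URL, HTTPS_APP),
        # interceptor copy without a Path: scoped to /test/login, so still not
        # sent to /test/app, even over HTTP
        "copy-nopath,http": cookie_sent(COPY_NO_PATH, LOGIN_URL, HTTP_APP),
        # copy scoped to /test: sent over HTTP ...
        "copy-apppath,http": cookie_sent(COPY_APP_PATH, LOGIN_URL, HTTP_APP),
        # ... and, as the last reply says, the same non-secure cookie keeps
        # working on HTTPS as well
        "copy-apppath,https": cookie_sent(COPY_APP_PATH, LOGIN_URL, HTTPS_APP),
    }


if __name__ == "__main__":
    for name, header in scenarios().items():
        print(f"{name:20s} -> {header}")
```

Two practical caveats follow from the output. First, the non-secure copy makes the login form's HTTPS protection largely cosmetic: the session id that the form protected is then sent in cleartext on every HTTP request and can be captured by anyone on the path, which is why the first reply ends by recommending HTTPS throughout. Second, Spring Security's session fixation protection (enabled by default in the Grails plugin) issues a new session id on successful login, so a copy made before authentication carries an id that is no longer valid; the copy has to be made after the id has changed.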