
Create a restful application with AngularJS and Grails(3): Authentication and Authorization


Authentication and Authorization

The Grails Spring Security plugin ships with several built-in authentication mechanisms, such as form login, HTTP Basic and Digest, and additional plugins add CAS and OAuth support; look them up on the official grails.org plugin list.
For an API-centric application, Basic is the simplest choice. Keep in mind that it sends the credentials (base64-encoded, not encrypted) with every request, so the API must only be served over HTTPS.

Configure Basic authentication

Form-based authentication is enabled by default; switching to Basic authentication takes one line in Config.groovy:
grails.plugin.springsecurity.useBasicAuth = true
Basic authentication comes with its own basicExceptionTranslationFilter, so the general-purpose exceptionTranslationFilter can be excluded from the API chain, while the web chain drops the Basic filters so that form login keeps working there:
grails.plugin.springsecurity.filterChain.chainMap = [
 '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter',
 '/**': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter'
 ]
Every resource matching /api/** is now protected and requires authentication.
Try to access a protected resource, for example http://localhost:8080/angularjs-grails-sample/api/books.json. The server answers 401 with a WWW-Authenticate: Basic header, and the browser shows its own login prompt asking for a username and password.
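To make the exchange above concrete, here is the HTTP Basic wire format modelled in Python. This is an added, stand-alone example, not code from the article or from the Grails Spring Security plugin: basic_auth_header() builds the header a client such as AngularJS's $http sends, parse_basic_auth() decodes it the way Spring Security's BasicAuthenticationFilter does, and challenge() is the 401 that the stock BasicAuthenticationEntryPoint returns, which is what triggers the browser's login prompt. The realm and charset defaults are the plugin's documented defaults; the usernames and passwords used are made up for the demo.

```python
"""HTTP Basic on the wire, modelled in Python (added example, not the article's
or the Grails Spring Security plugin's code).  Credentials are constructed."""
import base64
import binascii
from typing import Dict, Optional, Tuple

DEFAULT_CHARSET = "utf-8"        # grails.plugin.springsecurity.basic.credentialsCharset default
DEFAULT_REALM = "Grails Realm"   # grails.plugin.springsecurity.basic.realmName default


def basic_auth_header(username: str, password: str, charset: str = DEFAULT_CHARSET) -> str:
    """Client side: 'Basic ' + base64(username ':' password), encoded in `charset`."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode(charset)).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str], charset: str = DEFAULT_CHARSET) -> Optional[Tuple[str, str]]:
    """Server side, mirroring BasicAuthenticationFilter.

    Returns None when no Basic credential is present (the filter then passes the
    request on and it stays anonymous); raises ValueError where the filter raises
    BadCredentialsException (which the entry point turns into a 401); splits on
    the FIRST ':' only, so passwords may contain colons.
    """
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode(charset)
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError("Failed to decode basic authentication token")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("Invalid basic authentication token")
    return username, password


def challenge(realm: str = DEFAULT_REALM) -> Tuple[int, Dict[str, str]]:
    """What the stock BasicAuthenticationEntryPoint sends when credentials are missing or bad."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


if __name__ == "__main__":
    header = basic_auth_header("admin", "p@ss:word")   # constructed credentials
    print(header)                    # Basic YWRtaW46cEBzczp3b3Jk
    print(parse_basic_auth(header))  # ('admin', 'p@ss:word')
    print(challenge())               # (401, {'WWW-Authenticate': 'Basic realm="Grails Realm"'})
```

The charset matters: if the client encodes a non-ASCII password in UTF-8 but the server decodes it with another charset, the parsed credentials differ silently and the login fails, which is why the credentialsCharset setting exists.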

Stateless API

By default Spring Security creates an HTTP session to store the authenticated principal, which is what a web application wants. A REST API, however, is usually designed to be stateless.
Spring Security's http element offers a stateless option; in Grails you have to configure the equivalent yourself.
In resources.groovy, declare a SecurityContextRepository and a SecurityContextPersistenceFilter bean:
statelessSecurityContextRepository(NullSecurityContextRepository) {}

statelessSecurityContextPersistenceFilter(SecurityContextPersistenceFilter, ref('statelessSecurityContextRepository')) { }
The SecurityContextPersistenceFilter decides whether a session is needed and delegates the actual work to its SecurityContextRepository. NullSecurityContextRepository is an implementation that never stores the SecurityContext in the HttpSession, so no session (and no JSESSIONID cookie) is created for API calls, which is exactly what the stateless case needs.
Apply it in Config.groovy:
grails.plugin.springsecurity.filterChain.chainMap = [
 '/api/**': 'statelessSecurityContextPersistenceFilter,logoutFilter,authenticationProcessingFilter,customBasicAuthenticationFilter,securityContextHolderAwareRequestFilter,rememberMeAuthenticationFilter,anonymousAuthenticationFilter,basicExceptionTranslationFilter,filterInvocationInterceptor',
 ]
Here every filter for the /api/** pattern is listed explicitly: the default securityContextPersistenceFilter is replaced by the stateless one, and customBasicAuthenticationFilter and basicExceptionTranslationFilter are the beans defined further down. The logout, form-login and remember-me filters are kept for parity with the default chain; a Basic-only stateless API does not strictly need them.
There are three ways to configure the filters of a URL pattern:
  • If the value includes JOINED_FILTERS, all default filters are included. Append -filterName to exclude a filter from the default list. For example,
   JOINED_FILTERS,-basicExceptionTranslationFilter
includes all filters except basicExceptionTranslationFilter.
  • If the value is 'none', security is skipped for that URL pattern entirely.
  • You can list the filters one by one, as above.
Note: the -filterName exclusion works only together with JOINED_FILTERS.
I also created a custom BasicAuthenticationEntryPoint:
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

 private static final Logger log = LoggerFactory.getLogger(CustomBasicAuthenticationEntryPoint.class);

 @Override
 public void commence(HttpServletRequest request, HttpServletResponse response,
   AuthenticationException authException) throws IOException, ServletException {
  // The parent implementation adds 'WWW-Authenticate: Basic realm="..."', which makes
  // browsers show their native login dialog. Sending a bare 401 instead leaves the
  // handling to the AngularJS client.
  log.debug("call @ commence...");
  response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
 }

}
The purpose is simple: authentication failures (a missing or invalid Authorization header, or access denied for an anonymous request) become a plain 401 and, because super.commence() is not called, carry no WWW-Authenticate header, so the browser no longer pops up its own login dialog and the AngularJS client can react to the status itself. Note that an authenticated user who lacks the required role is handled by the AccessDeniedHandler rather than the entry point and still receives a 403.
Configure this AuthenticationEntryPoint in resources.groovy.
customBasicAuthenticationEntryPoint(CustomBasicAuthenticationEntryPoint) {
 realmName = SpringSecurityUtils.securityConfig.basic.realmName // 'Grails Realm'
}

customBasicAuthenticationFilter(BasicAuthenticationFilter, ref('authenticationManager'), ref('customBasicAuthenticationEntryPoint')) {
 authenticationDetailsSource = ref('authenticationDetailsSource')
 rememberMeServices = ref('rememberMeServices')
 credentialsCharset = SpringSecurityUtils.securityConfig.basic.credentialsCharset // 'UTF-8'
}

basicAccessDeniedHandler(AccessDeniedHandlerImpl)

basicRequestCache(NullRequestCache)

basicExceptionTranslationFilter(ExceptionTranslationFilter, ref('customBasicAuthenticationEntryPoint'), ref('basicRequestCache')) {
 accessDeniedHandler = ref('basicAccessDeniedHandler')
 authenticationTrustResolver = ref('authenticationTrustResolver')
 throwableAnalyzer = ref('throwableAnalyzer')
}
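The failure handling of the /api/** chain wired above, modelled in Python as an added example (not the article's or Spring Security's code). It shows what ExceptionTranslationFilter does with the beans just defined: an unauthenticated or badly authenticated request goes to the AuthenticationEntryPoint (401, with or without the WWW-Authenticate challenge depending on which entry point is wired), an authenticated user without the required role goes to the AccessDeniedHandler (403), and with NullSecurityContextRepository no session cookie is ever set. The user table, the per-path role rules and the 404 for unmapped paths are constructed for the demo, and passwords are compared in clear only because the article's configuration is what is being modelled.

```python
"""ExceptionTranslationFilter behaviour for the stateless Basic chain, as an
added model (not the article's or Spring Security's code). Users and rules are constructed."""
import hmac
from typing import Callable, Dict, Optional, Set, Tuple

Response = Tuple[int, Dict[str, str]]
Credentials = Optional[Tuple[str, str]]

# Constructed sample data: username -> (password, roles), path -> required role
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("alice-pw", {"ROLE_USER"}),
    "bob": ("bob-pw", {"ROLE_USER", "ROLE_ADMIN"}),
}
RULES: Dict[str, str] = {"/api/books": "ROLE_USER", "/api/admin": "ROLE_ADMIN"}


def stock_entry_point(realm: str = "Grails Realm") -> Response:
    """BasicAuthenticationEntryPoint.commence: 401 plus a challenge, so browsers prompt."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def custom_entry_point() -> Response:
    """CustomBasicAuthenticationEntryPoint.commence: bare 401, no challenge, no browser prompt."""
    return 401, {}


def access_denied_handler() -> Response:
    """AccessDeniedHandlerImpl with no error page configured: plain 403."""
    return 403, {}


def handle(path: str, credentials: Credentials,
           entry_point: Callable[[], Response] = custom_entry_point,
           stateless: bool = True) -> Response:
    """Walk the chain: BasicAuthenticationFilter authenticates, the security
    interceptor authorizes, and failures are translated the way
    ExceptionTranslationFilter does it."""
    principal, roles = None, set()
    if credentials is not None:
        username, password = credentials
        record = USERS.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return entry_point()            # BadCredentialsException -> entry point
        principal, roles = username, record[1]
    required = RULES.get(path)
    if required is None:
        return 404, {}                      # hypothetical: path not mapped by the demo rules
    if required not in roles:
        # AccessDeniedException: anonymous -> entry point, authenticated -> access denied handler
        return entry_point() if principal is None else access_denied_handler()
    headers: Dict[str, str] = {}
    if not stateless:
        # HttpSessionSecurityContextRepository would save the context; the container sets a cookie
        headers["Set-Cookie"] = "JSESSIONID=<session-id>; Path=/; HttpOnly"
    return 200, headers


if __name__ == "__main__":
    print(handle("/api/books", None))                        # (401, {})
    print(handle("/api/books", None, stock_entry_point))     # (401, {'WWW-Authenticate': 'Basic realm="Grails Realm"'})
    print(handle("/api/admin", ("alice", "alice-pw")))       # (403, {})
    print(handle("/api/admin", ("bob", "bob-pw")))           # (200, {})
```

Swapping stock_entry_point for custom_entry_point changes only the headers of the 401, which is what suppresses the browser dialog; it does not turn the 403 for an under-privileged user into a 401, so the AngularJS client should handle both statuses.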

Sample codes
