我使用Groovy 2.0在Grails 2.2.3中有一个项目。我在Spring Security中设置了使用CAS进行身份验证,使用LDAP进行用户角色。当我运行应用程序时,一切都按预期工作:任何人都可以访问/ appcontext /,而/ appcontext / admin /下的任何内容都由CAS和来自LDAP的管理员角色保护。我正在尝试使用最新版本的Grails和Groovy。我安装了GGTS 3.4.0.RELEASE并使用Grails 2.3.0和Groovy 2.1。我创建了一个新项目,创建了一个简单的域类和控制器,并添加到安全设置中。
使用Grails 2.2.3和Groovy 2.0运行带有GGTS 3.3.0.RELEASE的应用程序时的输出:(注意“服务器运行”消息的位置)
| Loading Grails 2.2.3
| Configuring classpath.
| Environment set to development.....
| Packaging Grails application.....
| Running Grails application
Configuring Spring Security Core ...
... finished configuring Spring Security Core
Configuring Spring Security CAS ...
... finished configuring Spring Security CAS
Configuring Spring Security LDAP ...
... finished configuring Spring Security LDAP
| Server running. Browse to http://localhost:8080/appcontext
使用Grails 2.3.0和Groovy 2.1运行带有GGTS 3.4.0.RELEASE的应用程序时,这是我的输出(请注意“服务器正在运行”消息的位置):
| Loading Grails 2.3.0
| Configuring classpath.
| Environment set to development.....
| Packaging Grails application.....
| Compiling 1 source files.....
| Running Grails application
| Server running. Browse to http://localhost:8080/appcontext
Configuring Spring Security Core ...
... finished configuring Spring Security Core
Configuring Spring Security LDAP ...
... finished configuring Spring Security LDAP
Error initializing the application: No bean named 'casAuthenticationProvider' is defined
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'casAuthenticationProvider' is defined
at SpringSecurityCoreGrailsPlugin$_createBeanList_closure22.doCall(SpringSecurityCoreGrailsPlugin.groovy:686)
at SpringSecurityCoreGrailsPlugin.createBeanList(SpringSecurityCoreGrailsPlugin.groovy:686)
at SpringSecurityCoreGrailsPlugin$_closure4.doCall(SpringSecurityCoreGrailsPlugin.groovy:615)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
| Error 2013-10-15 11:33:02,925 [localhost-startStop-1] ERROR context.GrailsContextLoader - Error initializing the application: No bean named 'casAuthenticationProvider' is defined
Message: No bean named 'casAuthenticationProvider' is defined
Line | Method
->> 686 | doCall in SpringSecurityCoreGrailsPlugin$_createBeanList_closure22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 615 | doCall in SpringSecurityCoreGrailsPlugin$_closure4
| 303 | innerRun . . . in java.util.concurrent.FutureTask$Sync
| 138 | run in java.util.concurrent.FutureTask
| 886 | runTask . . . in java.util.concurrent.ThreadPoolExecutor$Worker
| 908 | run in ''
^ 662 | run . . . . . in java.lang.Thread
schema export unsuccessful
org.h2.jdbc.JdbcSQLException: Database is already closed (to disable automatic closing at VM shutdown, add ";DB_CLOSE_ON_EXIT=FALSE" to the db URL) [90121-170]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:329)
at org.h2.message.DbException.get(DbException.java:169)
at org.h2.message.DbException.get(DbException.java:146)
at org.h2.message.DbException.get(DbException.java:135)
at org.h2.jdbc.JdbcConnection.checkClosed(JdbcConnection.java:1391)
at org.h2.jdbc.JdbcConnection.checkClosed(JdbcConnection.java:1366)
at org.h2.jdbc.JdbcConnection.getAutoCommit(JdbcConnection.java:424)
at java.lang.Thread.run(Thread.java:662)
| Error 2013-10-15 11:33:03,071 [Thread-9] ERROR hbm2ddl.SchemaExport - schema export unsuccessful
Message: Database is already closed (to disable automatic closing at VM shutdown, add ";DB_CLOSE_ON_EXIT=FALSE" to the db URL) [90121-170]
Line | Method
->> 329 | getJdbcSQLException in org.h2.message.DbException
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 169 | get in ''
| 146 | get . . . . . . . . in ''
| 135 | get in ''
| 1391 | checkClosed . . . . in org.h2.jdbc.JdbcConnection
| 1366 | checkClosed in ''
| 424 | getAutoCommit . . . in ''
^ 662 | run in java.lang.Thread
| Error Forked Grails VM exited with error
这是我的基本安全设置:
conf / spring / resources.groovy
import org.apache.commons.lang.StringEscapeUtils
// Place your Spring DSL code here
beans = {
// load ldap roles from spring security
def ldapUrl = StringEscapeUtils.escapeJava('${ldap.defaultUrl}')
def ldapUser = StringEscapeUtils.escapeJava('${ldap.username}')
def ldapPassword = StringEscapeUtils.escapeJava('${ldap.password}')
def ldapBase = StringEscapeUtils.escapeJava('${ldap.base}')
def ldapRoleSearchBase = StringEscapeUtils.escapeJava('${ldap.roleSearchBase}')
initialDirContextFactory(org.springframework.security.ldap.DefaultSpringSecurityContextSource, ldapUrl){
userDn = ldapUser
password = ldapPassword
}
ldapUserSearch(org.springframework.security.ldap.search.FilterBasedLdapUserSearch,
ldapBase, 'sAMAccountName={0}', initialDirContextFactory){ }
ldapAuthoritiesPopulator(org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator,
initialDirContextFactory, ldapRoleSearchBase){
groupRoleAttribute = 'cn'
groupSearchFilter = 'member={0}'
searchSubtree = true
rolePrefix = 'ROLE_'
convertToUpperCase = true
ignorePartialResultException = true
}
userDetailsService(org.springframework.security.ldap.userdetails.LdapUserDetailsService,ldapUserSearch,ldapAuthoritiesPopulator){ }
}
conf / Config.groovy
def appName = grails.util.Metadata.current.getApplicationName()
environments {
development {
grails.logging.jul.usebridge = true
host.ip = "12.34.56.78"
host.port = "8080"
host.securePort = "8080"
ldap.username = "ldapUsername"
ldap.password = "ldapPassword"
ldap.base = "DC=foo,DC=company,DC=com"
ldap.roleSearchBase = "OU=bar,DC=foo,DC=company,DC=com"
ldap.defaultUrl = "ldap://123.45.67.89:389"
ldap.urls = "ldap://123.45.67.89:389 ldap://123.45.67.89:389"
cas.url = "https://sso.company.com/cas/"
cas.loginUrl = "https://sso.company.com/cas/login"
cas.logoutUrl = "https://sso.company.com/cas/logout"
grails.plugins.springsecurity.cas.serviceUrl = 'http://${host.ip}:${host.securePort}/' + appName +'/j_spring_cas_security_check'
grails.plugins.springsecurity.cas.proxyCallbackUrl = 'http://${host.ip}:${host.securePort}/' + appName +'/secure/receptor'
}
production {
grails.logging.jul.usebridge = false
grails.plugins.springsecurity.cas.serviceUrl = 'https://${host.ip}:${host.securePort}/' + appName +'/j_spring_cas_security_check'
grails.plugins.springsecurity.cas.proxyCallbackUrl = 'https://${host.ip}:${host.securePort}/' + appName +'/secure/receptor'
}
}
//spring security core config
grails.plugins.springsecurity.providerNames = ['casAuthenticationProvider']
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/admin/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/admin/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/admin/**': ['hasAnyRole("ROLE_ADMIN")'],
'/**': ['IS_AUTHENTICATED_ANONYMOUSLY']
]
//cas config
grails.plugins.springsecurity.cas.loginUri = 'login'
grails.plugins.springsecurity.cas.serverUrlPrefix = '${cas.url}'
grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
CONF / BuildConfig.groovy
compile ":spring-security-core:1.2.7.3"
compile ":spring-security-cas:1.0.5"
compile ":spring-security-ldap:1.0.6"
修改 使用下面接受的答案的建议,我能够正确配置Spring Security CAS,但我的控制器仍然是不安全的。我认为它与那个奇怪的加载顺序有关,其中app服务器说它正在运行,然后它加载Spring Security,LDAP和CAS。同事建议取出我的InterceptUrlMap并使用@Secured注释来查看它是否是加载顺序(因为InterceptUrlMap在所有内容都启动并运行后无法更新)。我摆脱了rejectIfNoRule,securityConfigType和interceptUrlMap设置,并将@Secured(['ROLE_ADMIN'])添加到控制器。该应用程序现在按预期工作,并且该控制器是安全的。
因此,Grails 2.3.0和Spring Security的事件顺序仍然存在问题,但这是一种解决方法。
答案 0 :(得分:3)
我看到同样的事情。在Grails 2.3.0下,看起来DefaultCasSecurityConfig.groovy的CAS插件默认值未正确合并。可能值得一个JIRA。在此期间,您可以通过向Config.groovy添加默认值(覆盖您的环境)来继续前进:
grails.plugins.springsecurity.cas.active = true
grails.plugins.springsecurity.cas.loginUri = null // must be set, e.g. '/login'
grails.plugins.springsecurity.cas.sendRenew = false
grails.plugins.springsecurity.cas.serviceUrl = null // must be set, e.g. 'http://localhost:8080/myapp/j_spring_cas_security_check'
grails.plugins.springsecurity.cas.serverUrlPrefix = null // must be set, e.g. 'http://localhost:9090/cas'
grails.plugins.springsecurity.cas.serverUrlEncoding = 'UTF-8'
grails.plugins.springsecurity.cas.key = 'grails-spring-security-cas'
grails.plugins.springsecurity.cas.artifactParameter = 'ticket'
grails.plugins.springsecurity.cas.serviceParameter = 'service'
grails.plugins.springsecurity.cas.filterProcessesUrl = '/j_spring_cas_security_check'
grails.plugins.springsecurity.cas.proxyCallbackUrl = null // should be set, e.g. 'http://localhost:8080/myapp/secure/receptor'
grails.plugins.springsecurity.cas.proxyReceptorUrl = null // should be set, e.g. '/secure/receptor'
grails.plugins.springsecurity.cas.useSingleSignout = true
答案 1 :(得分:0)
我知道这个帖子有点旧,但我在2.0-RC1中遇到同样的问题时偶然发现它。
我发现SpringSecurityCasGrailsPlugin.groovy中没有加载默认配置。这是在很久以前修复的Tomcat上部署.War文件时发生的问题。为该修复添加的代码(如果允许执行)为我修复了这个新问题。我只是强迫if条件始终为真,如下所示(代码来自SpringSecurityCasGrailsPlugin.groovy中的第105行):
if (true /*application.warDeployed*/) {
// need to load secondary here since web.xml was already built, so
// doWithWebDescriptor isn't called when deployed as war
SpringSecurityUtils.loadSecondaryConfig 'DefaultCasSecurityConfig'
conf = SpringSecurityUtils.securityConfig
}
(只有if语句更改,其余代码用于说明)。
我不知道这可能带来什么副作用(我还没知道......)。似乎run-app命令可能存在差异,使其表现得像.war部署或其他什么。无论如何,我当然会犹豫是否以这种方式部署生产应用程序,并且会选择手动创建所有配置选项,就像在接受的答案中一样。但也许这会给那些能够找出真正问题的人提供见解。