Context Navigation

source: branches/TaskRewrite/src/plugins/acegi-0.5.1/AcegiGrailsPlugin.groovy @ 61

Last change on this file since 61 was 58, checked in by gav, 17 years ago
Configure BootStrap? with latest concepts. Install and setup Acegi plugin with custom views. Test Fixture plugin in a test app but couldn't get it to work with Acegi encodePassword() so gave up.
File size: 33.3 KB

Rev	Line
[58]	1	import grails.util.GrailsUtil
	2
	3	import org.codehaus.groovy.grails.commons.ControllerArtefactHandler
	4
	5	import org.codehaus.groovy.grails.plugins.springsecurity.AnnotationFilterInvocationDefinition
	6	import org.codehaus.groovy.grails.plugins.springsecurity.AuthenticatedVetoableDecisionManager
	7	import org.codehaus.groovy.grails.plugins.springsecurity.AuthorizeTools
	8	import org.codehaus.groovy.grails.plugins.springsecurity.GrailsAccessDeniedHandlerImpl
	9	import org.codehaus.groovy.grails.plugins.springsecurity.GrailsAuthenticationProcessingFilter
	10	import org.codehaus.groovy.grails.plugins.springsecurity.GrailsDaoAuthenticationProvider
	11	import org.codehaus.groovy.grails.plugins.springsecurity.GrailsDaoImpl
	12	import org.codehaus.groovy.grails.plugins.springsecurity.IpAddressFilter
	13	import org.codehaus.groovy.grails.plugins.springsecurity.LogoutFilterFactoryBean
	14	import org.codehaus.groovy.grails.plugins.springsecurity.QuietMethodSecurityInterceptor
	15	import org.codehaus.groovy.grails.plugins.springsecurity.RequestmapFilterInvocationDefinition
	16	import org.codehaus.groovy.grails.plugins.springsecurity.Secured as SecuredController
	17	import org.codehaus.groovy.grails.plugins.springsecurity.SecurityAnnotationAttributes
	18	import org.codehaus.groovy.grails.plugins.springsecurity.SecurityEventListener
	19	import org.codehaus.groovy.grails.plugins.springsecurity.WithAjaxAuthenticationProcessingFilterEntryPoint
	20
	21	import org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator
	22	import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator
	23	import org.springframework.beans.factory.config.RuntimeBeanReference
	24	import org.springframework.cache.ehcache.EhCacheFactoryBean
	25	import org.springframework.cache.ehcache.EhCacheManagerFactoryBean
	26	import org.springframework.security.annotation.Secured as SecuredService
	27	import org.springframework.security.context.HttpSessionContextIntegrationFilter
	28	import org.springframework.security.context.SecurityContextHolder as SCH
	29	import org.springframework.security.event.authentication.LoggerListener
	30	import org.springframework.security.intercept.method.MethodDefinitionAttributes
	31	import org.springframework.security.intercept.web.FilterSecurityInterceptor
	32	import org.springframework.security.ui.ExceptionTranslationFilter
	33	import org.springframework.security.ui.basicauth.BasicProcessingFilter
	34	import org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint
	35	import org.springframework.security.ui.logout.LogoutHandler
	36	import org.springframework.security.ui.logout.SecurityContextLogoutHandler
	37	import org.springframework.security.ui.rememberme.NullRememberMeServices
	38	import org.springframework.security.ui.rememberme.RememberMeProcessingFilter
	39	import org.springframework.security.ui.rememberme.TokenBasedRememberMeServices
	40	import org.springframework.security.ui.session.HttpSessionEventPublisher
	41	import org.springframework.security.ui.switchuser.SwitchUserProcessingFilter
	42	import org.springframework.security.ui.webapp.AuthenticationProcessingFilter
	43	import org.springframework.security.util.AntUrlPathMatcher
	44	import org.springframework.security.util.PortMapperImpl
	45	import org.springframework.security.util.PortResolverImpl
	46	import org.springframework.security.util.RegexUrlPathMatcher
	47	import org.springframework.security.providers.ProviderManager
	48	import org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider
	49	import org.springframework.security.providers.anonymous.AnonymousProcessingFilter
	50	import org.springframework.security.providers.dao.cache.EhCacheBasedUserCache
	51	import org.springframework.security.providers.dao.cache.NullUserCache
	52	import org.springframework.security.providers.encoding.MessageDigestPasswordEncoder
	53	import org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider
	54	import org.springframework.security.securechannel.ChannelDecisionManagerImpl
	55	import org.springframework.security.securechannel.ChannelProcessingFilter
	56	import org.springframework.security.securechannel.InsecureChannelProcessor
	57	import org.springframework.security.securechannel.RetryWithHttpEntryPoint
	58	import org.springframework.security.securechannel.RetryWithHttpsEntryPoint
	59	import org.springframework.security.securechannel.SecureChannelProcessor
	60	import org.springframework.security.util.FilterChainProxy
	61	import org.springframework.security.util.FilterToBeanProxy
	62	import org.springframework.security.vote.AuthenticatedVoter
	63	import org.springframework.security.vote.RoleVoter
	64	import org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter
	65	import org.springframework.web.filter.DelegatingFilterProxy
	66
	67	/**
	68	* Grails Spring Security 2.0 Plugin.
	69	*
	70	* @author T.Yamamoto
	71	* @author Haotian Sun
	72	* @author <a href='mailto:beckwithb@studentsonly.com'>Burt Beckwith</a>
	73	*/
	74	class AcegiGrailsPlugin {
	75
	76	private static final String DEFINITION_SOURCE_PREFIX =
	77	'CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\n' +
	78	'PATTERN_TYPE_APACHE_ANT\n'
	79
	80	String version = '0.5.1'
	81	String author = 'Tsuyoshi Yamamoto'
	82	String authorEmail = 'tyama@xmldo.jp'
	83	String title = 'Grails Spring Security 2.0 Plugin'
	84	String description = 'Plugin to use Grails domain class and secure your applications with Spring Security filters.'
	85	String documentation = 'http://grails.org/AcegiSecurity+Plugin'
	86	List observe = ['controllers']
	87	List loadAfter = ['controllers']
	88	List watchedResources = [
	89	'file:./grails-app/controllers/*/Controller.groovy',
	90	'file:./plugins//grails-app/controllers//Controller.groovy',
	91	'file:./grails-app/conf/SecurityConfig.groovy'
	92	]
	93	Map dependsOn = [:]
	94
	95	def doWithSpring = {
	96
	97	def conf = AuthorizeTools.securityConfig.security
	98	if (!conf \|\| !conf.active) {
	99	println '[active=false] Spring Security not loaded'
	100	return
	101	}
	102
	103	println 'loading security config ...'
	104
	105	createRefList.delegate = delegate
	106
	107	/** springSecurityFilterChain */
	108	configureFilterChain.delegate = delegate
	109	configureFilterChain conf
	110
	111	// OpenID
	112	if (conf.useOpenId) {
	113	configureOpenId.delegate = delegate
	114	configureOpenId conf
	115	}
	116
	117	// Facebook Connect
	118	if (conf.useFacebook) {
	119	configureFacebook.delegate = delegate
	120	configureFacebook conf
	121	}
	122
	123	// logout
	124	configureLogout.delegate = delegate
	125	configureLogout conf
	126
	127	// Basic Auth
	128	configureBasicAuth.delegate = delegate
	129	configureBasicAuth conf
	130
	131	/** httpSessionContextIntegrationFilter */
	132	httpSessionContextIntegrationFilter(HttpSessionContextIntegrationFilter)
	133
	134	/** authenticationProcessingFilter */
	135	authenticationProcessingFilter(GrailsAuthenticationProcessingFilter) {
	136	authenticationManager = ref('authenticationManager')
	137	authenticationFailureUrl = conf.authenticationFailureUrl //'/login/authfail?login_error=1'
	138	ajaxAuthenticationFailureUrl = conf.ajaxAuthenticationFailureUrl // /login/authfail?ajax=true
	139	defaultTargetUrl = conf.defaultTargetUrl // '/'
	140	alwaysUseDefaultTargetUrl = conf.alwaysUseDefaultTargetUrl // false
	141	filterProcessesUrl = conf.filterProcessesUrl // '/j_spring_security_check'
	142	rememberMeServices = ref('rememberMeServices')
	143	authenticateService = ref('authenticateService')
	144	}
	145
	146	/** securityContextHolderAwareRequestFilter */
	147	securityContextHolderAwareRequestFilter(SecurityContextHolderAwareRequestFilter) {
	148	portResolver = ref('portResolver')
	149	}
	150
	151	/** rememberMeProcessingFilter */
	152	rememberMeProcessingFilter(RememberMeProcessingFilter) {
	153	authenticationManager = ref('authenticationManager')
	154	rememberMeServices = ref('rememberMeServices')
	155	}
	156
	157	/** rememberMeServices */
	158	if (conf.useOpenId \|\| conf.useFacebook) {
	159	// auth is external, so no password, so cookie isn't possible
	160	rememberMeServices(NullRememberMeServices)
	161	}
	162	else {
	163	rememberMeServices(TokenBasedRememberMeServices) {
	164	userDetailsService = ref('userDetailsService')
	165	key = conf.rememberMeKey
	166	cookieName = conf.cookieName
	167	alwaysRemember = conf.alwaysRemember
	168	tokenValiditySeconds = conf.tokenValiditySeconds
	169	parameter = conf.parameter
	170	}
	171	}
	172
	173	/** anonymousProcessingFilter */
	174	anonymousProcessingFilter(AnonymousProcessingFilter) {
	175	key = conf.key // 'foo'
	176	userAttribute = conf.userAttribute //'anonymousUser,ROLE_ANONYMOUS'
	177	}
	178
	179	/** exceptionTranslationFilter */
	180	exceptionTranslationFilter(ExceptionTranslationFilter) {
	181	authenticationEntryPoint = ref('authenticationEntryPoint')
	182	accessDeniedHandler = ref('accessDeniedHandler')
	183	portResolver = ref('portResolver')
	184	}
	185	accessDeniedHandler(GrailsAccessDeniedHandlerImpl) {
	186	errorPage = conf.errorPage == 'null' ? null : conf.errorPage // '/login/denied' or 403
	187	ajaxErrorPage = conf.ajaxErrorPage
	188	portResolver = ref('portResolver')
	189	if (conf.ajaxHeader) {
	190	ajaxHeader = conf.ajaxHeader //default: X-Requested-With
	191	}
	192	}
	193
	194	if (!conf.useNtlm) {
	195	authenticationEntryPoint(WithAjaxAuthenticationProcessingFilterEntryPoint) {
	196	loginFormUrl = conf.loginFormUrl // '/login/auth'
	197	forceHttps = conf.forceHttps // 'false'
	198	ajaxLoginFormUrl = conf.ajaxLoginFormUrl // '/login/authAjax'
	199	if (conf.ajaxHeader) {
	200	ajaxHeader = conf.ajaxHeader //default: X-Requested-With
	201	}
	202	portMapper = ref('portMapper')
	203	portResolver = ref('portResolver')
	204	}
	205	}
	206
	207	// voters
	208	configureVoters.delegate = delegate
	209	configureVoters conf
	210
	211	/** filterInvocationInterceptor */
	212	filterInvocationInterceptor(FilterSecurityInterceptor) {
	213	authenticationManager = ref('authenticationManager')
	214	accessDecisionManager = ref('accessDecisionManager')
	215	if (conf.useControllerAnnotations \|\| conf.useRequestMapDomainClass) {
	216	objectDefinitionSource = ref('objectDefinitionSource')
	217	}
	218	else {
	219	objectDefinitionSource = conf.requestMapString
	220	}
	221	}
	222	if (conf.useControllerAnnotations) {
	223	objectDefinitionSource(AnnotationFilterInvocationDefinition) {
	224	boolean lowercase = conf.controllerAnnotationsMatchesLowercase
	225	if ('ant'.equals(conf.controllerAnnotationsMatcher)) {
	226	urlMatcher = new AntUrlPathMatcher(lowercase)
	227	}
	228	else {
	229	urlMatcher = new RegexUrlPathMatcher(lowercase)
	230	}
	231	if (conf.controllerAnnotationsRejectIfNoRule instanceof Boolean) {
	232	rejectIfNoRule = conf.controllerAnnotationsRejectIfNoRule
	233	}
	234	}
	235	}
	236	else if (conf.useRequestMapDomainClass) {
	237	objectDefinitionSource(RequestmapFilterInvocationDefinition) {
	238	requestMapClass = conf.requestMapClass
	239	requestMapPathFieldName = conf.requestMapPathField
	240	requestMapConfigAttributeField = conf.requestMapConfigAttributeField
	241	urlMatcher = new AntUrlPathMatcher(true)
	242	}
	243	}
	244
	245	/** anonymousAuthenticationProvider */
	246	anonymousAuthenticationProvider(AnonymousAuthenticationProvider) {
	247	key = conf.key // 'foo'
	248	}
	249	/** rememberMeAuthenticationProvider */
	250	rememberMeAuthenticationProvider(RememberMeAuthenticationProvider) {
	251	key = conf.rememberMeKey
	252	}
	253
	254	// authenticationManager
	255	configureAuthenticationManager.delegate = delegate
	256	configureAuthenticationManager conf
	257
	258	/** daoAuthenticationProvider */
	259	daoAuthenticationProvider(GrailsDaoAuthenticationProvider) {
	260	userDetailsService = ref('userDetailsService')
	261	passwordEncoder = ref('passwordEncoder')
	262	userCache = ref('userCache')
	263	}
	264
	265	/** passwordEncoder */
	266	passwordEncoder(MessageDigestPasswordEncoder, conf.algorithm) {
	267	if (conf.encodeHashAsBase64) {
	268	encodeHashAsBase64 = true
	269	}
	270	}
	271
	272	// user details cache
	273	if (conf.cacheUsers) {
	274	userCache(EhCacheBasedUserCache) {
	275	cache = ref('securityUserCache')
	276	}
	277	securityUserCache(EhCacheFactoryBean) {
	278	cacheManager = ref('cacheManager')
	279	cacheName = 'userCache'
	280	}
	281	cacheManager(EhCacheManagerFactoryBean)
	282	}
	283	else {
	284	userCache(NullUserCache)
	285	}
	286
	287	/** userDetailsService */
	288	userDetailsService(GrailsDaoImpl) {
	289	usernameFieldName = conf.userName
	290	passwordFieldName = conf.password
	291	enabledFieldName = conf.enabled
	292	authorityFieldName = conf.authorityField
	293	loginUserDomainClass = conf.loginUserDomainClass
	294	relationalAuthoritiesField = conf.relationalAuthorities
	295	authoritiesMethodName = conf.getAuthoritiesMethod
	296	sessionFactory = ref('sessionFactory')
	297	authenticateService = ref('authenticateService')
	298	}
	299
	300	/** loggerListener ( log4j.logger.org.springframework.security=info,stdout ) */
	301	if (conf.useLogger) {
	302	loggerListener(LoggerListener)
	303	}
	304
	305	// port mappings for channel security, etc.
	306	portMapper(PortMapperImpl) {
	307	portMappings = [(conf.httpPort.toString()) : conf.httpsPort.toString()]
	308	}
	309	portResolver(PortResolverImpl) {
	310	portMapper = portMapper
	311	}
	312
	313	daacc(DefaultAdvisorAutoProxyCreator)
	314
	315	// experiment on Annotation and MethodSecurityInterceptor for secure services
	316	configureAnnotatedServices.delegate = delegate
	317	configureAnnotatedServices conf
	318
	319	// simple email service
	320	configureMail.delegate = delegate
	321	configureMail conf
	322
	323	// Switch User
	324	if (conf.switchUserProcessingFilter) {
	325	switchUserProcessingFilter(SwitchUserProcessingFilter) {
	326	userDetailsService = ref('userDetailsService')
	327	switchUserUrl = conf.swswitchUserUrl
	328	exitUserUrl = conf.swexitUserUrl
	329	targetUrl = conf.swtargetUrl
	330	}
	331	}
	332
	333	// LDAP
	334	if (conf.useLdap) {
	335	configureLdap.delegate = delegate
	336	configureLdap conf
	337	}
	338
	339	// SecurityEventListener
	340	securityEventListener(SecurityEventListener) {
	341	authenticateService = ref('authenticateService')
	342	}
	343
	344	// Kerberos
	345	if (conf.useKerberos) {
	346	configureKerberos.delegate = delegate
	347	configureKerberos conf
	348	}
	349
	350	// NTLM
	351	if (conf.useNtlm) {
	352	configureNtlm.delegate = delegate
	353	configureNtlm conf
	354	}
	355
	356	// CAS
	357	if (conf.useCAS) {
	358	configureCAS.delegate = delegate
	359	configureCAS conf
	360	}
	361
	362	// channel (http/https) security
	363	if (useSecureChannel(conf)) {
	364	configureChannelProcessingFilter.delegate = delegate
	365	configureChannelProcessingFilter conf
	366	}
	367
	368	// IP filter
	369	if (conf.ipRestrictions) {
	370	configureIpFilter.delegate = delegate
	371	configureIpFilter conf
	372	}
	373	}
	374
	375	private boolean useSecureChannel(conf) {
	376	return conf.secureChannelDefinitionSource \|\| conf.channelConfig.secure \|\| conf.channelConfig.insecure
	377	}
	378
	379	// OpenID
	380	private def configureOpenId = { conf ->
	381	openIDAuthProvider(org.codehaus.groovy.grails.plugins.springsecurity.openid.GrailsOpenIdAuthenticationProvider) {
	382	userDetailsService = ref('userDetailsService')
	383	}
	384	openIDStore(org.openid4java.consumer.InMemoryConsumerAssociationStore)
	385	openIDNonceVerifier(org.openid4java.consumer.InMemoryNonceVerifier, conf.openIdNonceMaxSeconds) // 300 seconds
	386	openIDConsumerManager(org.openid4java.consumer.ConsumerManager) {
	387	nonceVerifier = openIDNonceVerifier
	388	}
	389	openIDConsumer(org.springframework.security.ui.openid.consumers.OpenID4JavaConsumer, openIDConsumerManager)
	390	openIDAuthenticationProcessingFilter(org.springframework.security.ui.openid.OpenIDAuthenticationProcessingFilter) {
	391	authenticationManager = ref('authenticationManager')
	392	authenticationFailureUrl = conf.authenticationFailureUrl //'/login/authfail?login_error=1' // /spring_security_login?login_error
	393	defaultTargetUrl = conf.defaultTargetUrl // '/'
	394	filterProcessesUrl = '/j_spring_openid_security_check' // not configurable
	395	rememberMeServices = ref('rememberMeServices')
	396	consumer = openIDConsumer
	397	}
	398	}
	399
	400	// Facebook
	401	private def configureFacebook = { conf ->
	402	facebookAuthProvider(org.codehaus.groovy.grails.plugins.springsecurity.facebook.FacebookAuthenticationProvider) {
	403	userDetailsService = ref('userDetailsService')
	404	}
	405	facebookAuthenticationProcessingFilter(org.codehaus.groovy.grails.plugins.springsecurity.facebook.FacebookAuthenticationProcessingFilter) {
	406	authenticationManager = ref('authenticationManager')
	407	authenticationFailureUrl = conf.authenticationFailureUrl //'/login/authfail?login_error=1' // /spring_security_login?login_error
	408	defaultTargetUrl = conf.defaultTargetUrl // '/'
	409	filterProcessesUrl = conf.facebook.filterProcessesUrl // '/j_spring_facebook_security_check'
	410	apiKey = conf.facebook.apiKey
	411	secretKey = conf.facebook.secretKey
	412	authenticationUrlRoot = conf.facebook.authenticationUrlRoot // http://www.facebook.com/login.php?v=1.0&api_key=
	413	rememberMeServices = ref('rememberMeServices')
	414	}
	415	facebookLogoutHandler(org.codehaus.groovy.grails.plugins.springsecurity.facebook.FacebookLogoutHandler) {
	416	apiKey = conf.facebook.apiKey
	417	}
	418	}
	419
	420	private def configureCAS = { conf ->
	421	String casHost = conf.cas.casServer ?: 'localhost'
	422	int casPort = (conf.cas.casServerPort ?: '443').toInteger()
	423	String casFilterProcessesUrl = conf.cas.filterProcessesUrl ?: '/j_spring_cas_security_check'
	424	boolean sendRenew = Boolean.valueOf(conf.cas.sendRenew ?: false)
	425	String proxyReceptorUrl = conf.cas.proxyReceptorUrl ?: '/secure/receptor'
	426	String applicationHost = System.getProperty('server.host') ?: 'localhost'
	427	int applicationPort = (System.getProperty('server.port') ?: 8080).toInteger()
	428	String appName = application.metadata['app.name']
	429	String casHttp = conf.cas.casServerSecure ? 'https' : 'http'
	430	String localHttp = conf.cas.localhostSecure ? 'https' : 'http'
	431
	432	proxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl)
	433
	434	casProcessingFilter(org.springframework.security.ui.cas.CasProcessingFilter) {
	435	authenticationManager = ref('authenticationManager')
	436	authenticationFailureUrl = conf.cas.failureURL ?: '/denied.jsp'
	437	defaultTargetUrl = conf.cas.defaultTargetURL ?: '/'
	438	filterProcessesUrl = casFilterProcessesUrl
	439	proxyGrantingTicketStorage = proxyGrantingTicketStorage
	440	proxyReceptorUrl = proxyReceptorUrl
	441	}
	442
	443	casServiceProperties(org.springframework.security.ui.cas.ServiceProperties) {
	444	service = "$localHttp://$applicationHost:$applicationPort/$appName$casFilterProcessesUrl"
	445	sendRenew = sendRenew
	446	}
	447
	448	String casLoginURL = conf.cas.fullLoginURL ?: "$casHttp://$casHost:$casPort/cas/login"
	449	authenticationEntryPoint(org.springframework.security.ui.cas.CasProcessingFilterEntryPoint) {
	450	loginUrl = casLoginURL
	451	serviceProperties = casServiceProperties
	452	}
	453
	454	String casServiceURL = conf.cas.fullServiceURL ?: "$casHttp://$casHost:$casPort/cas"
	455	cas20ServiceTicketValidator(org.jasig.cas.client.validation.Cas20ServiceTicketValidator, casServiceURL) {
	456	proxyGrantingTicketStorage = proxyGrantingTicketStorage
	457	proxyCallbackUrl = "$localHttp://$applicationHost:$applicationPort/$appName$proxyReceptorUrl"
	458	}
	459
	460	// the CAS authentication provider key doesn't need to be anything special, it just identifies individual providers
	461	// so that they can identify tokens it previously authenticated
	462	String casAuthenticationProviderKey = conf.cas.authenticationProviderKey ?: appName + System.currentTimeMillis()
	463	casAuthenticationProvider(org.springframework.security.providers.cas.CasAuthenticationProvider) {
	464	userDetailsService = ref(conf.cas.userDetailsService ?: 'userDetailsService')
	465	serviceProperties = casServiceProperties
	466	ticketValidator = cas20ServiceTicketValidator
	467	key = casAuthenticationProviderKey
	468	}
	469	}
	470
	471	private def configureLogout = { conf ->
	472
	473	securityContextLogoutHandler(SecurityContextLogoutHandler)
	474	def logoutHandlerNames = conf.logoutHandlerNames
	475	if (!logoutHandlerNames) {
	476	logoutHandlerNames = []
	477	if (conf.useFacebook) {
	478	logoutHandlerNames << 'facebookLogoutHandler'
	479	}
	480	else if (!conf.useOpenId) {
	481	logoutHandlerNames << 'rememberMeServices'
	482	}
	483	logoutHandlerNames << 'securityContextLogoutHandler'
	484	}
	485
	486	def logoutHandlers = createRefList(logoutHandlerNames)
	487	def afterLogoutUrl = conf.afterLogoutUrl // '/'
	488
	489	/** logoutFilter */
	490	logoutFilter(LogoutFilterFactoryBean) {
	491	logoutSuccessUrl = afterLogoutUrl
	492	handlers = logoutHandlers
	493	}
	494	}
	495
	496	private def configureBasicAuth = { conf ->
	497
	498	basicProcessingFilterEntryPoint(BasicProcessingFilterEntryPoint) {
	499	realmName = conf.realmName // 'Grails Realm'
	500	}
	501	basicProcessingFilter(BasicProcessingFilter) {
	502	authenticationManager = ref('authenticationManager')
	503	authenticationEntryPoint = basicProcessingFilterEntryPoint
	504	}
	505	}
	506
	507	private def configureVoters = { conf ->
	508
	509	roleVoter(RoleVoter)
	510
	511	authenticatedVoter(AuthenticatedVoter)
	512
	513	def decisionVoterNames = conf.decisionVoterNames
	514	if (!decisionVoterNames) {
	515	decisionVoterNames = ['authenticatedVoter', 'roleVoter']
	516	}
	517	def decisionVoterList = createRefList(decisionVoterNames)
	518	/** accessDecisionManager */
	519	accessDecisionManager(AuthenticatedVetoableDecisionManager) {
	520	allowIfAllAbstainDecisions = false
	521	decisionVoters = decisionVoterList
	522	}
	523	}
	524
	525	private def configureAuthenticationManager = { conf ->
	526
	527	def providerNames = conf.providerNames
	528	if (!providerNames) {
	529	providerNames = []
	530	if (conf.useKerberos) {
	531	providerNames << 'kerberosAuthProvider'
	532	}
	533	if (conf.useCAS) {
	534	providerNames << 'casAuthenticationProvider'
	535	}
	536	if (conf.useLdap) {
	537	providerNames << 'ldapAuthProvider'
	538	}
	539	if (conf.useFacebook) {
	540	providerNames << 'facebookAuthProvider'
	541	}
	542
	543	if (providerNames.empty) {
	544	providerNames << 'daoAuthenticationProvider'
	545	if (conf.useOpenId) {
	546	providerNames << 'openIDAuthProvider'
	547	}
	548	}
	549
	550	providerNames << 'anonymousAuthenticationProvider'
	551	providerNames << 'rememberMeAuthenticationProvider'
	552	}
	553
	554	def providerList = createRefList(providerNames)
	555	/** authenticationManager */
	556	authenticationManager(ProviderManager) {
	557	providers = providerList
	558	}
	559	}
	560
	561	private def configureAnnotatedServices = { conf ->
	562
	563	serviceSecureAnnotation(SecurityAnnotationAttributes)
	564
	565	serviceSecureAnnotationODS(MethodDefinitionAttributes) {
	566	attributes = serviceSecureAnnotation
	567	}
	568
	569	/** securityInteceptor */
	570	securityInteceptor(QuietMethodSecurityInterceptor) {
	571	validateConfigAttributes = false
	572	authenticationManager = ref('authenticationManager')
	573	accessDecisionManager = ref('accessDecisionManager')
	574	objectDefinitionSource = serviceSecureAnnotationODS
	575	throwException = true
	576	}
	577
	578	// load Services which have Annotations
	579	application.serviceClasses.each { serviceClass ->
	580	if (hasAnnotation(serviceClass.clazz)) {
	581	"${serviceClass.propertyName}Sec"(BeanNameAutoProxyCreator) {
	582	beanNames = serviceClass.propertyName
	583	interceptorNames = ['securityInteceptor']
	584	proxyTargetClass = true
	585	}
	586	}
	587	}
	588	}
	589
	590	private def configureMail = { conf ->
	591
	592	if (conf.useMail) {
	593	mailSender(org.springframework.mail.javamail.JavaMailSenderImpl) {
	594	host = conf.mailHost
	595	username = conf.mailUsername
	596	password = conf.mailPassword
	597	protocol = conf.mailProtocol
	598	port = conf.mailPort
	599	if (conf.javaMailProperties) {
	600	javaMailProperties = conf.javaMailProperties as Properties
	601	}
	602	}
	603
	604	mailMessage(org.springframework.mail.SimpleMailMessage) {
	605	from = conf.mailFrom
	606	}
	607	}
	608	}
	609
	610	private def configureLdap = { conf ->
	611
	612	contextSource(org.springframework.security.ldap.DefaultSpringSecurityContextSource, conf.ldapServer) {
	613	userDn = conf.ldapManagerDn
	614	password = conf.ldapManagerPassword
	615	}
	616
	617	ldapUserSearch(org.springframework.security.ldap.search.FilterBasedLdapUserSearch,
	618	conf.ldapSearchBase, conf.ldapSearchFilter, contextSource) {
	619	searchSubtree = conf.ldapSearchSubtree
	620	}
	621
	622	ldapAuthenticator(org.springframework.security.providers.ldap.authenticator.BindAuthenticator,
	623	contextSource) {
	624	userSearch = ldapUserSearch
	625	}
	626
	627	ldapUserDetailsMapper(org.codehaus.groovy.grails.plugins.springsecurity.ldap.GrailsLdapUserDetailsMapper) {
	628	userDetailsService = ref('userDetailsService')
	629	passwordAttributeName = conf.ldapPasswordAttributeName // 'userPassword'
	630	usePassword = conf.ldapUsePassword // true
	631	retrieveDatabaseRoles = conf.ldapRetrieveDatabaseRoles // false
	632	}
	633
	634	if (conf.ldapRetrieveGroupRoles) {
	635	ldapAuthoritiesPopulator(org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator,
	636	contextSource, conf.ldapGroupSearchBase) {
	637	groupRoleAttribute = conf.ldapGroupRoleAttribute
	638	groupSearchFilter = conf.ldapGroupSearchFilter
	639	searchSubtree = conf.ldapSearchSubtree
	640	}
	641	ldapAuthProvider(org.springframework.security.providers.ldap.LdapAuthenticationProvider,
	642	ldapAuthenticator, ldapAuthoritiesPopulator) {
	643	userDetailsContextMapper = ldapUserDetailsMapper
	644	}
	645	}
	646	else {
	647	// use the NullAuthoritiesPopulator
	648	ldapAuthProvider(org.springframework.security.providers.ldap.LdapAuthenticationProvider,
	649	ldapAuthenticator) {
	650	userDetailsContextMapper = ldapUserDetailsMapper
	651	}
	652	}
	653	}
	654
	655	private def configureKerberos = { conf ->
	656
	657	jaasNameCallbackHandler(org.springframework.security.providers.jaas.JaasNameCallbackHandler)
	658
	659	jaasPasswordCallbackHandler(org.springframework.security.providers.jaas.JaasPasswordCallbackHandler)
	660
	661	kerberosAuthProvider(org.codehaus.groovy.grails.plugins.springsecurity.kerberos.GrailsKerberosAuthenticationProvider) {
	662	authenticateService = ref('authenticateService')
	663	userDetailsService = ref('userDetailsService')
	664	loginConfig = conf.kerberosLoginConfigFile
	665	loginContextName = 'KrbAuthentication'
	666	callbackHandlers = [jaasNameCallbackHandler, jaasPasswordCallbackHandler]
	667	authorityGranters = []
	668	}
	669
	670	//TODO: Improve
	671	System.setProperty('java.security.krb5.realm', conf.kerberosRealm)
	672	System.setProperty('java.security.krb5.kdc', conf.kerberosKdc)
	673	}
	674
	675	private def configureNtlm = { conf ->
	676
	677	ntlmFilter(org.springframework.security.ui.ntlm.NtlmProcessingFilter) {
	678	stripDomain = conf.ntlm.stripDomain // true
	679	retryOnAuthFailure = conf.ntlm.retryOnAuthFailure // true
	680	defaultDomain = conf.ntlm.defaultDomain
	681	netbiosWINS = conf.ntlm.netbiosWINS
	682	forceIdentification = conf.ntlm.forceIdentification // false
	683	authenticationManager = ref('authenticationManager')
	684	}
	685
	686	authenticationEntryPoint(org.codehaus.groovy.grails.plugins.springsecurity.GrailsNtlmProcessingFilterEntryPoint) {
	687	authenticationFailureUrl = conf.authenticationFailureUrl
	688	}
	689	}
	690
	691	private def configureFilterChain = { conf ->
	692
	693	def filterNames = conf.filterNames
	694	if (!filterNames) {
	695	filterNames = []
	696
	697	if (useSecureChannel(conf)) {
	698	filterNames << 'channelProcessingFilter' // CHANNEL_FILTER
	699	}
	700
	701	// CONCURRENT_SESSION_FILTER
	702
	703	filterNames << 'httpSessionContextIntegrationFilter' // HTTP_SESSION_CONTEXT_FILTER
	704
	705	filterNames << 'logoutFilter' // LOGOUT_FILTER
	706
	707	if (conf.ipRestrictions) {
	708	filterNames << 'ipAddressFilter'
	709	}
	710
	711	// X509_FILTER
	712
	713	// PRE_AUTH_FILTER
	714
	715	if (conf.useCAS) {
	716	filterNames << 'casProcessingFilter' // CAS_PROCESSING_FILTER
	717	}
	718
	719	filterNames << 'authenticationProcessingFilter' // AUTHENTICATION_PROCESSING_FILTER
	720
	721	if (conf.useOpenId) {
	722	filterNames << 'openIDAuthenticationProcessingFilter' // OPENID_PROCESSING_FILTER
	723	}
	724
	725	if (conf.useFacebook) {
	726	filterNames << 'facebookAuthenticationProcessingFilter'
	727	}
	728
	729	// LOGIN_PAGE_FILTER
	730
	731	if (conf.basicProcessingFilter) {
	732	filterNames << 'basicProcessingFilter' // BASIC_PROCESSING_FILTER
	733	}
	734
	735	if (!conf.useNtlm) {
	736	// seems to remove NTLM authentication tokens
	737	filterNames << 'securityContextHolderAwareRequestFilter' // SERVLET_API_SUPPORT_FILTER
	738	}
	739
	740	filterNames << 'rememberMeProcessingFilter' // REMEMBER_ME_FILTER
	741
	742	filterNames << 'anonymousProcessingFilter' // ANONYMOUS_FILTER
	743
	744	filterNames << 'exceptionTranslationFilter' // EXCEPTION_TRANSLATION_FILTER
	745
	746	if (conf.useNtlm) {
	747	filterNames << 'ntlmFilter' // NTLM_FILTER
	748	}
	749
	750	// SESSION_FIXATION_FILTER
	751
	752	filterNames << 'filterInvocationInterceptor' // FILTER_SECURITY_INTERCEPTOR
	753
	754	if (conf.switchUserProcessingFilter) {
	755	filterNames << 'switchUserProcessingFilter' // SWITCH_USER_FILTER
	756	}
	757	}
	758	String joinedFilters = filterNames.join(',')
	759
	760	String definitionSource
	761	if (conf.filterInvocationDefinitionSource) {
	762	// if the entire string is set in the config, use that
	763	definitionSource = conf.filterInvocationDefinitionSource
	764	}
	765	else if (conf.filterInvocationDefinitionSourceMap) {
	766	// otherwise if there's a map of configs, use those
	767	definitionSource = DEFINITION_SOURCE_PREFIX
	768	conf.filterInvocationDefinitionSourceMap.each { key, value ->
	769	if (value == 'JOINED_FILTERS') {
	770	// special case to use either the filters defined by
	771	// conf.filterNames or the filters defined by config settings
	772	value = joinedFilters
	773	}
	774	definitionSource += "$key=$value\n"
	775	}
	776	}
	777	else {
	778	// otherwise build the default string - all urls guarded by all filters
	779	definitionSource = "$DEFINITION_SOURCE_PREFIX\n/**=$joinedFilters"
	780	}
	781	springSecurityFilterChain(FilterChainProxy) {
	782	filterInvocationDefinitionSource = definitionSource
	783	}
	784	}
	785
	786	private def configureChannelProcessingFilter = { conf ->
	787
	788	retryWithHttpEntryPoint(RetryWithHttpEntryPoint) {
	789	portMapper = ref('portMapper')
	790	portResolver = ref('portResolver')
	791	}
	792
	793	retryWithHttpsEntryPoint(RetryWithHttpsEntryPoint) {
	794	portMapper = ref('portMapper')
	795	portResolver = ref('portResolver')
	796	}
	797
	798	secureChannelProcessor(SecureChannelProcessor) {
	799	entryPoint = retryWithHttpsEntryPoint
	800	}
	801
	802	insecureChannelProcessor(InsecureChannelProcessor) {
	803	entryPoint = retryWithHttpEntryPoint
	804	}
	805
	806	channelDecisionManager(ChannelDecisionManagerImpl) {
	807	channelProcessors = [insecureChannelProcessor, secureChannelProcessor]
	808	}
	809
	810	String definitionSource
	811	if (conf.secureChannelDefinitionSource) {
	812	// if the entire string is set in the config, use that
	813	definitionSource = conf.secureChannelDefinitionSource
	814	}
	815	else {
	816	definitionSource = DEFINITION_SOURCE_PREFIX
	817	conf.channelConfig.secure.each { pattern ->
	818	definitionSource += "$pattern=REQUIRES_SECURE_CHANNEL\n"
	819	}
	820	conf.channelConfig.insecure.each { pattern ->
	821	definitionSource += "$pattern=REQUIRES_INSECURE_CHANNEL\n"
	822	}
	823	}
	824	channelProcessingFilter(ChannelProcessingFilter) {
	825	channelDecisionManager = channelDecisionManager
	826	filterInvocationDefinitionSource = definitionSource
	827	}
	828	}
	829
	830	private def configureIpFilter = { conf ->
	831	ipAddressFilter(IpAddressFilter) {
	832	ipRestrictions = conf.ipRestrictions
	833	}
	834	}
	835
	836	def doWithApplicationContext = { ctx ->
	837	// nothing to do
	838	}
	839
	840	def doWithWebDescriptor = { xml ->
	841
	842	def conf = AuthorizeTools.securityConfig.security
	843	if (!conf \|\| !conf.active) {
	844	return
	845	}
	846
	847	// we add the filter(s) right after the last context-param
	848	def contextParam = xml.'context-param'
	849
	850	// the name of the filter matches the name of the Spring bean that it delegates to
	851	contextParam[contextParam.size() - 1] + {
	852	'filter' {
	853	'filter-name'('springSecurityFilterChain')
	854	'filter-class'(DelegatingFilterProxy.name)
	855	}
	856	}
	857
	858	// add the filter-mapping after the Spring character encoding filter
	859	findMappingLocation.delegate = delegate
	860	def mappingLocation = findMappingLocation(xml)
	861	mappingLocation + {
	862	'filter-mapping'{
	863	'filter-name'('springSecurityFilterChain')
	864	'url-pattern'('/*')
	865	}
	866	}
	867
	868	if (conf.useHttpSessionEventPublisher) {
	869	def filterMapping = xml.'filter-mapping'
	870	filterMapping[filterMapping.size() - 1] + {
	871	'listener' {
	872	'listener-class'(HttpSessionEventPublisher.name)
	873	}
	874	}
	875	}
	876	}
	877
	878	private def findMappingLocation = { xml ->
	879
	880	// find the location to insert the filter-mapping; needs to be after the 'charEncodingFilter'
	881	// which may not exist. should also be before the sitemesh filter.
	882	// thanks to the JSecurity plugin for the logic.
	883
	884	def mappingLocation = xml.'filter-mapping'.find { it.'filter-name'.text() == 'charEncodingFilter' }
	885	if (mappingLocation) {
	886	return mappingLocation
	887	}
	888
	889	// no 'charEncodingFilter'; try to put it before sitemesh
	890	int i = 0
	891	int siteMeshIndex = -1
	892	xml.'filter-mapping'.each {
	893	if (it.'filter-name'.text().equalsIgnoreCase('sitemesh')) {
	894	siteMeshIndex = i
	895	}
	896	i++
	897	}
	898	if (siteMeshIndex > 0) {
	899	return xml.'filter-mapping'[siteMeshIndex - 1]
	900	}
	901
	902	if (siteMeshIndex == 0 \|\| xml.'filter-mapping'.size() == 0) {
	903	def filters = xml.'filter'
	904	return filters[filters.size() - 1]
	905	}
	906
	907	// neither filter found
	908	def filters = xml.'filter'
	909	return filters[filters.size() - 1]
	910	}
	911
	912	def doWithDynamicMethods = { ctx ->
	913
	914	def conf = AuthorizeTools.securityConfig.security
	915	if (!conf \|\| !conf.active) {
	916	return
	917	}
	918
	919	for (controllerClass in application.controllerClasses) {
	920	addControllerMethods controllerClass.metaClass
	921	}
	922
	923	if (conf.useControllerAnnotations) {
	924	ctx.objectDefinitionSource.initialize conf.controllerAnnotationStaticRules,
	925	ctx.grailsUrlMappingsHolder, application.controllerClasses
	926	}
	927	}
	928
	929	def onChange = { event ->
	930
	931	def conf = AuthorizeTools.securityConfig.security
	932	if (!conf \|\| !conf.active) {
	933	return
	934	}
	935
	936	def ctx = event.ctx
	937	if (event.source && ctx && event.application) {
	938	boolean isControllerClass = application.isControllerClass(event.source)
	939	boolean configChanged = 'SecurityConfig'.equals(event.source.name)
	940	if (configChanged \|\| isControllerClass) {
	941	if (conf.useControllerAnnotations) {
	942	ctx.objectDefinitionSource.initialize conf.controllerAnnotationStaticRules,
	943	ctx.grailsUrlMappingsHolder, application.controllerClasses
	944	}
	945	if (isControllerClass) {
	946	addControllerMethods application.getControllerClass(event.source.name).metaClass
	947	}
	948	}
	949	}
	950	}
	951
	952	def onApplicationChange = { event ->
	953	// nothing to do
	954	}
	955
	956	private void addControllerMethods(MetaClass mc) {
	957	mc.getAuthUserDomain = {
	958	def principal = SCH.context?.authentication?.principal
	959	if (principal != null && principal != 'anonymousUser') {
	960	return principal?.domainClass
	961	}
	962
	963	return null
	964	}
	965
	966	mc.getPrincipalInfo = {
	967	return SCH.context?.authentication?.principal
	968	}
	969
	970	mc.isUserLogon = {
	971	def principal = SCH.context?.authentication?.principal
	972	return principal != null && principal != 'anonymousUser'
	973	}
	974	}
	975
	976	private boolean hasAnnotation(serviceClass) {
	977	for (method in serviceClass.methods) {
	978	if (method.isAnnotationPresent(SecuredService)) {
	979	return true
	980	}
	981	}
	982
	983	return false
	984	}
	985
	986	private def createRefList = { names ->
	987	names.collect { name -> ref(name) }
	988	}
	989	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: