grails-spring-security-core
grails-spring-security-core copied to clipboard
grails
In a Grails multi-project, there are errors when the User/Role domain classes are in a separate plugin subproject
Our team has a new Grails 3.3.9 multi-project. This issue manifests almost exactly like grails/grails-spring-security-ui#56 but the work-around suggested there did not work. Ultimately, copying the Domain classes from myplugin into the myweb subproject fixed the issue. However, we want our Domain classes, including those for Spring Security (SecUser and SecRole) to reside in the shared plugin.
Task List
- [x] Steps to reproduce provided
- [x] Stacktrace (if present) provided
- [x] Example that reproduces the problem uploaded to Github
- [x] Full description of the issue provided (see below)
Steps to Reproduce
NOTE: If you clone the repo below, you can start with step 4
- Setup a Grails multi-project as detailed in this article: http://www.databaseapplications.com.au/grails-multi-app.jsp
- Add s2ui to the myweb subproject
compile 'org.grails.plugins:spring-security-ui:3.1.2' - Generate Controllers and crud gsps with s2ui-override command line:
grails s2ui-override authgrails s2ui-override layoutgrails s2ui-override role com.example(replace existing controller from earlier generate-all)grails s2ui-override user com.example(replace existing controller from earlier generate-all)
cd myweb; grails run-app- Login to the app with user
adminand passwordstrongPassword. - Navigate to
/role/createor/user/create
Expected Behaviour
Create Role and Create User pages should load without error
Actual Behaviour
Error 500: Internal Server Error
URI
/role/create
Class
org.codehaus.groovy.runtime.powerassert.PowerAssertionError
Message
Request processing failed; nested exception is org.grails.gsp.GroovyPagesException: Error processing GroovyPageView: [views/role/create.gsp:21] Error executing tag <s2ui:formContainer>: assert bean | null
Caused by
assert bean | null
Full trace from grails:
Line | Method
->> 473 | createGroovyPageException in /Users/dgoodman/git/atomic-mole/web-admin/grails-app/views/role/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Caused by GrailsTagException: [views/role/create.gsp:21] Error executing tag <s2ui:formContainer>: assert bean
|
null
->> 21 | throwRootCause in views/role/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Caused by PowerAssertionError: assert bean
|
null
->> 312 | doCall in grails.plugin.springsecurity.ui.SecurityUiTagLib$_closure10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 446 | invokeTagLibClosure in org.grails.gsp.GroovyPage
| 364 | invokeTag . . . . . . . . . in ''
| 39 | doCall in Users_dgoodman_git_atomic_mole_web_admin_grails_app_views_role_create_gsp$_run_closure2
| 200 | executeClosure . . . . . . . in org.grails.taglib.TagBodyClosure
| 102 | captureClosureOutput in ''
| 213 | call . . . . . . . . . . . . in ''
| 48 | captureTagContent in org.grails.plugins.web.taglib.SitemeshTagLib
| 156 | doCall . . . . . . . . . . . in org.grails.plugins.web.taglib.SitemeshTagLib$_closure3
| 446 | invokeTagLibClosure in org.grails.gsp.GroovyPage
| 364 | invokeTag . . . . . . . . . in ''
| 42 | run in Users_dgoodman_git_atomic_mole_web_admin_grails_app_views_role_create_gsp
| 162 | doWriteTo . . . . . . . . . in org.grails.gsp.GroovyPageWritable
| 82 | writeTo in ''
| 76 | renderTemplate . . . . . . . in org.grails.web.servlet.view.GroovyPageView
| 71 | renderWithinGrailsWebRequest in org.grails.web.servlet.view.AbstractGrailsView
| 55 | renderMergedOutputModel . . in ''
| 304 | render in org.springframework.web.servlet.view.AbstractView
| 150 | renderInnerView . . . . . . in org.grails.web.sitemesh.GrailsLayoutView
| 128 | obtainContent in ''
| 63 | renderTemplate . . . . . . . in ''
| 71 | renderWithinGrailsWebRequest in org.grails.web.servlet.view.AbstractGrailsView
| 55 | renderMergedOutputModel . . in ''
| 304 | render in org.springframework.web.servlet.view.AbstractView
| 1286 | render . . . . . . . . . . . in org.springframework.web.servlet.DispatcherServlet
| 1041 | processDispatchResult in ''
| 984 | doDispatch . . . . . . . . . in ''
| 901 | doService in ''
| 970 | processRequest . . . . . . . in org.springframework.web.servlet.FrameworkServlet
| 861 | doGet in ''
| 846 | service . . . . . . . . . . in ''
| 55 | doFilterInternal in org.springframework.boot.web.filter.ApplicationContextHeaderFilter
| 317 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 127 | invoke in org.springframework.security.web.access.intercept.FilterSecurityInterceptor
| 91 | doFilter . . . . . . . . . . in ''
| 331 | doFilter in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 114 | doFilter . . . . . . . . . . in org.springframework.security.web.access.ExceptionTranslationFilter
| 64 | doFilter in grails.plugin.springsecurity.web.UpdateRequestContextHolderExceptionTranslationFilter
| 331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 54 | doFilter in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
| 331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 158 | doFilter in org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter
| 331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 170 | doFilter in org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
| 331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 200 | doFilter in org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
| 331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 64 | doFilter in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
| 331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 105 | doFilter in org.springframework.security.web.context.SecurityContextPersistenceFilter
| 331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 58 | doFilter in grails.plugin.springsecurity.web.SecurityRequestHolderFilter
| 331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
| 214 | doFilterInternal in org.springframework.security.web.FilterChainProxy
| 177 | doFilter . . . . . . . . . . in ''
| 77 | doFilterInternal in org.grails.web.servlet.mvc.GrailsWebRequestFilter
| 67 | doFilterInternal . . . . . . in org.grails.web.filters.HiddenHttpMethodFilter
| 1142 | runWorker in java.util.concurrent.ThreadPoolExecutor
| 617 | run . . . . . . . . . . . . in java.util.concurrent.ThreadPoolExecutor$Worker
^ 745 | run in java.lang.Thread
Environment Information
- Operating System: Mac OS 10.11.3
- GORM Version: 6.1.11.RELEASE
- Grails Version (if using Grails): 3.3.9
- Groovy Version: 2.4.15
- JDK Version: 1.8.0_11
Example Application
- https://github.com/dgoodman-idea/s2ui-domain-class-issue
I have an idea of what the cause would be and was wondering if you'd like to test out my theory?
I believe the issue may be that the plugin is dependent upon the grails-spring-security-core plugin while the app is dependent upon the grails-spring-security-ui plugin.
I believe both of the dependencies on grails-spring-security-core and grails-spring-security-ui should reside within the application, that would be myweb in your case.
All security related domain classes (SecRole, SecUser and SecUserSecRole), controllers, services, (etc) and config should also reside in the application, myweb.
The endpoints, including those in your plugin, may then be locked down by either annotating the controllers themselves or modifying application.groovy with the desired patterns and accesses. Make sure to include the role controller in the static rules if you wish to provide access to users.
Please let me know if these changes work for you.
Thanks for replying! Does your theory involve the possibility that the web app and the plugin might end up depending on different versions of grails-spring-security-core through transient dependencies?
My example is oversimplified, separating domain classes from a simple UI app. Our actual use case is more complex, with multiple web apps relying on the same security infrastructure. I was hoping not to have to duplicate domain classes in each web app.
In fact, right now my work-around is to copy the domain classes SecUser, SecRole, and SecUserSecRole into the web app. So, I already know that putting those into the web app resolves the issue. I'll try what you ask with the dependencies as well and see what difference that makes.
@dgoodman-idea, I have a solution for you.
The issue does, in fact, appear to be a configuration problem.
Access to URLs may be configured in one of three ways:
@Securedannotations. This is the default approach- A simple Map in
application.groovyorapplication.yml RequestMapdomain class instances stored in the database
Your example application is using the @Secured annotations approach by default. As a result, requests to access the role or user controllers are denied because those controllers are not annotated with @Secured in the grails-spring-security-ui source code.
The approach I recommend you take with your app is to use either the simple map or RequestMap approach.
To use the simple map approach to enable access to the user controller for all users, modify your application.yml as follows:
grails:
plugin:
springsecurity:
securityConfigType: 'InterceptUrlMap'
userLookup.userDomainClassName: 'com.example.SecUser'
userLookup.authorityJoinClassName: 'com.example.SecUserSecRole'
authority.className: 'com.example.SecRole'
interceptUrlMap:
- pattern: '/'
access: ['permitAll']
- pattern: '/console/**'
access: ['permitAll']
- pattern: '/static/console/**'
access: ['permitAll']
- pattern: '/index'
access: ['permitAll']
- pattern: '/index.gsp'
access: ['permitAll']
- pattern: '/error'
access: ['permitAll']
- pattern: '/user/denied'
access: ['permitAll']
- pattern: '/assets/**'
access: ['permitAll']
- pattern: '/**/js/**'
access: ['permitAll']
- pattern: '/**/css/**'
access: ['permitAll']
- pattern: '/**/images/**'
access: ['permitAll']
- pattern: '/user/**'
access: ['permitAll']
Please note, I modified your config by:
- setting the
SecurityConfigTypeto beInterceptUrlMapinstead of the defaultAnnotation - added
patternandaccessvalues for theUserController
I verified this approach allows access to the UserController.
You will need to add additional patterns and accesses for your other controller endpoints and probably modify my example to lock down access to UserController :)
More information is available at https://grails-plugins.github.io/grails-spring-security-core/3.2.x/index.html#requestMappings
Please let me know if this correctly addresses your issue! Thanks!
@ddelponte I applied the changes you suggested and it still only works if I copy the domain classes into the myweb subproject. My original goal was to allow the domain classes to reside in a plugin subproject. I still get the failed assert:
->> 473 | createGroovyPageException in /Users/dgoodman/git/s2ui-domain-class-issue/myweb/grails-app/views/user/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Caused by GrailsTagException: [views/user/create.gsp:35] Error executing tag <s2ui:form>: assert bean
|
null
->> 35 | throwRootCause in views/user/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Caused by PowerAssertionError: assert bean
|
null
->> 276 | extractFormBean in grails.plugin.springsecurity.ui.SecurityUiTagLib
Is there something about SecurityUiTagLib that wouldn't be able to access a bean in another subproject? Maybe a classloader issue?