In a Grails multi-project, there are errors when the User/Role domain classes are in a separate plugin subproject about grails-spring-security-ui HOT 4 OPEN

I have an idea of what the cause would be and was wondering if you'd like to test out my theory?

I believe the issue may be that the plugin is dependent upon the grails-spring-security-core plugin while the app is dependent upon the grails-spring-security-ui plugin.

I believe both of the dependencies on grails-spring-security-core and grails-spring-security-ui should reside within the application, that would be myweb in your case.

All security related domain classes (SecRole, SecUser and SecUserSecRole), controllers, services, (etc) and config should also reside in the application, myweb.

The endpoints, including those in your plugin, may then be locked down by either annotating the controllers themselves or modifying application.groovy with the desired patterns and accesses. Make sure to include the role controller in the static rules if you wish to provide access to users.

Please let me know if these changes work for you.

from grails-spring-security-ui.

Thanks for replying! Does your theory involve the possibility that the web app and the plugin might end up depending on different versions of grails-spring-security-core through transient dependencies?

My example is oversimplified, separating domain classes from a simple UI app. Our actual use case is more complex, with multiple web apps relying on the same security infrastructure. I was hoping not to have to duplicate domain classes in each web app.

In fact, right now my work-around is to copy the domain classes SecUser, SecRole, and SecUserSecRole into the web app. So, I already know that putting those into the web app resolves the issue. I'll try what you ask with the dependencies as well and see what difference that makes.

from grails-spring-security-ui.

@dgoodman-idea, I have a solution for you.

The issue does, in fact, appear to be a configuration problem.

Access to URLs may be configured in one of three ways:

• @Secured annotations. This is the default approach
• A simple Map in application.groovy or application.yml
• RequestMap domain class instances stored in the database

Your example application is using the @Secured annotations approach by default. As a result, requests to access the role or user controllers are denied because those controllers are not annotated with @Secured in the grails-spring-security-ui source code.

The approach I recommend you take with your app is to use either the simple map or RequestMap approach.

To use the simple map approach to enable access to the user controller for all users, modify your application.yml as follows:

grails:
  plugin:
    springsecurity:
      securityConfigType: 'InterceptUrlMap'
      userLookup.userDomainClassName: 'com.example.SecUser'
      userLookup.authorityJoinClassName: 'com.example.SecUserSecRole'
      authority.className: 'com.example.SecRole'
      interceptUrlMap:
        - pattern: '/'
          access: ['permitAll']
        - pattern: '/console/**'
          access: ['permitAll']
        - pattern: '/static/console/**'
          access: ['permitAll']
        - pattern: '/index'
          access: ['permitAll']
        - pattern: '/index.gsp'
          access: ['permitAll']
        - pattern: '/error'
          access: ['permitAll']
        - pattern: '/user/denied'
          access: ['permitAll']
        - pattern: '/assets/**'
          access: ['permitAll']
        - pattern: '/**/js/**'
          access: ['permitAll']
        - pattern: '/**/css/**'
          access: ['permitAll']
        - pattern: '/**/images/**'
          access: ['permitAll']
        - pattern: '/user/**'
          access: ['permitAll']

Please note, I modified your config by:

1. setting the SecurityConfigType to be InterceptUrlMap instead of the default Annotation
2. added pattern and access values for the UserController

I verified this approach allows access to the UserController.

You will need to add additional patterns and accesses for your other controller endpoints and probably modify my example to lock down access to UserController :)

More information is available at
https://grails-plugins.github.io/grails-spring-security-core/3.2.x/index.html#requestMappings

Please let me know if this correctly addresses your issue! Thanks!

from grails-spring-security-ui.

@ddelponte I applied the changes you suggested and it still only works if I copy the domain classes into the myweb subproject. My original goal was to allow the domain classes to reside in a plugin subproject. I still get the failed assert:

->>  473 | createGroovyPageException    in /Users/dgoodman/git/s2ui-domain-class-issue/myweb/grails-app/views/user/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Caused by GrailsTagException: [views/user/create.gsp:35] Error executing tag <s2ui:form>: assert bean
       |
       null
->>   35 | throwRootCause               in views/user/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Caused by PowerAssertionError: assert bean
       |
       null
->>  276 | extractFormBean              in grails.plugin.springsecurity.ui.SecurityUiTagLib

Is there something about SecurityUiTagLib that wouldn't be able to access a bean in another subproject? Maybe a classloader issue?

from grails-spring-security-ui.