Glen Smith (Grails Related category)

Hacking Custom Authentication Providers with Grails Spring Security

2010-01-14T19:33:00Z

The Grails Spring Security plugin totally rocks. Even though Peter wrote a fantastic chapter on it for Grails in Action, I've always been a bit scared of it (based on some early bad experiences with the raw acegi codebase which *was* pretty insanely complex to get going).

Anyways, I've had cause to revisit Spring Security for a new client project, and had some tricky corner cases to solve. In particular, the app exposes a REST API that needs a special custom security provider. The client is issued an API key when they purchase the COTS product, and (basically) a hash of this key is remoted by a rich client during the authentication process so they can access backend services. However they can also access parts of the app using a normal browser interface with a user password and standard "remember me" features.

So the trick was supporting both a custom auth mechanism for certain URLs (eg /api/**) whilst maintaining usernames and passwords for the rest of the app. Turns out that it's all totally doable. First a disclaimer: I know next to nothing about Spring Security, so there is probably way better ways to accomplish this, so feel free to give feedback about how I could simplify all this so that future googlers can benefit. That aside, here's my crack.

Ok. To get all this custom stuff happening you'll need to implement a few things:

A custom Authentication object to hold the credentials you scrape from the client's http POST
A custom AuthenticationProvider which checks the credentials in that Authentication object match with the ones you've got stored against your backend database.
A custom SpringSecurityFilter which slips into the request pipeline all /api/** URLs and fires when it finds some credentials to use. It will need to extract out the credentials into an Authentication object, then pass it off to the AuthenticationManager which will inturn fire you custom provider.
Plenty of brain space to hold all that complexity...

Let's start with the easy stuff and define our custom Authentication object to hold our credentials. You really only need a custom one so that your AuthenticationProvider class can answer true to supportsClass(auth), and there's probably good adaptors I could have subclassed. Given I'm doing it all in Groovy, it's very concise to implement the entire interface anyways:


import org.springframework.security.*

class CustomAppTokenAuthentication implements Authentication {
	
	String name
	GrantedAuthority[] authorities
 	Object credentials
 	Object details
 	Object principal
 	boolean authenticated

}

Ok. We have our "holder" for the credentials that the user is going to present. I'm going to populate the credentials and principal details from the incoming http request. It's the role of the SpringSecurityFilter to do that scraping, then fire off the AuthenticationManager's pipeline of AuthenticationProviders. Here's rough crack at a custom Filter:


import org.springframework.security.ui.*
import org.springframework.security.context.*
import org.springframework.beans.factory.*
import org.springframework.context.*
import javax.servlet.*
import javax.servlet.http.*

class CustomAppTokenFilter extends SpringSecurityFilter implements InitializingBean{
	
	def authenticationManager
	def customProvider
	
	void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
		
		if (SecurityContextHolder.getContext().getAuthentication() == null) {

			def userId = request.getParameter("userId")
			def apiKey = request.getParameter("apiKey")
			if ( userId && apiKey ) {
				
				def myAuth = new CustomAppTokenAuthentication(
						name: userId,
						credentials: apiKey,
						principal: userId,
						authenticated: true
				)
				
				myAuth = authenticationManager.authenticate(myAuth);
				if (myAuth) {
					println "Successfully Authenticated ${userId} in object ${myAuth}"
	
					// Store to SecurityContextHolder
					SecurityContextHolder.getContext().setAuthentication(myAuth);
				 }    
			}
		}
		chain.doFilter(request, response)
	}
	
	int getOrder() {
		return FilterChainOrder.REMEMBER_ME_FILTER
	}
	
	void afterPropertiesSet() {
		def providers = authenticationManager.providers
		providers.add(customProvider)
		authenticationManager.providers = providers
	}
}

There's a little magic going on here in afterPropertiesSet() where I add my custom AuthenticationProvider (which is going to actually validate the token) to the existing pipeline of AuthenticationManager providers. I was hoping to do that via configuration, but couldn't find out how. Ideas?

With all that in place, the actual logic of firing the request is pretty straightforward. If there is a userId and apiKey coming in, and the user hasn't already been authenticated, you create your custom Authentication holder object for the credentials (contrary to what you might think, the authenticated: true attribute means "I should be inspected by an AutheticationProvider classes" NOT "the user has been authenticated with this credential"). Traps for young players.

The last piece of code we'll need is that AuthenticationProvider to actually validate the credential. That will need to look up the user's details in the security database. You can use the plugin's userDetailsService to do the heavy lifting of that one. Let's you look up the user in the database based on their user id, then gives you a handle to the underlying domain class to get any attributes you need. Here's my rough impl:


import org.springframework.security.*
import org.springframework.security.providers.*
import org.springframework.security.userdetails.*

class CustomAppTokenAuthenticationProvider implements AuthenticationProvider {
	
	def userDetailsService
	
	Authentication authenticate(Authentication customAuth) {
		def userDetails = userDetailsService.loadUserByUsername(customAuth.principal)
		if (userDetails?.domainClass?.apiKey == customAuth.credentials) {
			customAuth.authorities = userDetails.authorities
			return customAuth
		} else {
			return null
		}
	}
	
	boolean supports(Class authentication) {
		return CustomAppTokenAuthentication.class.isAssignableFrom(authentication)
	}
	
}

At this stage I'm just comparing that the cleartext API key's match. In the next round I'll use a Grails codec to do the actual .encodeAsCrazyHash algo that I'll need for the real crypto.

With all the code in place, we just need the config to wire it all together. Let's start with the spring bean definitions for /grails-app/conf/spring/resources.groovy:


import org.codehaus.groovy.grails.plugins.springsecurity.*
import au.com.bytecode.auth.*

beans = {

	if (AuthorizeTools.securityConfig.security.active) {
		
		customAppTokenFilter(CustomAppTokenFilter) {
			userDetailsService = ref("userDetailsService")
			authenticationManager = ref("authenticationManager")
			customProvider = ref("customAppTokenAppTokenAuthenticationProvider")
		}
	   
		customAppTokenAppTokenAuthenticationProvider(CustomAppTokenAuthenticationProvider) {
	   		userDetailsService = ref("userDetailsService")	
		}
		
	}
   
}

I use the plugin's AuthorizeTools class just to check that the plugin is turned on in SecurityConfig.groovy. It's useful to be able to turn off security for some testing via that active = false flag, so I wanted to honour that setting.

The last piece of config is making sure the filter fires only for the /api/** URL Mapping. The SecurityConfig.groovy setup allow you to specify a map of URL to pipeline. I'm not sure which filters I need in addition to my custom one, so I just specify them all :-) -- you need some of them to persist your custom credential to the http session, for instance. And some to handle the anonymous user who don't submit a token (so that your standard @Secured annotations work on the target controller). Here's the extract:


   filterInvocationDefinitionSourceMap = [
    '/api/**': 'httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,customAppTokenFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor',
    '/**': 'JOINED_FILTERS',
	]

The JOINED_FILTERS tag means "all the standard filters", but you can't seem to map "/api/**" to "customAppTokenFilter,JOINED_FILTERS" which could have been nice.

Phew! That was quite a journey! As I said, if you have better ways of simplifying this process, I'm all ears. At least here's a rough outline of how to hack together a custom authentication mechanism if your client needs one!

Log into your Grails app using your Twitter credentials

2009-12-08T02:16:00Z

I've got a new little hobby grails project that relies on a user's tweets to power its data collection, so I've been exploring using Twitter's oauth features to do away user accounts altogether. My little project is called "Twitter Until You're Fitter" and the idea is that I can tweet my weight "@tuyf 93kg" each week, and the app will pick up the value and graph it over time toward my goal weight (85kg). Given my current gym workload, that shouldn't be too far away :-)

For those of you who haven't played with oauth, it's one of those emerging "federated SSO" type protocols. You generate a signed request from your application and sent it off to twitter. Twitter asks the logged on user whether they wish to allow your application access their account. If they agree, twitter will send your application an oauth_verifier which you can use to logon as that user. Generating and processing all those tokens is easily handled by twitter4j

In order to get started, you first have to register your application with twitter, after which you'll be issued with a "consumer key" and a "consumer secret". You'll want to squirrel those away in your /grails-app/conf/Config.groovy to get access to them later:


twitter {
	oauth.consumer_key = 'd8sfsv9s0afs89v0sdesvs0'
	oauth.consumer_secret = 'lfsdDKSFjepfskvespfseruDFESilsfesfiseLFS=='
}

Next up we'll taked advantage of Grails 1.2's new dependency management gear, by adding twitter4j to our /grails-app/conf/BuildConfig.groovy


dependencies {
	build 'net.homeip.yusuke:twitter4j:2.0.10'
}

With our dependency in place, and our keys all set aside in config, it's time to generate a request to send the user off to twitter. I've setup a little TwitterService class to abstract some of the details:


class TwitterService {

    def generateRequestToken(twitter, callbackUrl) {	
		def consumerKey = ConfigurationHolder.config.twitter.oauth.consumer_key
		def consumerSecret = ConfigurationHolder.config.twitter.oauth.consumer_secret
		twitter.setOAuthConsumer(consumerKey, consumerSecret)
		def requestToken = twitter.getOAuthRequestToken(callbackUrl)
		return requestToken 
    }

}

I'm passing in the twitter4j object itself, since I'm planning on binding that object to the user's session, and using it to access their timeline. Now we just need a controller to generate the "redirect to login" feature of my application. Something like this should do it:


def requestLogin = {
	def twitterClient = new twitter4j.Twitter()	
	def returnUrl = g.createLink(controller: 'oauth', action: 'processLogin', absolute:true).toString()
	log.debug "Generating request with return url of [${returnUrl}]"
	def requestToken = twitterService.generateRequestToken(twitterClient, returnUrl)
	session.twitter = twitterClient
	session.requestToken = requestToken
	redirect(url:requestToken.getAuthorizationURL())
}

First we generate a link for our return url after authentication, then I call the TwitterService to generate my request token. The RequestToken class exposes a getAuthorizationURL() which returns the URL you need to send them off to. The user will be shown an authorisation screen like this:

Assuming they click "Allow", twitter will redirect back to your requested URL with a URL containing a oauth_verifier parameter. You can use that parameter to login to twitter as that user. Here's the action that processes the return URL from twitter:


def processLogin = {
	
	log.debug "Processing Login Return from Twitter"
	if (!session.requestToken) {
		redirect(action: 'requestLogin')
	} else {
		def accessToken = session.twitter.getOAuthAccessToken(session.requestToken, params.oauth_verifier)
		log.debug "Attempting validate..."
		def twitterUser = session.twitter.verifyCredentials()
		log.debug "Validate successful for ${twitterUser.screenName}"
		session.user = twitterUser
		redirect(action: 'displayDetails')
	}
}

That accessToken object turns out to be really important. If you squirrel away it's token and tokenSecret properties, you can login as the user any time you want with the redirect step (eg. a future session, cookie value, etc).

Phew! We've come a long way! We're now actually logged on as the user, now we just need a gsp to display some timeline details. Perhaps something like this:


<html>
	<head>
		<meta http-equiv="Content-type" content="text/html; charset=utf-8">
		<title>Welcome ${session.user.name}</title>	
	</head>
	<body>
		<h1>Successful Login for ${session.user.name}</h1>
		<p>Your user handle is <a href="${session.user.getURL()}">@${session.user.screenName}</a></p>
		<p>Your icon is: <img src="${session.user.profileImageURL}"></p>
		<p>Your timeline:</p>
		<ul>
			<g:each in="${session.twitter.homeTimeline}" var="status" status='i'>
				<li class="${ (i % 2) ? 'odd' : 'even'}">
					<img src="${status.user.profileImageURL}"/> 
					${status.user.screenName} : ${status.text} </li>
			</g:each>
		</ul>
	</body>
</html>

Which should give us an output like this:

And our application is fully linked up! If the user has a look in their Twitter settings, they'll now see that our app has read-only access to their account. They can revoke that at any time (so we'll need some error checking to handle that down the track).

Once I've got a bit more of the app running, I'll get some source onto a public repo. Till then, I need to get ready for my Spin class..

A Groovy day out as OSDC

2009-11-30T23:51:00Z

I spent last Thursday with a bunch of the Queensland Groovy and Grails folk, hanging out at the Open Source Developers Conference. The day started with a super Groovy/Grails in the Enterprise talk from Bob Brown. After that was a great chance to meet Paul King from "Groovy in Action" fame:

I sat down and interviewed Paul about Groovy, Agile, GPars and Chickens, which will appear as part of episode 101 of the Grails podcast. I went to Paul's talk on Groovy Testing which we gave with Craig Smith. There's already a copy on slideshare, so check it out.

I also had a great chance to hang out with Steve Dalton and Lee Butts from Refactor. These guys work on the Grails S3 plugin and the Portlets plugin. Lee is also a Grails committed. We had lots of good chats about putting together an .au Groovy/Grails conf next year. Stay tuned - it's gonna be a very Groovy time in the Sun.

Finally, I had a chance to sit down with Luke Daley. Luke is behind the Grails Fixtures plugin, the LDAP plugin and the Grails Textmate plugin. Luke had some really good insights on developments in the Grails testing space, and it was also cool to meet another Grails Guitar player and Maven fan.

Big thanks to Steve Dalton at Refactor for talking me into coming and sorting out getting me in the door. It was a fantastic time and I can't wait for a local GroovyConf next year! It's gonna rock!

Interviews will be up on the Grails Podcast site later in the week. Stay tuned!

Converting GoogleCode projects over to Mercurial

2009-11-16T10:16:00Z

Continuing my fascination with all things mercurial, I've converted over a few of my googlecode projects (including groovyblogs and gravl). Google code has supported mercurial for a while, but it was initially piloted on just a few projects. These days the floodgates are open :-)

Google provides you with a Step-by-step guide on converting your project from Subversion to Mercurial. In the best case scenario, just do a "hg convert http://projectname.googlecode.com/svn hg-version-of-my-projectname" and you're in business. I tried this and the changesets took so long to pull from the remove svn repo, that I gave up after letting it run for a few hours.

Fortunately, some kind soul linked to this Antwerkz page which gives you a script for syncing your entire google svn repo to your local drive (just using standard svnsync, which isn't something I've played with before, so this trick might be old news to you).

With my whole svn repo mirrored locally, I could run hgconvert file://data/gravl.svn gravl.hg and a few seconds later I was done! Follow that up with a hg push https://gravl.googlecode.com/hg/ and we're up and running (with branches and full history!):

Great stuff. Really interested to see how I copy with a wholesale move to Hg. So far things are going great!

Netbeans {hearts} Mercurial -- With Screenshots

2009-11-10T01:51:00Z

I've been learning Mercurial over the past two weeks and I'm really loving it. I've used git before, and had a bunch of issues with merges (my fault, not git's - but troublesome none the less). I thought I'd have a good look at Mercurial to see what it offered.

I've got to say the learning curve with Mercurial has been awesome. I bought a copy of the book, which has helped with the headshift of working with distributed revision control. A side benefit is that I now understand git better as well :-).

One of my real interests in exploring Mercurial is the standard of tooling. I've been happy with TortoiseHg on Windows, and am comfortable with the commandline on OSX, but I was keen to see how the IDEs fare. These days I'm using Netbeans for Grails development, and the Mercurial support is just fantastic (and built in the basic install!).

First up, let's have a look at the basic editor window.

Just like the normal Netbeans subversion support, the project explorer on the left marks modified files in blue, and new files in green. Any folder paths containing new/modified files have a small cylinder to let you know. All good visual cues. You can also see the Versions window active in the bottom right. This gives you a full list of your new/modified files for this project. You can right click to find out the deets.

The editor window itself contains markers for lines you've modified, which avoids a lot of the need to fire up a diff. When you're ready to commit, you get a standard dialog:

With our commits all in place, all the colour scheme on our files revert to default black. But what if you need to do a more serious look at a file's history? No problem, just the normal right click, / Mercurial / Show History, and you'll have all the info you need. This dialog gives you the local repo revision number against each change, so it's easy to get back to where you were later:

So what's missing in the Netbeans Hg support? There's a few things I haven't found yet. There doesn't seem to be any visual history for the project, (as per "hg glog" or "hg serve") - and there doesn't even seem to be any support for branching and cloning. But for day-to-day stuff, I'm happy to revert to the commandline for those for now.

So overall I've been super happy with Mercurial so far. I just yesterday saw Ted Nalied's great presentation on Mercurial - which is also a good resource for seeing what Hg has to offer.

Also look forward to checking out Mercurial Eclipse once I finally get Eclipse Spring/STS installed.

If people are interested, I'll put together a basic Mercurial/Grails screencast to get you started (ala Jeff Brown's awesome Grails/Git one).