The document discusses customizing the Grails Spring Security 2.0 plugin. It describes how to override plugin beans by redefining them in the application context. It provides examples of customizing the user details service, authentication provider, and post-logout behavior. The document is a technical guide for developers looking to extend the default functionality of the Grails Spring Security plugin.
In this webinar, we focus specifically on how Apache SHIRO can help developers in providing better security architecture. You will also learn the following Application security is gaining critical attention due to increase in cyber-attacks and risks of business and financial losses.
In the context of J2EE development and Java web application development, security concerns are addressed through multiple means. This informative 45 min session to understand approaches and strategies for building secure web applications.
- Planning for Security: Authentication, Authorization, Session Management and Cryptography
- Comparing Different Approaches for Security: JAAS, Spring, Grails
- How to use the simplified universal approach of Apache SHIRO
- A LIVE DEMO on using SHIRO to secure web applications
If you have any query please write to us at inquiry@cygnet-infotech.com
Octopus framework; Permission based security framework for Java EERudy De Busscher
Octopus framework for using permission based security in your Java EE app capable of securing URL, JSF components and CDI and EJB methods with the same security voters.
In this webinar, we focus specifically on how Apache SHIRO can help developers in providing better security architecture. You will also learn the following Application security is gaining critical attention due to increase in cyber-attacks and risks of business and financial losses.
In the context of J2EE development and Java web application development, security concerns are addressed through multiple means. This informative 45 min session to understand approaches and strategies for building secure web applications.
- Planning for Security: Authentication, Authorization, Session Management and Cryptography
- Comparing Different Approaches for Security: JAAS, Spring, Grails
- How to use the simplified universal approach of Apache SHIRO
- A LIVE DEMO on using SHIRO to secure web applications
If you have any query please write to us at inquiry@cygnet-infotech.com
Octopus framework; Permission based security framework for Java EERudy De Busscher
Octopus framework for using permission based security in your Java EE app capable of securing URL, JSF components and CDI and EJB methods with the same security voters.
Enterprise Security mit Spring SecurityMike Wiesner
Spring Security, der Nachfolger des Acegi Security Frameworks, stellt ein Framework zur Umsetzung von Enterprise Security Anforderungen zur Verfügung, wie z.B. Authentifizierung, URL- und Methoden-Filter, Single-Sign-On und Insatzbasierten Berechtigungen. Dabei ist es ein reines Security Framework, welches mit nahezu jedem Web- und Anwendungsframework eingesetzt werden kann.
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
In this session Les Hazlewood, the Apache Shiro PMC Chair, will cover Shiro's enterprise session management capabilities, how it can be used across any application (not just web or JEE applications) and how to use Cassandra as Shiro's session store, enabling a distributed session cluster supporting hundreds of thousands or even millions of concurrent sessions. As a working example, Les will show how to set up a session cluster in under 10 minutes using Cassandra. If you need to scale user session load, you won't want to miss this!
Getting Started with Spring Authorization ServerVMware Tanzu
SpringOne 2021
Title: Getting Started with Spring Authorization Server
Speakers: Joe Grandja, Spring Security Engineer at VMware; Steve Riesenberg, Software Engineer at VMware
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
Have you ever wondered how single-sign-on on sites like Google and Facebook works? Are you a fan of stateless application architectures? Do you want to learn how to put together a modern security approach for your next Spring Boot project? If the answer is yes, to anything above, then this session is for you. Dmitry will explain what is OAuth 2.0 and JWT, why are they popular, and how to integrate them in Java project.
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love.
YouTube: https://www.thesecuredeveloper.com/post/10-excellent-ways-to-secure-your-spring-boot-application
Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Ioan Eugen Stan
Speaking of modern authentication for the Web, we usually assume features like single sign-on, social login, strong multifactor auth, protection from brute-force attacks and automated registrations & many more.
Unfortunately, Sling offers only very basic authentication and identity management out of the box. Our proposal is not to reinvent all of the above within Sling, but rather to delegate authentication and IDM to mature, open-source and standards-compliant external service.
In this session, we'll discuss and demonstrate implementation of this approach with Keycloak, open-source identity solution.
https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/ - Code and presentation.
https://netdava.github.io/adapt-to-2018-keycloak-sling-presentation/
https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
Big corporations and financial institutions need secure pull printing services which guarantee a proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering - similar vulnerabilities have been found in multiple solutions which are exposed to breaking the encryption, collecting any prints from the server and printing at others' expense.
In this presentation, we show how Intrigue Core helps scale the assessment automation process and how you can integrate into Elasticsearch to do deep attack surface analysis on organizations.
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information. This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
OAuth 2.0 is an open authentication and authorization protocol which enables applications to access each others data. This talk will presents how to implement the OAuth2 definitions to secure RESTful resources developed using JAX-RS in the Java EE platform.
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Companion blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Enterprise Security mit Spring SecurityMike Wiesner
Spring Security, der Nachfolger des Acegi Security Frameworks, stellt ein Framework zur Umsetzung von Enterprise Security Anforderungen zur Verfügung, wie z.B. Authentifizierung, URL- und Methoden-Filter, Single-Sign-On und Insatzbasierten Berechtigungen. Dabei ist es ein reines Security Framework, welches mit nahezu jedem Web- und Anwendungsframework eingesetzt werden kann.
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
In this session Les Hazlewood, the Apache Shiro PMC Chair, will cover Shiro's enterprise session management capabilities, how it can be used across any application (not just web or JEE applications) and how to use Cassandra as Shiro's session store, enabling a distributed session cluster supporting hundreds of thousands or even millions of concurrent sessions. As a working example, Les will show how to set up a session cluster in under 10 minutes using Cassandra. If you need to scale user session load, you won't want to miss this!
Getting Started with Spring Authorization ServerVMware Tanzu
SpringOne 2021
Title: Getting Started with Spring Authorization Server
Speakers: Joe Grandja, Spring Security Engineer at VMware; Steve Riesenberg, Software Engineer at VMware
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
Have you ever wondered how single-sign-on on sites like Google and Facebook works? Are you a fan of stateless application architectures? Do you want to learn how to put together a modern security approach for your next Spring Boot project? If the answer is yes, to anything above, then this session is for you. Dmitry will explain what is OAuth 2.0 and JWT, why are they popular, and how to integrate them in Java project.
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love.
YouTube: https://www.thesecuredeveloper.com/post/10-excellent-ways-to-secure-your-spring-boot-application
Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Ioan Eugen Stan
Speaking of modern authentication for the Web, we usually assume features like single sign-on, social login, strong multifactor auth, protection from brute-force attacks and automated registrations & many more.
Unfortunately, Sling offers only very basic authentication and identity management out of the box. Our proposal is not to reinvent all of the above within Sling, but rather to delegate authentication and IDM to mature, open-source and standards-compliant external service.
In this session, we'll discuss and demonstrate implementation of this approach with Keycloak, open-source identity solution.
https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/ - Code and presentation.
https://netdava.github.io/adapt-to-2018-keycloak-sling-presentation/
https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
Big corporations and financial institutions need secure pull printing services which guarantee a proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering - similar vulnerabilities have been found in multiple solutions which are exposed to breaking the encryption, collecting any prints from the server and printing at others' expense.
In this presentation, we show how Intrigue Core helps scale the assessment automation process and how you can integrate into Elasticsearch to do deep attack surface analysis on organizations.
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information. This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
OAuth 2.0 is an open authentication and authorization protocol which enables applications to access each others data. This talk will presents how to implement the OAuth2 definitions to secure RESTful resources developed using JAX-RS in the Java EE platform.
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Companion blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Geb+spock: let your functional tests live long and prosperEsther Lozano
Functional testing, as any other testing, is important to ensure the health of our apps. However, functional tests are often tricky, too susceptible to change, and their maintenance ends up being a nightmare. Are we hopeless then? Not at all! Luckily, there are tools to ease this task like Geb and Spock, which help us to create well structured, comprehensive, and easy to maintain tests. In this talk we will review these tools, showing different options for creating the tests.
In this session, attendees will learn how to secure JSR-168 Portlets using the latest version of Acegi Security, called Spring Security 2.0. The 2.0 release of Spring Security includes new support for JSR-168 Portlet development. In this session we'll cover how the Acegi security model translates into the Portlet world, show how to configure the authentication provider for JSR-168 Portlets, and discuss the special interceptors for processing Portlet requests and for storing the security context in the Portlet session. Finally we'll show how Portlets and Servlets in the same webapp can share security context, which allows for secure AJAX calls and dynamic images from within Portlets.
Apache Shiro, a simple easy-to-use framework to enforce user security by Shiro PMC Chair and Stormpath CTO, Les Hazlewood.
http://shiro.apache.org
http://stormpath.com
Java EE Application Security With PicketLinkpigorcraveiro
In this presentation we will take a look at PicketLink, a security framework for Java EE and learn how its identity management, authentication and authorization features can be used to address the security requirements for all aspects of application development.
Apache Roller, Acegi Security and Single Sign-onMatt Raible
Acegi Security is quickly becoming a widely respected security framework for Java applications. Not only does this security framework solve many of the deficiencies of J2EE's security mechanisms, but it's also easy to implement and configure. This tutorial will help you learn more about Acegi Security, as well as how to integrate it into your web applications. The Roller Weblogger project (currently in Apache's incubator) uses Acegi Security for many of its features: authentication, password encryption, remember me and SSL switching. After learning about Roller and Acegi, you will see how to deploy Roller onto Tomcat and Geronimo. Following that, you will learn how to hook Roller/Acegi into Apache Directory Server for authentication. Finally, you will learn how to integrate Roller with a Single Sign-on System (Yale's Central Authentication Service).
Super simple application security with Apache ShiroMarakana Inc.
Les Hazlewood, founder of the Apache Shiro project, covers the benefits of using Shiro as an application security framework.
Check out the video for this presentation, as well as more training resources for Java here: http://marakana.com/forums/java/general/183.html
Whether you build software for enterprises, mobile, or internal microservices, security is important. Standards like SAML, OIDC, and SPIFFE help you solve identity and authentication, but for them authorization is out of scope. When you need to control "who can do what" in your app, you are on your own.
To solve authorization, you may be tempted to hardcode logic against SAML assertions, scopes, or X.509 certificate attributes. But, approaches like this lead to systems that are hard to understand and painful to maintain.
This talk shows how to leverage the Open Policy Agent (which is used by companies like Netflix and Chef) to build a powerful authorization system on top of industry-standard authentication protocols. The talk showcases how decoupling leads to authorization solutions that are easier to understand while enabling fine-grained control over the app.
Spring Security is a security solution for enterprise applications developed
using the Spring Framework.
Out of the box Spring Security provide support for OpenID, ACL, Groups, JSR 250 Security Annotation and can be easily integrated with OAuth and RESTful systems.
In this presentation we will see how to use Spring Security to switch a RESTful webapp from a classical authentication/authorization to OpenID authentication, OAuth authorization and how to use the Spring Security ACL for your Domain Objects.
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
E-commerce Application Development Company.pdfHornet Dynamics
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Do you want Software for your Business? Visit Deuglo
Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions.
Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC).
Requirement — Collecting the Requirements is the first Phase in the SSLC process.
Feasibility Study — after completing the requirement process they move to the design phase.
Design — in this phase, they start designing the software.
Coding — when designing is completed, the developers start coding for the software.
Testing — in this phase when the coding of the software is done the testing team will start testing.
Installation — after completion of testing, the application opens to the live server and launches!
Maintenance — after completing the software development, customers start using the software.
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly.
The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
6. web.xml
● Spring Security is implemented as a filter chain, so the
<filter-mapping> elements are the important ones:
● charEncodingFilter
● hiddenHttpMethod
● AssetPipelineFilter
● grailsWebRequest
● springSecurityFilterChain
● urlMapping
● grailsCacheFilter
7. web.xml
● Spring Security is implemented as a filter chain, so the
<filter-mapping> elements are the important ones:
● charEncodingFilter
● hiddenHttpMethod
● AssetPipelineFilter
● grailsWebRequest
● springSecurityFilterChain
● urlMapping
● grailsCacheFilter
8. web.xml - charEncodingFilter
Prevents this
●
org.springframework.web.filter.DelegatingFilterProxy
● Uses the "characterEncodingFilter" bean
(org.springframework.web.filter.CharacterEncodingFilter)
defined in WEB-INF/applicationContext.xml (the
“parent” context)
● request.setCharacterEncoding("utf-8");
● response.setCharacterEncoding("utf-8");
9. web.xml - hiddenHttpMethod
String httpMethod = getHttpMethodOverride(request);
filterChain.doFilter(
new HttpMethodRequestWrapper(httpMethod, request),
response);
●
org.codehaus.groovy.grails.web.filters.HiddenHttpMethodFilter
● <g:form controller="book" method="DELETE">
● See the section on REST in the Grails reference docs
10. web.xml - AssetPipelineFilter
● asset.pipeline.grails.AssetPipelineFilter
● Manages minification, etc. for the asset-pipeline plugin(s)
22. springSecurityFilterChain - filterInvocationInterceptor
● Delegates to an AccessDecisionManager
(grails.plugin.springsecurity.access.vote.
AuthenticatedVetoableDecisionManager) to call
each registered
o.s.s.access.AccessDecisionVoter
25. springSecurityFilterChain - filterInvocationInterceptor
● grails.plugin.springsecurity.web.access.expression.
WebExpressionVoter looks for a
WebExpressionConfigAttribute and evaluates its
expression if found
● grails.plugin.springsecurity.access.vote.
ClosureVoter looks for a Closure and invokes it to
determine how to vote
26. springSecurityFilterChain - filterInvocationInterceptor
● This is caught by the exceptionTranslationFilter
● If the Authentication is anonymous, stores a
SavedRequest in the HTTP session and calls
authenticationEntryPoint.commence(request,
response, reason)
● The authenticationEntryPoint is a
grails.plugin.springsecurity.web.authentication.
AjaxAwareAuthenticationEntryPoint
● This issues a redirect to the login page, by default
/login/auth
if (denyCount > 0) {
throw new AccessDeniedException("Access is denied");
}
28. Customizing the Plugin
● Simple; not always clear how to customize; many
options aren't exposed
● In contrast, the plugin explicitly defines every bean and
exposes nearly all properties
● See SpringSecurityCoreGrailsPlugin.groovy
for the details
31. Overriding Beans
● Building the Spring ApplicationContext
Core pluginsCore plugins Installed pluginsInstalled plugins resources.groovyresources.groovy
32. Overriding Beans
● Gross oversimplifications:
● The ApplicationContext is like a Map; the keys are
bean names and the values are bean instances
● Defining a bean with the same name as an earlier bean
replaces the previous, just like Map.put(key,
value) does
33. Overriding Beans
● Gross oversimplifications:
● The ApplicationContext is like a Map; the keys are
bean names and the values are bean instances
● Defining a bean with the same name as an earlier bean
replaces the previous, just like Map.put(key,
value) does
34. Overriding Beans
● To change how a bean works:
● Subclass the current class
● Or subclass a similar class that's closer to what you need
●
Or implement the interface directly
● Then register yours in grails-app/
conf/spring/resources.groovy
37. Customizing Bean Properties
● In addition to declaring every bean, nearly all properties
are configured from default values in the plugin's
grails-
app/conf/DefaultSecurityConfig.groovy
● DO NOT EDIT DefaultSecurityConfig.groovy
38. Customizing Bean Properties
● All properties can be overridden in your app's
Config.groovy
● Be sure to add the grails.plugin.springsecurity
prefix
●
Don't replace a bean if all you need to change is one or
more properties
41. Customizing Bean Properties
class BootStrap {
def authenticationProcessingFilter
def myAuthenticationFailureHandler
def init = {
authenticationProcessingFilter.authenticationFailureHandler =
myAuthenticationFailureHandler
}
}
● Can also configure beans in BootStrap.groovy, e.g. to
avoid redefining a whole bean in resources.groovy just
to change one dependency:
44. Custom UserDetailsService
● General workflow:
● Create a custom
o.s.s.core.userdetails.UserDetailsService
(grails.plugin.springsecurity.userdetails.
GrailsUserDetailsService) implementation
● Directly implement the interface (best)
● or extend grails.plugin.springsecurity.userdetails.
GormUserDetailsService (ok, but usually cleaner to implement
the interface)
45. Custom UserDetailsService
● General workflow (cont.):
● Create a custom implementation of
o.s.s.core.userdetails.UserDetails
● Extend
grails.plugin.springsecurity.userdetails.GrailsUser
● or extend o.s.s.core.userdetails.User
● or directly implement the interface
46. Custom UserDetailsService
● General workflow (cont.):
● Register the bean override in grails-
app/conf/spring/resources.groovy:
import com.mycompany.myapp.MyUserDetailsService
beans = {
userDetailsService(MyUserDetailsService)
}
48. Custom AuthenticationProvider
● General workflow:
● Create a custom
o.s.s.authentication.AuthenticationProvider
implementation
● Extend one that's similar, e.g.
o.s.s.authentication.dao.DaoAuthenticationProvider
● or directly implement the interface
49. Custom AuthenticationProvider
● General workflow (cont.):
● You'll probably want a custom
org.springframework.security.core.Authentication
● Extend an existing implementation, e.g.
o.s.s.authentication.UsernamePasswordAuthenticationToken
● or directly implement the interface
50. Custom AuthenticationProvider
● General workflow (cont.):
● If you're using a custom Authentication, you'll need a filter to
create it
● Create a custom javax.servlet.Filter implementation
● Best to extend org.springframework.web.filter.GenericFilterBean
● or one that's similar, e.g.
o.s.s.web.authentication.UsernamePasswordAuthenticationFilter
● Or directly implement the interface
51. Custom AuthenticationProvider
● Registering the custom classes
● If you're replacing functionality, register bean overrides in
resources.groovy
● If you're adding an alternate authentication option (e.g. for only some
URLs)
● Register the beans in resources.groovy
● Register the provider as described in docs section “Authentication Providers”
●
Register the filter in its position as described in docs section “Filters”
53. Custom Post-logout Behavior
● Recall that logout is processed by MutableLogoutFilter
after request for /j_spring_security_logout
● handler.logout(request, response, auth) is
called for each LogoutHandler
● then redirect to post-logout url (by default “/”)
54. Custom Post-logout Behavior
● The default LogoutHandler implementations are
●
o.s.s.web.authentication.rememberme.TokenBasedRememberMeServices
● Deletes the remember-me cookie
●
o.s.s.web.authentication.logout.SecurityContextLogoutHandler
● Invalidates the HttpSession
● Removes the SecurityContext from the
SecurityContextHolder
55. Custom Post-logout Behavior
● Redirect is triggered by
● logoutSuccessHandler.onLogoutSuccess(request,
response, auth)
● LogoutSuccessHandler is an instance of
o.s.s.web.authentication.logout.SimpleUrlLogoutSuccessHandler
56. Custom Post-logout Behavior
● To add logic to dynamically determine redirect url:
● Subclass SimpleUrlLogoutSuccessHandler
● Since the Authentication isn't available in
determineTargetUrl, override onLogoutSuccess and set it
in a ThreadLocal
61. Customization Overview
● Subclass or replace filters in the chain:
● SecurityContextPersistenceFilter
● MutableLogoutFilter
● RequestHolderAuthenticationFilter
(UsernamePasswordAuthenticationFilter)
● SecurityContextHolderAwareRequestFilter
● RememberMeAuthenticationFilter
● AnonymousAuthenticationFilter
● ExceptionTranslationFilter
● FilterSecurityInterceptor
62. Customization Overview
● Remove filter(s) from the chain
● Not recommended
● Add filter(s) to the chain
● Add/remove/replace LogoutHandler(s)
● Add/remove/replace AccessDecisionVoter(s)
● Add/remove/replace AuthenticationProvider(s)
63. Customization Overview
● Customize a filter or AuthenticationProvider's dependency
● e.g. custom UserDetailsService
● Don't write code if you can customize properties or
BootStrap.groovy
● Read the Spring Security documentation
● Print the PDF and read it on your commute
● Ask for help on the Grails User mailing list