In a Grails multi-project, there are errors when the User/Role domain classes are in a separate plugin subproject

[dgoodman-idea]

Our team has a new Grails 3.3.9 multi-project. This issue manifests almost exactly like #56 but the work-around suggested there did not work. Ultimately, copying the Domain classes from myplugin into the myweb subproject fixed the issue. However, we want our Domain classes, including those for Spring Security (SecUser and SecRole) to reside in the shared plugin.

Task List

• Steps to reproduce provided
• Stacktrace (if present) provided
• Example that reproduces the problem uploaded to Github
• Full description of the issue provided (see below)

Steps to Reproduce

NOTE: If you clone the repo below, you can start with step 4

1. Setup a Grails multi-project as detailed in this article: http://www.databaseapplications.com.au/grails-multi-app.jsp
2. Add s2ui to the myweb subproject
   compile 'org.grails.plugins:spring-security-ui:3.1.2'
3. Generate Controllers and crud gsps with s2ui-override command line:
   1. grails s2ui-override auth
   2. grails s2ui-override layout
   3. grails s2ui-override role com.example (replace existing controller from earlier generate-all)
   4. grails s2ui-override user com.example (replace existing controller from earlier generate-all)
4. cd myweb; grails run-app
5. Login to the app with user admin and password strongPassword.
6. Navigate to /role/create or /user/create

Expected Behaviour

Create Role and Create User pages should load without error

Actual Behaviour

Error 500: Internal Server Error
URI
/role/create
Class
org.codehaus.groovy.runtime.powerassert.PowerAssertionError
Message
Request processing failed; nested exception is org.grails.gsp.GroovyPagesException: Error processing GroovyPageView: [views/role/create.gsp:21] Error executing tag <s2ui:formContainer>: assert bean | null
Caused by
assert bean | null

Full trace from grails:

    Line | Method
->>  473 | createGroovyPageException    in /Users/dgoodman/git/atomic-mole/web-admin/grails-app/views/role/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Caused by GrailsTagException: [views/role/create.gsp:21] Error executing tag <s2ui:formContainer>: assert bean
       |
       null
->>   21 | throwRootCause               in views/role/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Caused by PowerAssertionError: assert bean
       |
       null
->>  312 | doCall                       in grails.plugin.springsecurity.ui.SecurityUiTagLib$_closure10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
|    446 | invokeTagLibClosure          in org.grails.gsp.GroovyPage
|    364 | invokeTag . . . . . . . . .  in     ''
|     39 | doCall                       in Users_dgoodman_git_atomic_mole_web_admin_grails_app_views_role_create_gsp$_run_closure2
|    200 | executeClosure . . . . . . . in org.grails.taglib.TagBodyClosure
|    102 | captureClosureOutput         in     ''
|    213 | call . . . . . . . . . . . . in     ''
|     48 | captureTagContent            in org.grails.plugins.web.taglib.SitemeshTagLib
|    156 | doCall . . . . . . . . . . . in org.grails.plugins.web.taglib.SitemeshTagLib$_closure3
|    446 | invokeTagLibClosure          in org.grails.gsp.GroovyPage
|    364 | invokeTag . . . . . . . . .  in     ''
|     42 | run                          in Users_dgoodman_git_atomic_mole_web_admin_grails_app_views_role_create_gsp
|    162 | doWriteTo . . . . . . . . .  in org.grails.gsp.GroovyPageWritable
|     82 | writeTo                      in     ''
|     76 | renderTemplate . . . . . . . in org.grails.web.servlet.view.GroovyPageView
|     71 | renderWithinGrailsWebRequest in org.grails.web.servlet.view.AbstractGrailsView
|     55 | renderMergedOutputModel . .  in     ''
|    304 | render                       in org.springframework.web.servlet.view.AbstractView
|    150 | renderInnerView . . . . . .  in org.grails.web.sitemesh.GrailsLayoutView
|    128 | obtainContent                in     ''
|     63 | renderTemplate . . . . . . . in     ''
|     71 | renderWithinGrailsWebRequest in org.grails.web.servlet.view.AbstractGrailsView
|     55 | renderMergedOutputModel . .  in     ''
|    304 | render                       in org.springframework.web.servlet.view.AbstractView
|   1286 | render . . . . . . . . . . . in org.springframework.web.servlet.DispatcherServlet
|   1041 | processDispatchResult        in     ''
|    984 | doDispatch . . . . . . . . . in     ''
|    901 | doService                    in     ''
|    970 | processRequest . . . . . . . in org.springframework.web.servlet.FrameworkServlet
|    861 | doGet                        in     ''
|    846 | service . . . . . . . . . .  in     ''
|     55 | doFilterInternal             in org.springframework.boot.web.filter.ApplicationContextHeaderFilter
|    317 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|    127 | invoke                       in org.springframework.security.web.access.intercept.FilterSecurityInterceptor
|     91 | doFilter . . . . . . . . . . in     ''
|    331 | doFilter                     in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|    114 | doFilter . . . . . . . . . . in org.springframework.security.web.access.ExceptionTranslationFilter
|     64 | doFilter                     in grails.plugin.springsecurity.web.UpdateRequestContextHolderExceptionTranslationFilter
|    331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|     54 | doFilter                     in grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter
|    331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|    158 | doFilter                     in org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter
|    331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|    170 | doFilter                     in org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
|    331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|    200 | doFilter                     in org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
|    331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|     64 | doFilter                     in grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter
|    331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|    105 | doFilter                     in org.springframework.security.web.context.SecurityContextPersistenceFilter
|    331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|     58 | doFilter                     in grails.plugin.springsecurity.web.SecurityRequestHolderFilter
|    331 | doFilter . . . . . . . . . . in org.springframework.security.web.FilterChainProxy$VirtualFilterChain
|    214 | doFilterInternal             in org.springframework.security.web.FilterChainProxy
|    177 | doFilter . . . . . . . . . . in     ''
|     77 | doFilterInternal             in org.grails.web.servlet.mvc.GrailsWebRequestFilter
|     67 | doFilterInternal . . . . . . in org.grails.web.filters.HiddenHttpMethodFilter
|   1142 | runWorker                    in java.util.concurrent.ThreadPoolExecutor
|    617 | run . . . . . . . . . . . .  in java.util.concurrent.ThreadPoolExecutor$Worker
^    745 | run                          in java.lang.Thread

Environment Information

• Operating System: Mac OS 10.11.3
• GORM Version: 6.1.11.RELEASE
• Grails Version (if using Grails): 3.3.9
• Groovy Version: 2.4.15
• JDK Version: 1.8.0_11

Example Application

• https://github.com/dgoodman-idea/s2ui-domain-class-issue

[ddelponte]

I have an idea of what the cause would be and was wondering if you'd like to test out my theory?

I believe the issue may be that the plugin is dependent upon the grails-spring-security-core plugin while the app is dependent upon the grails-spring-security-ui plugin.

I believe both of the dependencies on grails-spring-security-core and grails-spring-security-ui should reside within the application, that would be myweb in your case.

All security related domain classes (SecRole, SecUser and SecUserSecRole), controllers, services, (etc) and config should also reside in the application, myweb.

The endpoints, including those in your plugin, may then be locked down by either annotating the controllers themselves or modifying application.groovy with the desired patterns and accesses. Make sure to include the role controller in the static rules if you wish to provide access to users.

Please let me know if these changes work for you.

[dgoodman-idea]

Thanks for replying! Does your theory involve the possibility that the web app and the plugin might end up depending on different versions of grails-spring-security-core through transient dependencies?

My example is oversimplified, separating domain classes from a simple UI app. Our actual use case is more complex, with multiple web apps relying on the same security infrastructure. I was hoping not to have to duplicate domain classes in each web app.

In fact, right now my work-around is to copy the domain classes SecUser, SecRole, and SecUserSecRole into the web app. So, I already know that putting those into the web app resolves the issue. I'll try what you ask with the dependencies as well and see what difference that makes.

[ddelponte]

@dgoodman-idea, I have a solution for you.

The issue does, in fact, appear to be a configuration problem.

Access to URLs may be configured in one of three ways:

• @Secured annotations. This is the default approach
• A simple Map in application.groovy or application.yml
• RequestMap domain class instances stored in the database

Your example application is using the @Secured annotations approach by default. As a result, requests to access the role or user controllers are denied because those controllers are not annotated with @Secured in the grails-spring-security-ui source code.

The approach I recommend you take with your app is to use either the simple map or RequestMap approach.

To use the simple map approach to enable access to the user controller for all users, modify your application.yml as follows:

grails:
  plugin:
    springsecurity:
      securityConfigType: 'InterceptUrlMap'
      userLookup.userDomainClassName: 'com.example.SecUser'
      userLookup.authorityJoinClassName: 'com.example.SecUserSecRole'
      authority.className: 'com.example.SecRole'
      interceptUrlMap:
        - pattern: '/'
          access: ['permitAll']
        - pattern: '/console/**'
          access: ['permitAll']
        - pattern: '/static/console/**'
          access: ['permitAll']
        - pattern: '/index'
          access: ['permitAll']
        - pattern: '/index.gsp'
          access: ['permitAll']
        - pattern: '/error'
          access: ['permitAll']
        - pattern: '/user/denied'
          access: ['permitAll']
        - pattern: '/assets/**'
          access: ['permitAll']
        - pattern: '/**/js/**'
          access: ['permitAll']
        - pattern: '/**/css/**'
          access: ['permitAll']
        - pattern: '/**/images/**'
          access: ['permitAll']
        - pattern: '/user/**'
          access: ['permitAll']

Please note, I modified your config by:

1. setting the SecurityConfigType to be InterceptUrlMap instead of the default Annotation
2. added pattern and access values for the UserController

I verified this approach allows access to the UserController.

You will need to add additional patterns and accesses for your other controller endpoints and probably modify my example to lock down access to UserController :)

More information is available at
https://grails-plugins.github.io/grails-spring-security-core/3.2.x/index.html#requestMappings

Please let me know if this correctly addresses your issue! Thanks!

[dgoodman-idea]

@ddelponte I applied the changes you suggested and it still only works if I copy the domain classes into the myweb subproject. My original goal was to allow the domain classes to reside in a plugin subproject. I still get the failed assert:

->>  473 | createGroovyPageException    in /Users/dgoodman/git/s2ui-domain-class-issue/myweb/grails-app/views/user/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Caused by GrailsTagException: [views/user/create.gsp:35] Error executing tag <s2ui:form>: assert bean
       |
       null
->>   35 | throwRootCause               in views/user/create.gsp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Caused by PowerAssertionError: assert bean
       |
       null
->>  276 | extractFormBean              in grails.plugin.springsecurity.ui.SecurityUiTagLib

Is there something about SecurityUiTagLib that wouldn't be able to access a bean in another subproject? Maybe a classloader issue?