Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

useHeaderCheckChannelSecurity doesn't work for AJAX calls #395

Closed
kuceram opened this issue Nov 30, 2015 · 2 comments
Closed

useHeaderCheckChannelSecurity doesn't work for AJAX calls #395

kuceram opened this issue Nov 30, 2015 · 2 comments

Comments

@kuceram
Copy link

kuceram commented Nov 30, 2015

When I run Spring Security behind the load balancer I set http header 'X-Forwarded-Proto' sent from load balancer to Grails set to 'http'. In Grails app I set following:

grails.plugin.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true
grails.plugin.springsecurity.portMapper.httpPort = 80
grails.plugin.springsecurity.portMapper.httpsPort = 443
grails.plugin.springsecurity.secureChannel.secureHeaderName = 'X-Forwarded-Proto'
grails.plugin.springsecurity.secureChannel.secureHeaderValue = 'http'
grails.plugin.springsecurity.secureChannel.insecureHeaderName = 'X-Forwarded-Proto'
grails.plugin.springsecurity.secureChannel.insecureHeaderValue = 'https'

This should set all redirect urls (login success url, etc.) to https even if grails runs on http. However for AJAX login it still uses http. I found someone had similar issue with grails 2:

http://stackoverflow.com/questions/27413217/how-to-get-springsecurity-grails-to-play-nicely-with-a-load-balancer-that-is-ter

The only workaround I found is to set full urls of AJAX callbacks:

grails.plugin.springsecurity.successHandler.ajaxSuccessUrl = "https://my-app.com/backend/login/ajaxSuccess"
grails.plugin.springsecurity.failureHandler.ajaxAuthFailUrl = "https://my-app.com/backend/login/ajaxAuthfail"
grails.plugin.springsecurity.logout.filterProcessesUrl = "https://my-app.com/backend/login/j_spring_security_logout"

Original idea from:
http://stackoverflow.com/a/26275028/607038

I assume this is an issue of Spring Security.

Tags: j_spring_security_logout, j_spring_security_check
burtbeckwith added a commit that referenced this issue Dec 6, 2015
@burtbeckwith
https://github.com/grails-plugins/grails-spring-security-core/issues/395
009f0af
burtbeckwith added a commit that referenced this issue Dec 7, 2015
@burtbeckwith
Added SecurityRequestHolderFilter which is registered as the first fi…
8f1add8 
…lter.

It and stores the request and response in the SecurityRequestHolder, which had been done by RequestHolderAuthenticationFilter but later in the chain. RequestHolderAuthenticationFilter also was the entry point for authentication, and was renamed to GrailsUsernamePasswordAuthenticationFilter.

SecurityRequestHolderFilter also wraps the request in a HttpServletRequestWrapper wrapper that is aware of the X-Forwarded-Proto header and returns the correct value from isSecure(), getScheme(), and getServerPort() if the header is present.

This is part of the fix for issue #395
burtbeckwith added a commit that referenced this issue Dec 7, 2015
@burtbeckwith
Issue #395
94ca412 
Added GrailsRedirectStrategy to replaced DefaultRedirectStrategy to build absolute urls when using header check channel security to prevent the container from generating urls with an incorrect scheme.

Also copied the commence method from LoginUrlAuthenticationEntryPoint into AjaxAwareAuthenticationEntryPoint to use GrailsRedirectStrategy since its RedirectStrategy is a private and final DefaultRedirectStrategy with no way to change it, and updated LogoutController to use GrailsRedirectStrategy instead of calling a regular Grails redirect.
burtbeckwith added a commit that referenced this issue Dec 7, 2015
@burtbeckwith
Added SecurityRequestHolderFilter which is registered as the first fi…
d4098c9 
…lter.

It and stores the request and response in the SecurityRequestHolder, which had been done by RequestHolderAuthenticationFilter but later in the chain. RequestHolderAuthenticationFilter also was the entry point for authentication, and was renamed to GrailsUsernamePasswordAuthenticationFilter.

SecurityRequestHolderFilter also wraps the request in a HttpServletRequestWrapper wrapper that is aware of the X-Forwarded-Proto header and returns the correct value from isSecure(), getScheme(), and getServerPort() if the header is present.

This is part of the fix for issue #395
burtbeckwith added a commit that referenced this issue Dec 7, 2015
@burtbeckwith
Issue #395
6d74362 
Added GrailsRedirectStrategy to replaced DefaultRedirectStrategy to build absolute urls when using header check channel security to prevent the container from generating urls with an incorrect scheme.

Also copied the commence method from LoginUrlAuthenticationEntryPoint into AjaxAwareAuthenticationEntryPoint to use GrailsRedirectStrategy since its RedirectStrategy is a private and final DefaultRedirectStrategy with no way to change it, and updated LogoutController to use GrailsRedirectStrategy instead of calling a regular Grails redirect.
@burtbeckwith
Copy link
Contributor

Fixed, will be in the next release of 2.0 and 3.0

@kuceram
Copy link
Author

kuceram commented Jan 5, 2016

Works fine!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@burtbeckwith @kuceram