Spring Security is a lightweight security framework that provides authentication and authorization support in order to secure Spring-based applications. It comes bundled with popular security algorithm implementations. I will cover a series of different topics related to Spring Security in my upcoming blogs. We will go through the...
Some applications require storing and showing the last login of the user, which is quite common. With this feature, a user can verify the last login date and time upon successful login. I would like to explain this through a use case - one of the administrative applications on Grails was required to hold the last login date and time of the user, so...
Spring Security has a nice feature of request caching. When a user tries to access a secured resource without logging into the system, Spring Security caches that request and redirects the user to the login page. After successful authentication, it redirects the user to that cached request. This works for both Ajax and non-Ajax requests. To...
In a recent project we were required to move our static content files to a CDN because the servers were getting millions of hits every hour and many of the resources on the main page were static (like JS/CSS/etc). I hope most people already understand CDNs. So, I’m not covering any information on CDN fundamentals or how to set it...
Sometimes we need to access details of the currently logged-in user, but that requires an additional database query. To save that query we can use the principal object of Spring Security, which provides details of the logged-in user. But by default the principal object has only a few fields like id, username and password. If we need to access the user's name /...
What if our use case is to perform a custom task on login and logout while keeping the beauty of Spring Security intact? My use case was to make a third-party SOAP API call to perform login/logout, sending the user's details as parameters. Override Login: write your own Authentication Provider class that extends...
Restricting concurrent sessions for a single user is a very common requirement for any software tool that requires licensing based on the number of users. You can read about how we can manage (or allow) concurrent sessions with Grails 2 using the Spring Security plugin in this awesome, concise blog here. Let us see how we can allow or...
In my recent project, I wanted to implement a permission-based framework with the Spring Security Grails plugin. What does a permission-based framework mean? We can create a ROLE at run time based on the permissions given to the user. Most of the time, we use Spring Security in a way where we pre-define the roles to be used in our apps. But...
We were trying to implement SSL-based login and registration (i.e. HTTPS) in an e-commerce web application which was otherwise using the non-secure protocol (i.e. HTTP) for the entire website. Instead of moving the entire web application to SSL, which would have increased response times, we thought it would be best if only the...
Spring Security loads the roles of a user from the user role table based on all roles assigned to the user, and those roles are application-specific. But in my project I needed to assign roles to a user based on an instance, so when the instance is changed, the roles should change. In Grails we can override the methods of the plugin. So when the instance changes...
In most of our applications we are using the Spring Security Core plugin for the authentication process. We define some roles in it. Have you ever thought about assigning precedence to the roles? For example, you have 3 roles defined in your application, i.e. ROLE_SUPER_ADMIN, ROLE_ADMIN, ROLE_ATTENDEE. While using these roles, i.e. ...
Many Grails plugins like searchable and console can prove to be really dangerous if access to their URLs is not blocked. After adding the searchable plugin to my project, I realized that access to its controllers was not defined and was open to all. Now this was a major security concern. There are many ways of restricting access, like...