login automatically with Grails Spring Security

Question

My Grails app is using the Spring Security plugin. I need to login a user programatically, and I don't have access to their password. I tried the following, which supposedly worked when using the Acegi plugin (an ancestor of the Spring Security plugin):

// automatically login a user and assign them the USER role. 
// In my app, the email address is also the username
GrantedAuthority[] auths = [new GrantedAuthorityImpl('USER')]
SecurityContextHolder.context.authentication 
        = new UsernamePasswordAuthenticationToken(email, 'unknown', auths)

It seems like this has almost worked, because if I call springSecurityService.principal after executing the above, I get back the email address of the automatically logged in user. However, if I call springSecurityService.currentUser I get an error. The root cause of this error is that:

SpringSecurityUtils.securityConfig.userLookup.userDomainClassName

returns "Person" which is not the name of my user class. The various tags such as <sec:loggedInUser> also don't work, presumably for the same reason.

I wonder if this problem is somehow related to the fact that I'm using pre-existing domain classes for user and role (rather than classes generated by the plugin)? If the user logs in by entering their username and password into the form (rather than programatically), everything seems to work fine.

Update

Following Burt's advice, I replaced the code above with:

springSecurityService.reauthenticate(email)

But I still get an error on these lines within SpringSecurityService.getCurrentUser()

String className = SpringSecurityUtils.securityConfig.userLookup.userDomainClassName
grailsApplication.getClassForName(className).get(principal.id)

Because className is set to "Person", rather than the name of my User class.

stupid question from my site: have you configured the plugin to use your custom user class? e.g. by adding grails.plugins.springsecurity.userLookup.userDomainClassName = 'package.your.User' grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'package.your.UserRole' grails.plugins.springsecurity.authority.className = 'package.your.Role' to your Config.groovy — Chris, Aug 18 '11 at 22:20
No, I was told (by the plugin author) that this is not necessary in my case http://stackoverflow.com/questions/6899566/use-existing-domain-classes-with-spring-security-plugin Might be worth a try nonetheless — Dónal, Aug 18 '11 at 22:29
The `grails.plugins.springsecurity.userLookup.userDomainClassName` config attribute is used by the plugin's `UserDetailsService` but when you have a custom implementation you don't need to set it, you just use the real domain class name. `reauthenticate()` calls `userDetailsService.loadUserByUsername(username)` so it should work the same way as when you're authenticating via the login page. — Burt Beckwith, Aug 18 '11 at 22:40
@Burt - did you mean I should call `reauthenticate()` after the code I originally posted or instead of? I chose the latter. — Dónal, Aug 18 '11 at 23:25
No, I mean that since authentication works with the configured UserDetailsService and reauthenticate() calls that, it should also work. The unset property shouldn't come into play. — Burt Beckwith, Aug 19 '11 at 01:52

score 20 · Accepted Answer · edited Jan 17 '19 at 16:06

20

If the user exists in the database use springSecurityService.reauthenticate() - see this link for Grails 2 or this link for Grails 3.

This method is designed to update the authentication when a user change has made it out of sync with the database, but it's also useful for this scenario where you want to force a valid authentication for an existing user but don't know the password.

edited Jan 17 '19 at 16:06

Ivar

6,138
12
49
61

answered Aug 18 '11 at 21:37

Burt Beckwith

75,342
5
143
156

2

For Don's situation, this is a way better answer than mine. :) – Gregg Aug 18 '11 at 21:39
The old 1.x link is at http://grails-plugins.github.io/grails-spring-security-core/docs/manual.1273/guide/6%20Helper%20Classes.html#6.2%20SpringSecurityService and the new 2.x link is at http://grails-plugins.github.io/grails-spring-security-core/docs/manual/guide/helperClasses.html#springSecurityService – Burt Beckwith May 03 '14 at 15:20
2

They have moved again: http://grails-plugins.github.io/grails-spring-security-core/guide/helperClasses.html#springSecurityService – Erik Pragt Jul 03 '14 at 08:06
1

The docs for the grails 3 plugin is here: http://grails-plugins.github.io/grails-spring-security-core/v3/index.html#springSecurityService – Roberto Perez Alcolea Sep 14 '16 at 17:27

Sergey Ponomarev · Answer 2 · 2019-05-16T08:54:21.640

1

The reauthenticate() method has two limitations:

It don't check password
It don't fire events. That's why a lot of plugins that listen events may not work. For example the brute force defender plugin.

edited May 16 '19 at 08:54

answered Oct 25 '13 at 00:48

Sergey Ponomarev

2,947
1
33
43

score 1 · Answer 3 · answered Aug 18 '11 at 21:20

Maybe this code snippit from a webapp I wrote will help. We had to auth users using a RESTful API and they provided a username and an API key..The key piece in this code is setting the authorities and the authenticated boolean.

class CustomAppTokenAuthenticationProvider implements AuthenticationProvider {

  def userDetailsService

  Authentication authenticate(Authentication customAuth) {
    def userDetails = userDetailsService.loadUserByUsername(customAuth.principal)
    def user = User.get(userDetails.id)
    if (user?.apiKey.equals(customAuth.credentials)) {
      customAuth.authorities = userDetails.authorities
      customAuth.authenticated = true
      return customAuth
    } else {
      return customAuth
    }
  }

  boolean supports(Class authentication) {
    return CustomAppTokenAuthentication.class.isAssignableFrom(authentication)
  }
}

And here is code from the filter that intercepts the API calls to handle the authentication

    def userId = request.getHeader("x-user-external-id")
    def apiKey = request.getHeader("x-user-api-key")
    if (userId && apiKey) {
      def user = User.findByExternalId(userId)

      def myAuth = new CustomAppTokenAuthentication(
              name: userId,
              credentials: apiKey,
              principal: user.username,
              authenticated: false
      )

      def auth = authenticationManager.authenticate(myAuth);
      if (auth?.authorities?.size() >= 0) {
        log.info "Successfully Authenticated ${userId} in object ${auth}"
        // Store to SecurityContextHolder
        SecurityContextHolder.getContext().setAuthentication(myAuth);
      } else {
        SecurityContextHolder.getContext().setAuthentication(null)
      }

login automatically with Grails Spring Security

Update

3 Answers3

Linked