The purpose of this assignment is to introduce you to authentication in websites. In particular, you will learn about:<\/p>\n\n\n\n
We will use the Spring Security Core plugin with an additional plugin, the Spring Security UI plugin. The Spring Security Core authenticates users and control access to pages. The Spring Security UI provides convenient UI for controlling access and users. It also uses the mail plugin during the registration and reset forgotten passwords. The documentation for the plugins are at:<\/p>\n\n\n\n
To install plugins, all you need to do is to list them in build.gradle file (found at the root of the project files). Near the bottom of the build.gradle file, you should see a long list of dependencies<\/strong>. Cut and paste into this dependencies list the declarations below:<\/p>\n\n\n\n If you stop and start your app now, you will not get what you expect. The browser will be redirected to the login screen (with bad\/broken styling). We need to setup Spring Security Core.<\/p>\n\n\n\n Run the Grails command at the project root directory using a Bash terminal<\/p>\n\n\n\n The script creates 3 domain classes, User.groovy, Role.groovy and UserRole.groovy. It also creates a application.groovy file in grails-app\/conf\/ directory. You may need to reload the project files into IntelliJ IDEA by clicking the “refresh” arrows in the toolbar. Read the tutorial in the Spring Security documentation to learn more:<\/p>\n\n\n\n https:\/\/apache.github.io\/grails-spring-security\/latest\/core-plugin\/guide\/#tutorials<\/a><\/p>\n\n\n\n If you read the first part of the tutorial, you notice that we should add<\/p>\n\n\n\n to the bottom of the conf\/application.groovy file. This makes logout easy. During debugging your web app, you can logout by clicking the logout controller in the control list page.<\/p>\n\n\n\n We can add some users and roles to the Bootstrap.groovy file. Cut and paste the code below into init\/Bootstrap.groovy init closure.<\/p>\n\n\n\n If you do not have the package specification, you may have to import the User, Role and UserRole, click on the offending class name, then hit alt-enter, finally select import. Also be sure to import The code makes two roles and two users, one a regular user and the other an admin user.<\/p>\n\n\n\n Rerun your web app. If you navigate away from the home page, you’ll be prompted with a log in screen. You can log in and see the home page, but you cannot navigate to any other pages because neither Admin or User roles are authorize to see any pages yet. Spring Security set pessimistic locking by default:<\/p>\n\n\n\n https:\/\/apache.github.io\/grails-spring-security\/latest\/core-plugin\/guide\/#pessimistic-lockdown<\/a><\/p>\n\n\n\n There are basically two methods for setting up access, either using the Request Mapping or annotating the controller or action. Read the Spring Security documentation about Request Mappings<\/p>\n\n\n\n https:\/\/apache.github.io\/grails-spring-security\/latest\/core-plugin\/guide\/#requestMappings<\/a><\/p>\n\n\n\n We use static mapping for the public views.<\/p>\n\n\n\n https:\/\/apache.github.io\/grails-spring-security\/latest\/core-plugin\/guide\/#configGroovyMap<\/a><\/p>\n\n\n\n Add these static rules to the grails.plugin.springsecurity.controllerAnnotations.staticRules map at the bottom of the conf\/application.groovy file.<\/p>\n\n\n\n Do not forget to add a comma to the end of the prior list. But I have noticed that groovy parser does not mind if the last item in a list has a comma, so I leave it with a comma at the end, making it easy to add more rules.<\/p>\n\n\n\n The first two rules grants public to access to all of the books and authors views. The last two rule restrict access to the controllerList and author views to admin users.<\/p>\n\n\n\n Rerun the grails app. Working through the programming assignment this year, I noticed a new error after adding new static rules to the application.groovy. <\/p>\n\n\n\n To fix the this error you need to rebuild the project from scratch. To do this, enter<\/p>\n\n\n\n Then run the app. It should now build and run. <\/p>\n\n\n\n Open the app in your browser. Now you can view the home and books index views. To view the controller list you’ll need to login as admin. You still can not access the book views.<\/p>\n\n\n\n If you try access a page that you do not have authorization to view Spring Security will confront you with a login page. After logging in, Spring Security should redirect you to the page that you tried to access. This does not happen all the time (I’m not sure why) and the browser remains on the login page. If this happens, you can navigate to page using the browser’s back arrow. <\/p>\n\n\n\n Read about annotating controller actions at<\/p>\n\n\n\n https:\/\/apache.github.io\/grails-spring-security\/latest\/core-plugin\/guide\/#securedAnnotations<\/a><\/p>\n\n\n\n Now, you try annotating the Book controller methods. Add the annotation just above the class definition.<\/p>\n\n\n\n You also need to add the import to the top of the class.<\/p>\n\n\n\n Stop and start your web app. Notice that you can view the the home page, Books and Authors index actions without logging in, but you cannot access the Author or Book actions without encountering the login screen.<\/p>\n\n\n\n Generally, you do not want to mix the two techniques. I prefer to use the static rules instead of the annotation for two reasons. First, you can see all the rules at once in application.groovy. Second, you can control access to code you did not write, for example a plugin, without modify the plugin code.<\/p>\n\n\n\n The Spring Security UI plugin provides admin user and role controllers and views, so that the admin can perform common tasks such as adding users and roles. Also Spring Security UI provides views for displaying security information.<\/p>\n\n\n\n At the start page you’ll notice that Spring Security UI plugin has added many controllers. At the bottom of the list is the grails.plugin.springsecurity.ui.UserControler. If you click on the link you will be confronted with the login screen. You can login as admin, but that will not give you access to the view.<\/p>\n\n\n\n In the conf\/applictaion.groovy, add to the bottom of the staticRules the entries:<\/p>\n\n\n\n We also add the finally rule to let anyone logout.<\/p>\n\n\n\n You will need to restart the grails app. Login as admin, you should see the User Management Search page.<\/p>\n\n\n\n Read about the Spring Security UI controllers and views in the documentation:<\/p>\n\n\n\n https:\/\/apache.github.io\/grails-spring-security\/latest\/ui-plugin\/guide<\/a><\/p>\n\n\n\n Spring Security UI is a good tool for learning about Spring Security, so explore all the features of the backend. You can access them from the menu bar at the top of the page.<\/p>\n\n\n\n Spring Security UI has many configurations and techniques to customize. You should reread the documentation, especially the “Customization” section if you use it for your team project application. <\/p>\n\n\n\n In this step you will add login and out links to the navbar. You can also have the navbar identifiy the person logged in.<\/p>\n\n\n\n Read the chapter on Helper Classes in the Spring Security Core plugin documentation. In particular read about the Security Tag Library:<\/p>\n\n\n\n https:\/\/apache.github.io\/grails-spring-security\/latest\/core-plugin\/guide\/#securityTagLib<\/a><\/p>\n\n\n\n You will use the <sec:ifLoggedIn>, <sec:ifNotLoggedIn> and <sec:username> tags in the navbar.<\/p>\n\n\n\n Add the following code to _navbar.gsp below the other links for the menu:<\/p>\n\n\n\n Restart the app, and try out the new menu items.<\/p>\n\n\n\n Notice that after logging in the user name appears in the navbar. The link could be used to send the user to their profile page.<\/p>\n\n\n\n The AJAX is a technique to create dynamic effects in a view without loading a new page. The basic idea is that a request is sent to the server but the response is returned to the same page instead of loading a new page. In this way, only a portion of the page needs to load rather than the complete page.<\/p>\n\n\n\n AJAX uses JavaScript, so you’ll want to study JavaScript. A good resource is W3 Schools.<\/p>\n\n\n\n http:\/\/www.w3schools.com\/js\/default.asp<\/a><\/p>\n\n\n\n An more complete resource is at the Mozilla Developer Network.<\/p>\n\n\n\n https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/JavaScript<\/a><\/p>\n\n\n\n Most of the language should be familiar to you. But there are some aspects that you should study.<\/p>\n\n\n\n For the most part, you will be writing functions for event handlers. You should read about javascript functions:<\/p>\n\n\n\n A major purpose of javascript is to manipulate the web page. Javascript’s models the web page as a Document Object Model (DOM). Read the chapters about the DOM.<\/p>\n\n\n\n These tutorials are very short, so they will not take long to read. Be sure to try the examples so that you understand each concept.<\/p>\n\n\n\n JQuery is a JavaScript library that simplifies using JavaScript. We will be using JQuery, so you will want to study it. A good resource for JQuery is W3 Schools.<\/p>\n\n\n\n http:\/\/www.w3schools.com\/jquery\/default.asp<\/a><\/p>\n\n\n\n Be sure to study the introductory chapters about jQuery:<\/p>\n\n\n\n Also be sure to study the use of AJAX in jQuery:<\/p>\n\n\n\n More resources are available at the jQuery Learning Center.<\/p>\n\n\n\n https:\/\/learn.jquery.com\/<\/a> <\/p>\n\n\n\n After reading the above, you should be prepared to understand the code that we’ll add to our web app.<\/p>\n\n\n\n Now, we’ll make a very simple ajax code in the home view. We’ll add a link to the home view to show the current date and time.<\/p>\n\n\n\n In the views\/index.gsp file, add the link and result div to the home\/index.gsp by adding the code below in the body of the view just below the jumbotron div.<\/p>\n\n\n\n You should notice that the “Show the time!” link will call the showTime action in the Home controller, so we should make that controller and action.<\/p>\n\n\n\n We need place to run the server code. Typically, we would use the controller for the view, but currently the home page does not have a controller associated with it. Note that the g:link already specifies a Home controller. Make a new controller call it Home. After Grails has generated the controller, add a showTime method to the home controller by cutting and pasting the code below.<\/p>\n\n\n\n You also need to grant the public access to home controller. In application.groovy add the following static rules:<\/p>\n\n\n\n You’ll have to clean the project before rerunning Grails. Rerun the Grail and try the link in the browser. It should take you to a new page showing the time.<\/p>\n\n\n\n But, that is not what we want. We would like for the date and time to show on the same home page. We need to add some JavaScript.<\/p>\n\n\n\n In grails-app\/assets\/javascrips\/ directory, make showTime.js file. Then cut and paste the code below into the file.<\/p>\n\n\n\n Note that you need the “return false” to prevent the normal behavior, the link navigating to a new page. <\/p>\n\n\n\n You might wonder how the showTime.js file is added to the page<\/p>\n\n\n\n In the \/views\/layout\/site.gsp, the other asset tag at the bottom of the page tells asset-pipeline to source the application.js.<\/p>\n\n\n\n Inspect the grails-app\/asset\/javascript\/application.js file, add above “\/\/= require self” the directive:<\/p>\n\n\n\n which will include all the JavaScript files in the directory.<\/p>\n\n\n\n The asset pipeline\u00a0does much more, especially in the production environment. The plugin code is at <\/p>\n\n\n\ndependencies {\n ...\n \/\/ Add for Spring Security\n \/\/ implementation \"org.grails.plugins:spring-security-core:5.1.0\" \/\/ Do not need. Spring Security UI dependencies will add\n implementation 'org.grails.plugins:spring-security-ui:4.0.0-RC1'\n \/\/ implementation 'org.grails.plugins:mail:2.0.0' \/\/ Does not work using Java 11. Also don't have to use.\n}<\/pre>\n\n\n\nStep 2: Setup Spring Security Core.<\/h1>\n\n\n\n
1. Run S2 Quick Start script.<\/h2>\n\n\n\n
.\/grailsw s2-quickstart cs4760progassign User Role<\/pre>\n\n\n\n
grails.plugin.springsecurity.logout.postOnly = false<\/pre>\n\n\n\n
2. Make Role and Users in Bootstrap.groovy<\/h2>\n\n\n\n
package cs4760progassign\n\nimport grails.gorm.transactions.Transactional\n\nclass BootStrap {\n\n @Transactional\n void addUsers() {\n \/\/ Add for creating Roles and Users\n def adminRole= new Role(authority: 'ROLE_ADMIN').save(flush: true)\n def userRole = new Role(authority: 'ROLE_USER').save(flush: true)\n\n def testAdmin = new User(username: 'admin', password: 'password')\n testAdmin.save(flush: true)\n\n def testUser = new User(username: 'user', password: 'password')\n testUser.save(flush: true)\n\n UserRole.create testAdmin, adminRole, true\n UserRole.create testUser, userRole, true\n UserRole.withSession {\n it.flush()\n it.clear()\n }\n }\n\n def init = { servletContext ->\n addUsers()\n ...\n }\n\n def destroy = {\n }\n\n}<\/pre>\n\n\n\ngrails.gorm.transactions.Transactional<\/code> and to annotate the addUsers <\/code>method with @Transactonal<\/code>. Do not forget to call addUsers <\/code>in the init <\/code>method. <\/p>\n\n\n\nStep 3: Setup Access to Views<\/h1>\n\n\n\n
1. Add Static Rules<\/h2>\n\n\n\n
grails.plugin.springsecurity.controllerAnnotations.staticRules = [\n ...\n [pattern: '\/books\/**', access: ['permitAll']],\n [pattern: '\/authors\/**', access: ['permitAll']],\n\n [pattern: '\/controllerList\/**', access: ['ROLE_ADMIN']],\n [pattern: '\/author\/**', access: ['ROLE_ADMIN']],\n]<\/pre>\n\n\n\n
FAILURE: Build failed with an exception.\n\nWhat went wrong:\nExecution failed for task ':findMainClass'.\nUnable to find a single main class from the following candidates [application, cs4760progassign.Application]<\/span><\/pre>\n\n\n\n.\/gradlew clean<\/pre>\n\n\n\n
2. Add Annotation to BookController<\/h2>\n\n\n\n
@Secured(['ROLE_ADMIN'])\nclass BookController {\n...\n}<\/pre>\n\n\n\nimport grails.plugin.springsecurity.annotation.Secured<\/pre>\n\n\n\n
Step 4: Spring Security UI<\/h1>\n\n\n\n
1. Accessing User-Role Backend<\/h2>\n\n\n\n
[pattern: '\/user\/**', access: ['ROLE_ADMIN']],\n[pattern: '\/role\/**', access: ['ROLE_ADMIN']],\n[pattern: '\/registrationCode\/**', access: ['ROLE_ADMIN']],\n[pattern: '\/securityInfo\/**', access: ['ROLE_ADMIN']],\n[pattern: '\/logout\/**', access: ['permitAll']],<\/pre>\n\n\n\n
2. Explore User-Role Backend<\/h2>\n\n\n\n
Step 5: Add login\/logout to Navbar<\/h1>\n\n\n\n
<sec:ifLoggedIn>\n <li class=\"nav-item\">\n <a class=\"nav-link\" href=\"#\"><sec:username\/><\/a>\n <\/li>\n<\/sec:ifLoggedIn>\n<li class=\"nav-item\">\n <sec:ifLoggedIn><g:link class=\"nav-link\" controller=\"Logout\">log out<\/g:link><\/sec:ifLoggedIn>\n <sec:ifNotLoggedIn><g:link class=\"nav-link\" controller=\"login\" action=\"auth\">Login<\/g:link><\/sec:ifNotLoggedIn>\n<\/li><\/pre>\n\n\n\n
<sec:ifLoggedIn><\/code>, <sec:ifNotLoggedIn><\/code> and < sec:username\/><\/code> tags are accessing session parameters. I’ll speak more about session parameters in a lecture.<\/p>\n\n\n\nStep 6: Study AJAX<\/h1>\n\n\n\n
1. Study JavaScript<\/h2>\n\n\n\n
\n
\n
2. Study JQuery<\/h2>\n\n\n\n
\n
\n
Step 7: Make a Simple AJAX Call<\/h1>\n\n\n\n
1. Edit index.gsp<\/h2>\n\n\n\n
<!-- Simple Ajax link to show time -->\n<g:link controller=\"home\" action=\"showTime\" elementId=\"timeLink\">Show the time!<\/g:link>\n<div id=\"time\"> time <\/div><\/pre>\n\n\n\n
2. Add the Server Code<\/h2>\n\n\n\n
private static final boolean debugTime = true \/\/flag for debug printing \n\ndef showTime() {\n if(debugTime)println \"In showTime\"\n render \"The time is ${new Date()}\"\n}<\/pre>\n\n\n\n[pattern: '\/home\/**', access: ['permitAll']],<\/pre>\n\n\n\n
4. Add JavaScript<\/h2>\n\n\n\n
console.log(\"Hello showtime\");\n$(document).ready( function(){\n $('#timeLink').click(function(){\n console.log(\"showtime click function\");\n $('#time').load(this.href); \n return false;\n });\n});\n<\/pre>\n\n\n\n<asset:javascript src=\"application.js\"\/><\/pre>\n\n\n\n
\/\/= require_tree .\n\/\/= require_self<\/pre>\n\n\n\n