Sherif

Reputation: 93

Spring security grails plugin

I'm using the Spring Security Grails plugin v2.0.0 RC5 in my Grails application, but I noticed something: while logging in to the application the username is not case sensitive. For instance, if you write user or USER, both will log in successfully. What I need to do is make the username case sensitive.

I found that the isLoggedIn action in springSecurityService handles the login, but I can't see any checking of the provided username or password in it.

Here is the isLoggedIn code:

boolean isLoggedIn() {
    def authentication = SCH.context.authentication
    authentication && !authenticationTrustResolver.isAnonymous(authentication)
}

Am I searching in the right place?

Upvotes: 0

Views: 123

Answers (2)

James Kleeh

Reputation: 12238

There is a configuration property for that. https://grails-plugins.github.io/grails-spring-security-core/3.2.x/index.html#domainClassProperties

userLookup.usernameIgnoreCase

Upvotes: 1

Bhushan Uniyal

Reputation: 5703

In my Grails app I'm using the Spring Security plugin and have defined a custom userDetailsService Spring bean in order to control how user and role data is retrieved, e.g.

import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.userdetails.GrailsUserDetailsService
import org.springframework.security.core.authority.GrantedAuthorityImpl
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException

class MyUserDetailsService implements GrailsUserDetailsService {

    /**
     * Some Spring Security classes (e.g. RoleHierarchyVoter) expect at least one role, so
     * we give a user with no granted roles this one which gets past that restriction but
     * doesn't grant anything.
     */
    static final List NO_ROLES = [new GrantedAuthorityImpl(SpringSecurityUtils.NO_ROLE)]

    UserDetails loadUserByUsername(String username, boolean loadRoles) {
        return loadUserByUsername(username)
    }

    UserDetails loadUserByUsername(String username) {
        User.withTransaction { status ->

            User user = User.findByUsername(username)
            // findByUsername may match case-insensitively depending on the database
            // collation, so reject the row unless the stored username is an exact match.
            if (!user || user.username != username) {
                throw new UsernameNotFoundException('User not found', username)
            }

            def authorities = user.authorities.collect { new GrantedAuthorityImpl(it.authority) }
            return new CustomUserDetails(
                    user.username,
                    user.password,
                    user.enabled,
                    !user.accountExpired,
                    !user.passwordExpired,
                    !user.accountLocked,
                    authorities ?: NO_ROLES,
                    user.id,
                    user.name)
        }
    }
}

Now you will see

**if (!user || user.username != username) {**

this will solve your problem. But here is another problem: your implementation also depends on your database, because e.g. MySQL is case insensitive, so if you search for a user with the name Joy it will return all the users that have the name joy, no matter whether it is in capital or small letters. So you need to check the value in the database before persisting a new user. Also, another problem is, if you check the user domain

username blank: false, unique: true, email: true

username is unique, which means you can't insert the username joy again if Joy exists in the db, so you need to change it and write your own custom logic to handle this problem.

Upvotes: 0
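As an added example (not code from either answer), this is one way to write the pre-persist check the second answer calls for. It assumes a Grails domain class named `User` with a `String username` property; the exact-case comparison is done in Groovy because the database lookup itself may be case insensitive.

```groovy
// Added example, not from the original answers. Assumes a Grails domain class
// named User with a String username property.
class User {

    String username
    String password
    boolean enabled = true
    boolean accountExpired
    boolean accountLocked
    boolean passwordExpired

    static constraints = {
        // unique: true is not used here: with a case-insensitive collation
        // (MySQL's default) the database treats 'Joy' and 'joy' as the same
        // value, so it would reject 'joy' even though 'Joy' is a different user.
        // The custom validator states the rule explicitly, independent of collation.
        username blank: false, validator: { String value, User self ->
            // The dynamic finder may return rows that differ only in case, so
            // compare the stored value exactly before deciding.
            boolean taken = User.findAllByUsername(value).any { User other ->
                other.username == value && other.id != self.id
            }
            // Returning a String marks the field invalid with that message code.
            taken ? 'user.username.taken' : true
        }
        password blank: false
    }
}
```

If the table already carries a case-insensitive unique index on the username column, that index has to be dropped or recreated with a case-sensitive collation as well, otherwise the database still rejects the insert.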
