Comments on: Basic Authentication and Grails

By: Sebastian

Sebastian — Fri, 25 Mar 2011 13:56:02 +0000

Thanks for the tip. One small bug in Romains code:

if(!ValidationUtil.validate(request,response, log, grailsApplication)){ render(text: "User not known.") return } }

must read

if(!ValidationUtil.validate(request,response, log, grailsApplication)){ render(text: "User not known.") return false } }

in order to prevent execution of the action if the user is not logged in.

By: Romain

Romain — Thu, 24 Feb 2011 10:31:19 +0000

I changed you code in order to log with a login and password in the configuration file.

I also add the WWW-Authenticate in order to respect the standard :
response.addHeader("WWW-Authenticate", "Basic realm=\"Secure Area\"")
class SecurityFilters { def grailsApplication def filters = { basicAuth(controller: 'prospect', action: '*') { before = { if(!ValidationUtil.validate(request,response, log, grailsApplication)){ render(text: "User not known.") return } } }


        basicAuth(controller: 'hash', action: '*') {

            before = {

                if(!ValidationUtil.validate(request,response, log, grailsApplication)){

                  render(text: "User not known.")

                  return

                }

            }

        }
    }

}
/**

 * Basic Authentication

 * return false if login failed, and true if login is successful

 *

 * The HTTP status code and the HTTP header of the response are set as this :

 *

 * "Authorization" not present in the header of the request :

 *  - status : 401

 *  - add hedaer : WWW-Authenticate: Basic realm="Secure Area"

 *

 *  "Authorization" present, but bad login / password

 *  - status : 403

 *

 */

class ValidationUtil{

    static validate(def request, def response, def log, def grailsApplication){

            try {

                def authString = request.getHeader('Authorization')

                if (!authString) {

                    response.status = 401

                    response.addHeader("WWW-Authenticate", "Basic realm=\"Secure Area\"")

                    return false

                }

                def encodedPair = authString - 'Basic '

                def decodedPair = new String(new sun.misc.BASE64Decoder().decodeBuffer(encodedPair));

                def credentials = decodedPair.split(':')

                def login = grailsApplication.config.admin.security.login

                def password = grailsApplication.config.admin.security.password

if (login.equals(credentials[0]) && password.equals(credentials[1])) { return true } else { log.warn("User not known") response.status = 403 return false } } catch (Exception e) { log.warn("User not known", e) response.status = 403 return false } } }

By: Building Blocks » Grails: Ajax Login using Basic Auth

Building Blocks » Grails: Ajax Login using Basic Auth — Tue, 07 Apr 2009 19:07:08 +0000

[...] you want. If you want a simple solution and stick with the HTTP standard you could use Basic auth. Here is a good explaination of how to implement Basic auth for Grails. Another way is too use a cookie to hold authorization [...]

By: a walking city » Blog Archive » OpenID and Grails

a walking city » Blog Archive » OpenID and Grails — Thu, 20 Mar 2008 23:51:17 +0000

[...] Our final step is to set up an Authentication filter like the one we made for basic authentication . The only difference is that we have a number of controller actions that we want to allow to pass [...]