AuthService.isUserInRole doesn't ensure grailsApplication.config.security.cas.bypass is a boolean #3

Open
sbearcsiro opened this issue Sep 11, 2014 · 2 comments
@sbearcsiro
Contributor

The auth service doesn't check that the grailsApplication.config.security.cas.bypass property is a boolean. This causes the truthy value of the value to be used instead, which means that adding this in an external properties file:

security.cas.bypass=false

In a config file will actually bypass the user in role check because "false" is true.

@nickdos nickdos self-assigned this Sep 12, 2014
@aruizca
Contributor

aruizca commented Nov 11, 2014

I just ran into this error. The problem is actually in the doWithWebDescriptor closure when configuring the filter initialization parameters:

                'init-param' {
                    'param-name' ('disableCAS')
                    'param-value' (Holders.config.security.cas.bypass == true ? 'true' : 'false')
                }

Holders.config.security.cas.bypass is a String, so it is always evaluated to false.
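The two failure modes reported above, reproduced as an added example that is not part of the original thread or the plugin's code. The properties text is constructed, and `casBypassEnabled` is a hypothetical helper showing one fail-closed way to normalise the setting:

```groovy
// Added illustration; not code from the plugin. The properties text is constructed.
def props = new Properties()
props.load(new StringReader('security.cas.bypass=false'))
def config = new ConfigSlurper().parse(props)

def raw = config.security.cas.bypass
assert raw instanceof String             // a properties file only ever yields Strings

// Pattern 1 (AuthService report): Groovy truth applied to a non-empty String.
boolean viaTruth = raw ? true : false
assert viaTruth                          // "false" is truthy, so the role check is skipped

// Pattern 2 (doWithWebDescriptor snippet): a String compared with Boolean true.
def viaEquals = { v -> v == true ? 'true' : 'false' }
assert viaEquals('true') == 'false'      // String "true" never equals Boolean true
assert viaEquals(true) == 'true'         // only a real Boolean takes the 'true' branch

// Hypothetical helper: accept a Boolean or the literal text "true", and treat
// everything else (including an unset key) as "bypass disabled".
boolean casBypassEnabled(Object value) {
    if (value instanceof Boolean) return value
    if (value instanceof CharSequence) return value.toString().trim().equalsIgnoreCase('true')
    return false
}

assert !casBypassEnabled(raw)                           // "false" from the properties file
assert casBypassEnabled('true')
assert casBypassEnabled(true)
assert !casBypassEnabled('yes')                         // anything but "true" stays off
assert !casBypassEnabled(config.security.cas.missing)   // unset key is an empty ConfigObject
```

Because the helper defaults to `false` for any unrecognised value, a typo in the external config leaves CAS enforcement on rather than silently disabling it.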

@aruizca
Contributor

aruizca commented Nov 11, 2014

As @sbearcsiro says, there is also a bug in AuthService.groovy.
I will have a PR ready shortly.

aruizca added a commit that referenced this issue Nov 11, 2014
- Fixes AuthService.groovy and AlaWebThemeGrailsPlugin.groovy from the fact that the security.cas.bypass parameter comes as a String and not a Boolean, so it requires explicit casting to evaluate correctly in those cases where it is set to true in the external config file.
- Version number bumped to 0.8.3-SNAPSHOT
- Makes the Maven dependency resolution engine, aether, be used instead of Ivy, which is known to not be very good
- Explicitly excludes servlet-api dependency from rest plugin
nickdos added a commit that referenced this issue Nov 20, 2014