1
votes

So I've got a standard Grails 2.2.1 app using spring-security-core:1.2.7.3. I have a custom filter that validates a password to a restricted part of the application.

If I hit another restricted URL I can see the Spring filter chain throwing the following exception

Secure object: FilterInvocation: URL: /list; Attributes: [ROLE_USER]

which is correct if the user is not logged in, as they don't have the role assigned yet. Other filters, i.e. the /landing URLs, are restricting access. However, this does not get thrown when a user hits the URL

/press/meta

The application is configured as follows:

Config.groovy

grails.plugins.springsecurity.interceptUrlMap = [
    '/landing/**': ['ROLE_USER', 'ROLE_ADMIN'],
    '/press/**':   ['ROLE_USER', 'ROLE_ADMIN'],
    '/list/**':    ['ROLE_USER'],
    '/**':         ['IS_AUTHENTICATED_ANONYMOUSLY']
]

UrlMappings.groovy

// standard Grails UrlMappings layout; the two mappings are the ones posted
class UrlMappings {
    static mappings = {
        "/$controller/$action?/$id?" {
            constraints {
                // apply constraints here
            }
        }
        "/press/meta"(view: "/meta/index")
    }
}

All my controllers and app functionality are working as expected, but when I hit the URL

http://localhost:8080/WebSite/press/meta?pass=password1

it does not restrict access, even if the user is NOT logged in. But the custom filter validates the password and, if correct, will allow the user to continue. The filter returns true/false depending on whether the password is correct.

The log looks like the following:

06,02 18:41:51:097 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/press/meta'; to: '/press/meta'
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Candidate is: '/press/meta'; pattern is /**; matched=true
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?pass=password at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
06,02 18:41:51:101 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 5 of 8 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06,02 18:41:51:115 [http-bio-8080-exec-1] DEBUG intercept.FilterSecurityInterceptor - Public object - authentication not attempted
06,02 18:41:51:116 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 reached end of additional filter chain; proceeding with original chain
06,02 18:41:51:151 [http-bio-8080-exec-1] DEBUG portal.AdminFilters - Admin secret matched, proceeding
06,02 18:41:51:553 [http-bio-8080-exec-1] DEBUG access.ExceptionTranslationFilter - Chain processed normally

I'm trying to figure out what the best practice is here: either do some Spring Security logic in the custom filter and, if the user does not have the correct role, throw an exception, but I'd rather have Config.groovy manage this!

Any help or advice is appreciated.

J

1
Have you tried adding a custom rule for just "/press/meta" in the Config.groovy? - brwngrldev

1 Answer

1
votes

In spring-security-core v1.2.7.3, the default securityConfigType is Annotation. To activate the URL map you've defined, you must specify this configuration parameter:

grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"

Link to docs
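As an added illustration, not part of the answer or of the asker's project, this is what the relevant part of Config.groovy looks like once the setting from the answer is applied. The map entries are the ones posted in the question; the comments describe the weak state (map defined but never consulted) beside the corrected one.

```groovy
// Config.groovy (added example; the asker's real file is not shown in full)

// Weak state: interceptUrlMap is defined but ignored, because in
// spring-security-core 1.2.7.3 securityConfigType defaults to "Annotation".
// FilterSecurityInterceptor then treats /press/meta as a public object
// ("Public object - authentication not attempted") and the request falls
// through to the custom password filter.
//
// Corrected state: select the intercept-URL map explicitly.
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"

// Order matters: rules are evaluated top to bottom and the first match wins,
// so the catch-all '/**' entry must stay last or it would grant anonymous
// access to every URL above it.
grails.plugins.springsecurity.interceptUrlMap = [
    '/landing/**': ['ROLE_USER', 'ROLE_ADMIN'],
    '/press/**':   ['ROLE_USER', 'ROLE_ADMIN'],
    '/list/**':    ['ROLE_USER'],
    '/**':         ['IS_AUTHENTICATED_ANONYMOUSLY']
]
```

A quick way to confirm the change took effect is to repeat the anonymous request for /press/meta with the same DEBUG logging as in the question: the FilterSecurityInterceptor line should now read like the "Secure object: FilterInvocation: URL: ... Attributes: [...]" entry the question shows for /list, rather than "Public object - authentication not attempted", and the custom filter's "Admin secret matched" line should no longer be reached for an unauthenticated user.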