On a Grails 2.4.3 project I'm using the Spring Security Core plugin (2.0RC4) and another plugin called Feature Flipping.
All my controllers are correctly secured and authentication is working without any problems.
The "Feature flipping" plugin exposes a /admin/feature
URI which allows users to switch features through the web.
I tried to configure static rules to permit only ROLE_ADMIN
users to access this resource, but I'm still getting "Access denied" errors.
Any ideas?
My staticRules:
'/admin/**': ['ROLE_ADMIN']
SpringSecurity debug log:
2014-10-28 17:15:47,805 [http-bio-8080-exec-4] DEBUG matcher.AntPathRequestMatcher - Request '/admin/features' matched by universal pattern '/**'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /admin/features at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@2116e65: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@2116e65: Principal: [REDACTED].security.UserDetails@f9520f8b: Username: pygillier; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 7FF242941B7F95FD17E97D8611B3A5CF; Granted Authorities: ROLE_ADMIN, ROLE_USER'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /admin/features at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /admin/features at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /admin/features at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /admin/features at position 5 of 8 in additional filter chain; firing Filter: 'GrailsRememberMeAuthenticationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /admin/features at position 6 of 8 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /admin/features at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /admin/features at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-10-28 17:15:47,807 [http-bio-8080-exec-4] DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /admin/features; Attributes: [_DENY_]
_DENY_. What is your configuration setting for securityConfigType? If you have none, the plugin will default to annotations, not the static rule map. You will need to specify that you would like to use the map. – rmlan

securityConfigType.Annotation (the default) – Pierre-Yves Gillier
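The switch rmlan describes, as an added Config.groovy illustration for Spring Security Core 2.0 (not the asker's or the plugin's own configuration): the map-less default beside the explicit static-map mode, which puts the ROLE_ADMIN rule for the feature-switching UI in `interceptUrlMap`. The `/login` and `/logout` entries and the catch-all rule are assumptions about the rest of the application.

```groovy
// grails-app/conf/Config.groovy

// Weak form: securityConfigType is not set, so the plugin runs in its
// default "Annotation" mode and the admin URL is decided by controller
// annotations; an unmatched URL falls through to the _DENY_ attribute
// seen in the debug log (rejectIfNoRule is true by default in 2.0).
//
// grails.plugin.springsecurity.staticRules = [
//     '/admin/**': ['ROLE_ADMIN']
// ]

// Corrected form: select the static map explicitly and express the
// rules in interceptUrlMap. Entries are matched in order, first match
// wins, so the specific admin rule comes before the catch-all.
grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugin.springsecurity.interceptUrlMap = [
    '/admin/**':  ['ROLE_ADMIN'],        // feature switching UI: admins only
    '/login/**':  ['permitAll'],         // assumed login endpoint
    '/logout/**': ['permitAll'],         // assumed logout endpoint
    '/**':        ['isAuthenticated()']  // assumed catch-all; without one,
                                         // unmatched URLs are still denied
]
```

After changing the mode, a request to /admin/features by a user holding ROLE_ADMIN should log `Attributes: [ROLE_ADMIN]` at FilterSecurityInterceptor instead of `[_DENY_]`.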