0
votes

I'm following the tutorials to use springsecurity authentication plugin. I am using grails version 2.3.8 and spring-security-core:2.0-RC2. It worked as expected to create the HelloWorld controller with the Secured annotation:

package basicauthdemo

import grails.plugin.springsecurity.annotation.Secured

class HelloController {
    // Only users holding ROLE_USER may reach this action; everyone else is sent to the login page
    @Secured(['ROLE_USER'])
    def index() {
        render "Hello World"
    }
}

and then be presented with a login screen.

My question is that when I created another controller without the @Secured annotation, I still get the login screen when navigating to that controller. Spring Security is now in charge of all access to my controllers, as I can see from the filter-mapping in the generated web.xml:

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

How do I tell the plugin to allow open access to some controllers and not others? I thought that this would be determined by the presence of the @Secured annotation, but that only defines the roles with permission for the controller.

1

1 Answer

2
votes

According to the documentation for the Spring Security Core plugin, the default behavior is pessimistic lockdown:

... then any URL that has no request mappings (an annotation, entry in controllerAnnotations.staticRules or interceptUrlMap, or a Requestmap instance) will be denied to all users.

I highly recommend reading that particular section of the documentation to see how to configure the plugin for your use. Typically this will be modifying the default value of rejectIfNoRule and configuring the appropriate staticRules.
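As an added illustration (not code from the question or the answer above), here is a grails-app/conf/Config.groovy fragment in the plugin's 2.0 syntax that keeps the pessimistic lockdown and opens only an explicit allow-list of URLs; the '/public/**' pattern is an assumed name for the controller that should need no login.

```groovy
// grails-app/conf/Config.groovy  (Spring Security Core 2.0.x map-style staticRules)

// Keep the default: any URL with no matching rule is denied.
// Flipping this to false would silently expose every controller that
// nobody remembered to annotate, including controllers added later.
grails.plugin.springsecurity.rejectIfNoRule = true

// Paired with rejectIfNoRule = true in the plugin's pessimistic-lockdown
// setup so that URLs mapped to 'permitAll' are actually let through.
grails.plugin.springsecurity.fii.rejectPublicInvocations = false

// Explicit allow-list of URLs reachable without authentication.
// Keys are URL patterns, values are lists of expressions or role names.
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':               ['permitAll'],
    '/index':          ['permitAll'],
    '/index.gsp':      ['permitAll'],
    '/assets/**':      ['permitAll'],
    '/**/js/**':       ['permitAll'],
    '/**/css/**':      ['permitAll'],
    '/**/images/**':   ['permitAll'],
    '/**/favicon.ico': ['permitAll'],
    '/public/**':      ['permitAll']   // assumed: the controller that needs no login
]
// HelloController keeps its @Secured(['ROLE_USER']) annotation; every other
// controller without a rule stays locked down, which is the safe default.
```

Alternatively the open controller can carry @Secured('permitAll') itself, which the plugin evaluates like a staticRules entry; either way, prefer listing what is public over setting rejectIfNoRule to false.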