4
votes

I want all users to be authenticated before accessing my application. Following is the setting in Config.groovy:

grails.plugin.springsecurity.controllerAnnotations.staticRules=[
    "/**": ["ROLE_ADMIN"],
    "/login/auth": ["permitAll"]
]

The reason I put "/login/auth": ["permitAll"] is that any user can have a chance to log in and be authenticated. However, when I access http://localhost:8080/myapp/, it redirects to http://localhost:8080/myapp/login/auth and throws the error: The page isn't redirecting properly. Can you please advise what mistake I have committed here?

3
Take a look at @monksy's reply - this I think is the correct solution if you want to use the Secured annotation. - homaxto

3 Answers

5
votes

First, you must tell Spring Security what type of mapping you will use.

grails.plugins.springsecurity.securityConfigType = 'InterceptUrlMap'

Second, 'permitAll' changed to 'IS_AUTHENTICATED_ANONYMOUSLY'. Third, if Spring Security finds /**, it doesn't look at any other rule below that line. So your code must look like this:

grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap
grails.plugins.springsecurity.interceptUrlMap = [
    "/login/auth": ["permitAll"],
    "/**": ["ROLE_ADMIN"]
]

2
votes

TrongBang and Koloritnij are on the right track. But they're not completely correct in the context of your question. They're suggesting that you switch to a different authentication setup. (That will work, but it doesn't solve the problem in the context of your setup.)

If you wish to keep the annotations, you're going to have to call out the controller that OAuth uses.

'/springSecurityOAuth/**': ['permitAll']

The plugin maps that controller path, but the static rules still interpret the controller and methods from that. It took some digging for me to find this out. I had the same issue as you, and I blogged about it (the post includes some of the details about how the Spring Security OAuth plugin works).

http://theexceptioncatcher.com/blog/2015/04/spring-security-oauth-the-missing-instructions/

0
votes

The solution from Koloritnij is correct. However, it threw the following error when using SecurityConfigType.InterceptUrlMap:

ERROR: the 'securityConfigType' property must be one of
'Annotation', 'Requestmap', or 'InterceptUrlMap' or left unspecified
to default to 'Annotation'; setting value to 'Annotation'

I have changed it to 'InterceptUrlMap' only and it worked:

grails.plugins.springsecurity.securityConfigType = 'InterceptUrlMap'
grails.plugins.springsecurity.interceptUrlMap = [
    "/login/auth": ["permitAll"],
    "/**": ["ROLE_ADMIN"]
]
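
The rule ordering that the first and third answers depend on can be checked offline. The following is an added example, not code from any answer or from the plugin: it assumes an ordered map where the first matching pattern wins, uses a simplified Ant-style matcher, and all function names are hypothetical.

```python
import re

# Attributes that let an unauthenticated request through (both appear in the answers above).
ANONYMOUS = {"permitAll", "IS_AUTHENTICATED_ANONYMOUSLY"}

def ant_to_regex(pattern):
    """Simplified Ant-style matching: '**' crosses path segments, '*' stays inside one."""
    body = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile(body + r"\Z")

def first_match(rules, url):
    """Return (pattern, attrs) of the first rule matching url; order is significant."""
    for pattern, attrs in rules:
        if ant_to_regex(pattern).match(url):
            return pattern, attrs
    return None, []  # assumption: no matching rule is treated as denied

def anonymous_request(rules, url, login_url="/login/auth", max_hops=5):
    """Follow login redirects for an unauthenticated client; return (hops, outcome)."""
    hops = [url]
    for _ in range(max_hops):
        _, attrs = first_match(rules, hops[-1])
        if ANONYMOUS & set(attrs):
            return hops, "served"
        hops.append(login_url)  # access denied, so the client is sent to the login form
    return hops, "redirect loop"

def shadowed_rules(rules):
    """Patterns whose own literal path is already claimed by an earlier rule."""
    shadowed = []
    for pattern, _ in rules:
        sample = pattern.replace("**", "x").replace("*", "x")  # concrete URL for this pattern
        winner, _ = first_match(rules, sample)
        if winner != pattern:
            shadowed.append((pattern, winner))
    return shadowed

# Constructed inputs: the two rules from the question, in both orders.
BROAD_FIRST = [("/**", ["ROLE_ADMIN"]), ("/login/auth", ["permitAll"])]
SPECIFIC_FIRST = [("/login/auth", ["permitAll"]), ("/**", ["ROLE_ADMIN"])]

if __name__ == "__main__":
    for name, rules in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, anonymous_request(rules, "/"), shadowed_rules(rules))
```

With the broad rule first, the login page itself demands ROLE_ADMIN, which is the browser's "not redirecting properly" loop; with the specific rule first, the anonymous client reaches the login form after one redirect.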