I have a Grails app that uses the Spring Security plugin and the Spring Security REST plugin. Normal login works, and I get a token in the response when my credentials are correct. When I then try to access a controller and pass the token in the header, I get a 403 Forbidden response. Authentication itself seems to work, because when I change the token I get a 401 Not Authorized instead.
config.groovy
// Spring Security Core and Spring Security REST settings (originally added by the
// Spring Security Core plugin), grouped into one nested block. Each key below
// still resolves to grails.plugin.springsecurity.<path>.
grails {
    plugin {
        springsecurity {
            // Domain classes that back users, roles and the user/role join table.
            userLookup {
                userDomainClassName = 'usermanagement.User'
                authorityJoinClassName = 'usermanagement.UserRole'
            }
            authority.className = 'usermanagement.Role'

            // Static URL rules. Only the landing page and static assets are listed;
            // nothing here matches /api/**, so access to API URLs is decided by
            // other rules (for example @Secured annotations on the controllers).
            // NOTE(review): if rejectIfNoRule is enabled for the plugin version in
            // use, a URL that resolves to no rule at all is denied, and for an
            // authenticated caller that surfaces as 403 - confirm.
            // A catch-all permitAll pattern would make every URL public; a rule
            // scoped to the specific API paths keeps the rest protected.
            controllerAnnotations.staticRules = [
                '/'              : ['permitAll'],
                '/index'         : ['permitAll'],
                '/index.gsp'     : ['permitAll'],
                '/assets/**'     : ['permitAll'],
                '/**/js/**'      : ['permitAll'],
                '/**/css/**'     : ['permitAll'],
                '/**/images/**'  : ['permitAll'],
                '/**/favicon.ico': ['permitAll']
            ]

            // Filter chains per URL pattern; a leading '-' drops that filter from
            // JOINED_FILTERS. The narrower '/api/**' entry is declared before the
            // '/**' entry (presumably matched in declaration order - keep it first).
            // Only the '/api/**' chain keeps restTokenValidationFilter, so the token
            // header is only honoured for URLs under /api/.
            filterChain.chainMap = [
                '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter', // Stateless chain
                '/**'    : 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter' // Traditional chain
            ]

            rest {
                // Token-issuing login endpoint: JSON body with "username" and
                // "password", HTTP 401 on bad credentials.
                login {
                    active = true
                    endpointUrl = '/api/login'
                    failureStatusCode = 401
                    useJsonCredentials = true
                    usernamePropertyName = "username"
                    passwordPropertyName = "password"
                }
                logout.endpointUrl = '/api/logout'

                token {
                    // Clients present the token in the X-Auth-Token request header.
                    validation {
                        activated = true
                        headerName = 'X-Auth-Token'
                    }
                    // Issued tokens are persisted through GORM in the domain class
                    // named below. These rows are bearer credentials.
                    // NOTE(review): confirm how stale tokens are expired or purged
                    // for this storage type.
                    storage {
                        useGorm = true
                        gorm {
                            tokenDomainClassName = 'rest.auth.AuthenticationToken'
                            tokenValuePropertyName = 'tokenValue'
                            usernamePropertyName = 'username'
                        }
                    }
                }
            }
        }
    }
}
DailyBookingRESTController.groovy
import grails.plugin.springsecurity.annotation.Secured
/**
 * Minimal controller used to check that a request reaches an action.
 *
 * The class-level annotation applies 'permitAll' to every action declared here,
 * so the annotation itself demands no role from the caller.
 * NOTE(review): a 403 on this controller therefore presumably comes from a
 * different rule, or from the request URL not being resolved to this class -
 * confirm against the URL mappings and static rules.
 * NOTE(review): 'permitAll' looks like a debugging setting; a controller that
 * serves booking data should list the roles it requires.
 */
@Secured(value = ['permitAll'])
class DailyBookingRESTController {

    /** Default action: renders the literal text "hi" as the response. */
    def index() {
        render("hi")
    }
}
urlMapping:
// URL-to-controller mappings for the application.
class UrlMappings {
    static mappings = {
        // Convention-based mapping: /<controller>/<action>/<id> with an optional
        // format suffix. Every controller is reachable by its logical name through
        // this pattern, in addition to any explicit path declared below.
        // NOTE(review): that presumably includes dailyBookingREST at a path outside
        // /api/ - confirm that the security rules cover both paths.
        "/$controller/$action?/$id?(.$format)?"{
            constraints {
                // apply constraints here
            }
        }
        // NOTE(review): same pattern as the mapping above, without a constraints
        // block - looks redundant; confirm before removing.
        "/$controller/$action?/$id?(.$format)?"()
        // Root URL renders the /index view.
        "/"(view:"/index")
        // Response code 500 renders the /error view.
        "500"(view:'/error')
        // REST resource mapping: /api/dailyBookings is served by the
        // dailyBookingREST controller.
        "/api/dailyBookings"(resources: "dailyBookingREST")
    }
}
I appreciate any help!
In application.yml: `'/**/**': ['permitAll']` - IgniteCoders