Grails Spring Security plugin and GSP tags not working

1
votes

I am new to Grails, so probably I am making something wrong, but maybe you can help me to figure it out. So I have this simple Grails application with Spring Security plugin working fine I think. The problem is, that on GSP page Spring Security tags are not showing information I am expecting, example scenario:

  1. I have /basket/placeOrder endpoint secured, so when I hit it from browser it shows me login page.

  2. I log in using correct credentials, and it forwards me to expected page (so looks like authentication is successful)

  3. When in one of my controllers I use println springSecurityService.currentUser.email it prints correct data on the console.

  4. But Then I try to use on GSP for example:

    < sec:ifNotLoggedIn> NOT LOGGED < /sec:ifNotLoggedIn>

    It shows NOT LOGGED. Same if I try to retrieve some user info using for example <sec:loggedInUserInfo field="email" /> it doesn't show any string. Just like Spring Security is not bind with GSP.

I am doing something wrong? Missing some configuration? Thanks.

EDIT

When I looked into SecurityTagLib ifNotLoggedIn function it uses springSecurityService.isLoggedIn(). When I call the same from controller it returns expected result. When I print session in both controller and GSP, it is all the same:

SPRING_SECURITY_CONTEXT = org.springframework.security.core.context.SecurityContextImpl@46b66c80: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@46b66c80: Principal: grails.plugin.springsecurity.userdetails.GrailsUser@611913a: Username: kamil; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@43458: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: AAB2217ABEE7EAF752573D44914B0005; Granted Authorities: ROLE_ADMIN

I managed to run my app on debug, and it gets even more weird. First my breakpoint on controller showed SpringSecurityService object and it has value currentUser set properly. Then, the same request still processing hit my breakpoint set in SecurityTagLib (grails is just following flow controller->rendering) which has THE SAME SpringSecurityService object (which means it is the same bean, no duplicate etc.) but it is just missing all user data. Weird!

Something must be wrong, but have no idea what...

1
grailsspring-securitygsp

1 Answers

1
votes

Let me answer my own question, because I found what the issue was. If everything in code (eyes and debugger) looked fine, I started checking my config because it was the only place that could cause some unexpected issues like this and it was a bullseye. I started wondering if spring security filters defined in application.groovy were not causing those issues and it came out that it was the case.

I was using @Secured annotation for one of the actions (secured ROLE_ADMIN) in controller which when called were redirecting to some other action (filter 'none' in app config). When I removed filters from config and used annotation (@Secured(['permitAll'] for paths which were previously configured in app config with filter 'none') it magicaly started working. I don't have enough experience in Grails and Spring Security plugin, so I don't know exactly why it was causing issues, so if anyone has any clue what the exact issue is - please share. I am only assuming that mixing app config filters and annotations didn't work for me in that case.