grails spring security rest /api/login 401 Unauthorized

2
votes

I have configured a Grails(2.3.7) app using spring-security-core:2.0.0 + spring-security-rest:1.4.1 plugins in order to have two auth types, a statefull auth for web and one for mobile using tokens(stateless). All good, basic http auth is working well. Trying to get authenticated using POSTMAN rest client to http://localhost:8080/api/login having username and password in the request payload i get 401 Unauthorized , I'm not able to understand why?What is missing from below configuration? Any help is highly appreciated. I tried as well with spring-security-rest:1.5.0 but i got the same result, 401.

BuildConfig.groovy

 plugins {
   ...
    compile ":spring-security-core:2.0.0"
    compile ":spring-security-rest:1.4.1", {
        excludes ('spring-security-core')
    }
...
}

Config.groovy

   / Added by the Spring Security Core plugin:
grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/general'
grails.plugin.springsecurity.userLookup.userDomainClassName = 'org.sali.Users.SecUser'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'org.sali.Users.SecUserSecRole'
grails.plugin.springsecurity.authority.className = 'org.sali.Users.SecRole'
grails.plugin.springsecurity.securityConfigType = "Annotation"

grails.plugin.springsecurity.roleHierarchy = '''
    ROLE_ADMIN > ROLE_OPERATOR
'''
grails.plugin.springsecurity.useSwitchUserFilter = true

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        '/j_spring_security_switch_user': ['permitAll'],
        '/api/**': ['permitAll']
]


grails.plugin.springsecurity.filterChain.chainMap = [
        //'/api/**': 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter',// Stateless chain
        '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter',
        '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter',                                          // Traditional chain
]
//gorm
grails.plugin.springsecurity.rest.token.storage.useGorm = true
grails.plugin.springsecurity.rest.token.storage.gorm.tokenDomainClassName = 'org.sali.Rest.AuthenticationToken'
grails.plugin.springsecurity.rest.token.storage.gorm.tokenValuePropertyName = 'token'
grails.plugin.springsecurity.rest.token.storage.gorm.usernamePropertyName = 'username'


//login
grails.plugin.springsecurity.rest.login.active=true
grails.plugin.springsecurity.rest.login.useJsonCredentials = true
grails.plugin.springsecurity.rest.login.failureStatusCode = 401
grails.plugin.springsecurity.rest.login.usernamePropertyName = 'username'
grails.plugin.springsecurity.rest.login.passwordPropertyName='password'
grails.plugin.springsecurity.rest.login.endpointUrl='/api/login'
grails.plugin.springsecurity.rest.login.useRequestParamsCredentials = false

//logout
grails.plugin.springsecurity.rest.logout.endpointUrl='/api/logout'

//token generation
grails.plugin.springsecurity.rest.token.generation.useUUID=false
grails.plugin.springsecurity.rest.token.generation.useSecureRandom=true

//token rendering
grails.plugin.springsecurity.rest.token.rendering.usernamePropertyName='username'
grails.plugin.springsecurity.rest.token.rendering.authoritiesPropertyName='roles'
grails.plugin.springsecurity.rest.token.rendering.tokenPropertyName='token'

//token validate
grails.plugin.springsecurity.rest.token.validation.useBearerToken = true

//if disable 'Bearer', you can configure a custom header.
//grails.plugin.springsecurity.rest.token.validation.useBearerToken = false
//grails.plugin.springsecurity.rest.token.rendering.tokenPropertyName   access_token
//grails.plugin.springsecurity.rest.token.validation.headerName = 'x-auth-token'
grails.plugin.springsecurity.rest.token.validation.active=true
grails.plugin.springsecurity.rest.token.validation.endpointUrl='/api/validate'



//grails.plugin.springsecurity.rest.token.validation.headerName = 'X-Auth-Token'
//grails.plugin.springsecurity.rest.token.validation.useBearerToken = false

//grails.plugin.springsecurity.password.algorithm = 'SHA-256'
//grails.plugin.springsecurity.password.hash.iterations = 1

//cors

cors.enabled=true
cors.url.pattern = '/api/*'
cors.headers=[
        'Access-Control-Allow-Origin': '*',
        'Access-Control-Allow-Credentials': true,
        'Access-Control-Allow-Headers': 'origin, authorization, accept, content-type, x-requested-with,X-Auth-Token',
        'Access-Control-Allow-Methods': 'GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS',
        'Access-Control-Max-Age': 3600
]

UrlMappings.groovy

class UrlMappings {

    static mappings = {
        "/$controller/$action?/$id?"{
            constraints {
                // apply constraints here
            }
        }

        "/"(controller: "login")
        "404"(view:'/error')
        "405"(view:'/error')
        "500"(view:'/error')
        "/login/$action?"(controller: "login")
        "/logout/$action?"(controller: "logout")

    }
}

Any ideas are very welcomed. Thx

2
grailsspring-securitygrails-pluginhttp-status-code-401spring-rest
I think first you should put a breakpoint in your controller to check if the request actually reached there or not.Ankit Agrawal
What controller do you mean?As I know spring security rest plugin expose himself this /api/login for auth. Even if i put a breakpoint, as you said, it will not be reached.user226578
Your configuration seems to be correct. If I am not wrong, in case the login fails, server is going to respond with a 401 error code due to this configuration - grails.plugin.springsecurity.rest.login.failureStatusCode = 401 . Break point's idea was to confirm that request reached to the backend code and there is nothing wrong with the filters for that particular url.Ankit Agrawal
It would also be useful if you enable logs for grails.plugin.springsecurity and org.springframework. This link would help you to enable logs.Ankit Agrawal
that's a good idea. i'm just wondering...the 401 could be caused by the filters from chainMap, should i add something in UrlMappings in order to expose and enable the /api/login? I'm sure I'm missing something in configuration.user226578

2 Answers

0
votes

After adding these in Config.groovy in worked:

grails.plugin.springsecurity.password.algorithm = 'SHA-256'
grails.plugin.springsecurity.password.hash.iterations = 1
0
votes

If someone else still looking for a solution to this, and tried the rules with no luck, check if the classes are correct:

grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.site.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.site.UserRole'
grails.plugin.springsecurity.authority.className = 'com.site.Role'

In my case, I had the class com.site.User and I had set up com.site.user.User, which generated this problem!

Ref: https://github.com/alvarosanchez/grails-spring-security-rest/issues/181#issuecomment-82260495