0
votes

I am trying to use the Spring Security plugin 3.2.1 with Grails 3.3.5.

Below are my static rules in application.groovy:

[pattern: '/error',          access: ['permitAll']],
[pattern: '/index',          access: ['permitAll']],
[pattern: '/index.gsp',      access: ['permitAll']],
[pattern: '/shutdown',       access: ['permitAll']],
[pattern: '/assets/**',      access: ['permitAll']],
[pattern: '/fonts/**',       access: ['permitAll']],
[pattern: '/**/js/**',       access: ['permitAll']],
[pattern: '/**/css/**',      access: ['permitAll']],
[pattern: '/**/images/**',   access: ['permitAll']],
[pattern: '/**/favicon.ico', access: ['permitAll']],
[pattern: '/user/**',        access: 'ROLE_USER'],
[pattern: '/admin/**',       access: ['ROLE_ADMIN', 'isFullyAuthenticated()']],
[pattern: '/inputParam/chipInput/', access: 'isAuthenticated()', httpMethod: 'PUT']

grails.plugin.springsecurity.filterChain.chainMap = [
[pattern: '/assets/**',      filters: 'none'],
[pattern: '/**/js/**',       filters: 'none'],
[pattern: '/**/css/**',      filters: 'none'],
[pattern: '/**/images/**',   filters: 'none'],
[pattern: '/**/favicon.ico', filters: 'none']
]

But it still allows access to the user and /inputParam/chipInput/ pages without login. I already have @Secured('ROLE_USER') annotations in both controllers. What am I doing wrong?

1
Try using [pattern: '/inputParam/chipInput/', access: 'ROLE_USER'] - elixir
So I have a "/" { controller = "InputParam" action = "main" } mapping in the UrlMappings file. Does that affect the mappings in here? - SnehalP
No, it shouldn't - elixir

1 Answer

0
votes

It seems to me that the pattern may not be correct and/or the access expression is incorrect. Try changing your rule to:

[pattern: '/inputParam/chipInput', access: ["isAuthenticated() and request.getMethod().equals('PUT')"]]

See the section on expressions in the Grails Spring Security Core docs.