Ankit Gupta

Reputation: 2599

grails spring security rest plugin how to skip url from authentication

I am using the spring security rest plugin as well as core in my grails app. I want to have some calls that can be accessed without authentication, and for this I am adding @Secured('permitAll') on the action, but it is not working; it is still asking for a token. I have also tried '/api/getdata': ['permitAll'] in config.groovy, but no result!

Upvotes: 1

Views: 1658

Answers (2)

Carlos Alberto Schneider

Reputation: 5195

You need to add the anonymous filter to your filter chain. If you followed the grails spring security rest configuration tutorial you probably got the following code:

    grails.plugin.springsecurity.filterChain.chainMap = [
        //Stateless chain
        [
            pattern: '/**',
            filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
        ]
    ]

Note that you have "-anonymousAuthenticationFilter", which removes this filter from your filter chain. By removing this part (-anonymousAuthenticationFilter) from your code, this filter will be back in your filter chain, so you can use @Secured("permitAll") or @Secured(['IS_AUTHENTICATED_ANONYMOUSLY']) again.

My final filter chain map was the following and worked like a charm.

    grails.plugin.springsecurity.filterChain.chainMap = [
        //Stateless chain
        [
            pattern: '/**',
            filters: 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
        ]
    ]

Add this to your logback.groovy in the development environment when you need to see more details about the authentication process:

    logger("org.springframework.security", DEBUG, ['STDOUT'], false)
    logger("grails.plugin.springsecurity", DEBUG, ['STDOUT'], false)
    logger("org.pac4j", DEBUG, ['STDOUT'], false)

    logger("StackTrace", ERROR, ['FULL_STACKTRACE'], false)
    root(ERROR, ['STDOUT', 'FULL_STACKTRACE'])

The same idea applies if you do not use spring security rest. Same answer I gave in another post, didn't know what to do.

Upvotes: 1
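The cause described in the answer above can be checked mechanically. This Groovy script is an added example, not part of the original answers or of the plugin: it parses a constructed sample configuration and reports every permitAll / IS_AUTHENTICATED_ANONYMOUSLY rule whose first matching filter chain strips anonymousAuthenticationFilter. The helper names, the simplified Ant matcher, the list-of-maps staticRules form (Spring Security Core 3.x syntax) and the /api/orders/** rule are assumptions made for illustration.

```groovy
import java.util.regex.Pattern

// Simplified Ant-style matcher (assumption): '**' spans segments, '*' stays in one.
String antToRegex(String pattern) {
    pattern.split('/', -1).collect { String seg ->
        seg == '**' ? '.*' : seg.split('\\*', -1).collect { Pattern.quote(it) }.join('[^/]*')
    }.join('/')
}

// JOINED_FILTERS is every registered filter; a '-name' entry removes one.
boolean keepsAnonymousFilter(String filters) {
    List<String> names = filters.split(',')*.trim()
    if (names.contains('JOINED_FILTERS')) {
        return !names.contains('-anonymousAuthenticationFilter')
    }
    return names.contains('anonymousAuthenticationFilter')
}

// One finding per anonymous-access rule whose first matching chain lacks the filter.
List auditAnonymousRules(String configText) {
    def ss = new ConfigSlurper().parse(configText).grails.plugin.springsecurity
    def anonymousAccess = ['permitAll', 'IS_AUTHENTICATED_ANONYMOUSLY']
    ss.controllerAnnotations.staticRules.findResults { rule ->
        if (!rule.access.any { it in anonymousAccess }) return null
        String probe = rule.pattern.split('\\*', -1)[0]   // literal prefix used as a sample URL
        def chain = ss.filterChain.chainMap.find { probe ==~ antToRegex(it.pattern) }
        (chain && !keepsAnonymousFilter(chain.filters)) ?
            "${rule.pattern}: chain '${chain.pattern}' removes anonymousAuthenticationFilter".toString() : null
    }
}

// Constructed sample: the chain from the answer plus two illustrative rules.
def sample = '''
grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/**',
     filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter']
]
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/api/getdata',   access: ['permitAll']],
    [pattern: '/api/orders/**', access: ['ROLE_USER']]
]
'''
auditAnonymousRules(sample).each { println it }
```

Run it with the groovy command. With -anonymousAuthenticationFilter removed from the sample chain, as in the answer's final chain map, the script reports nothing.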

An Ish A

Reputation: 711

Use static mapping:

    grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        '/':                  ['permitAll'],
        '/user/someaction1':  ['permitAll'],
        '/user/someaction1':  ['permitAll'],
    ]

Upvotes: 0
