user817851

Reputation: 229

insufficient_scope error using Grails spring security rest plugin

I have a standard grails web app using spring security and I want to expose a small portion of it as a REST API using the spring-security-rest plugin (version 1.5.1). Everything seems to be set up correctly, but any request I make comes back with a 403 error saying "insufficient_scope." There is nothing about this in any of the docs, so I'm hoping someone can help. Here's my setup using Grails 2.4.4:

config.groovy:

grails.plugin.springsecurity.filterChain.chainMap = [
        '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter',  // Stateless chain
        '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'                                                                          // Traditional chain
]
grails.plugin.springsecurity.ui.register.defaultRoleNames = ['ROLE_USER']
grails.plugin.springsecurity.logout.postOnly = false

grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.luncho.UserLuncho'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.luncho.UserLunchoRole'
grails.plugin.springsecurity.authority.className = 'com.luncho.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        '/':                ['ROLE_USER'],
        '/user/create':           ['ROLE_ADMIN'],
        '/register/*':           ['permitAll'],
        '/login/*':       ['permitAll'],
        '/logout/*':       ['permitAll'],
        '/index.gsp':       ['permitAll'],
        '/plugins/**':       ['permitAll'],
        '/assets/**':       ['permitAll'],
        '/**/js/**':        ['permitAll'],
        '/**/css/**':       ['permitAll'],
        '/**/images/**':    ['permitAll'],
        '/**/favicon.ico':  ['permitAll'],
        '/restaurant/**':           ['ROLE_USER']
]

I can authenticate just fine and I do get back a bearer token. However, the following curl command (with the real token in place of "my_token") always sends back an insufficient_scope error:

curl -i http://localhost:8080/lunchoweb/api/restaurant -H "Authorization: Bearer my_token"

It's also worth noting that the controller methods are contained in a separate controller called RestaurantAPIController. Right now it's very simple:

import grails.converters.JSON

class RestaurantAPIController {
    // Returns every Restaurant as a JSON array
    def getAllRestaurants() {
        render Restaurant.findAll() as JSON
    }
}

with the URL mapping:

// REST endpoints
"/api/restaurant" {
    controller = "restaurantAPI"
    action = "getAllRestaurants"
}

What gives?

Upvotes: 2

Views: 375

Answers (1)

Raz Abramov

Reputation: 191

You don't have a reference to the '/api/**' scope here.

'/restaurant/**':           ['ROLE_USER']

should be

'/api/restaurant/**':           ['ROLE_USER']

Upvotes: 3
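To see why the answer's one-line change matters, the following Python script (added here for illustration; it is not code from the question, the answer, or either Spring Security plugin) walks the question's staticRules with an Ant-style matcher and a deny-if-no-rule policy. Two things it assumes are labelled in the comments: first-match-wins lookup, and `rejectIfNoRule` being true, which is the 2.x core plugin's default. An HTTP 403 with `error="insufficient_scope"` is, per RFC 6750, the bearer-token way of saying "token accepted, but this request is not authorized", so the interesting question is which rule (if any) the URL `/api/restaurant` hit.

```python
"""Ant-style rule lookup over the question's staticRules (illustration, not the plugin's code)."""
import fnmatch

# The question's staticRules, transcribed as (pattern, attributes). No entry covers /api/...
RULES_BEFORE = [
    ('/',                ['ROLE_USER']),
    ('/user/create',     ['ROLE_ADMIN']),
    ('/register/*',      ['permitAll']),
    ('/login/*',         ['permitAll']),
    ('/logout/*',        ['permitAll']),
    ('/index.gsp',       ['permitAll']),
    ('/plugins/**',      ['permitAll']),
    ('/assets/**',       ['permitAll']),
    ('/**/js/**',        ['permitAll']),
    ('/**/css/**',       ['permitAll']),
    ('/**/images/**',    ['permitAll']),
    ('/**/favicon.ico',  ['permitAll']),
    ('/restaurant/**',   ['ROLE_USER']),
]

# The same map with the answer's fix applied: the API path gets its own rule.
RULES_AFTER = RULES_BEFORE + [('/api/restaurant/**', ['ROLE_USER'])]


def ant_match(pattern, path):
    """Ant-style match: '*' and '?' work inside one path segment, '**' spans zero or more segments."""
    return _match(pattern.strip('/').split('/'), path.strip('/').split('/'))


def _match(pat, segs):
    if not pat:
        return not segs                      # pattern exhausted: only a fully consumed path matches
    head, rest = pat[0], pat[1:]
    if head == '**':
        # Let '**' swallow 0..n segments, so '/api/restaurant/**' also matches '/api/restaurant'
        return any(_match(rest, segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    return fnmatch.fnmatchcase(segs[0], head) and _match(rest, segs[1:])


def find_rule(url, rules):
    """Return the attributes of the first rule matching url, or None (assumption: first match wins)."""
    for pattern, attrs in rules:
        if ant_match(pattern, url):
            return attrs
    return None


def authorize(url, granted_roles, rules, reject_if_no_rule=True):
    """Decide (allowed, reason) the way a deny-by-default rule map would.

    reject_if_no_rule=True mirrors the core plugin's rejectIfNoRule default (assumed here).
    """
    attrs = find_rule(url, rules)
    if attrs is None:
        return (not reject_if_no_rule, 'no rule matched')
    if 'permitAll' in attrs:
        return (True, 'permitAll')
    if set(attrs) & set(granted_roles):
        return (True, 'role granted')
    return (False, 'role missing: need one of ' + ','.join(attrs))


if __name__ == '__main__':
    # A registered user carries ROLE_USER (the question's defaultRoleNames setting)
    for rules, label in ((RULES_BEFORE, 'before fix'), (RULES_AFTER, 'after fix')):
        print(label, authorize('/api/restaurant', ['ROLE_USER'], rules))
```

Running it shows `('/api/restaurant', before fix)` ending in `no rule matched`, i.e. a deny for an otherwise valid token, and `role granted` once `/api/restaurant/**` is present. Keeping deny-by-default and adding an explicit rule for every API path is the safe direction; switching `rejectIfNoRule` off would silence the 403 but open every unmapped URL.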
