Grails 3 Spring Security application.yml

Question

For some reason my staticRules are not applied.

Adding the "org.grails.plugins:spring-security-core:3.0.0.M1" plugin and executing

grails s2-quickstart com.testapp User Role

successfully created the Role User and UserRole Domains. Also an application.groovy file with some settings was created.

But I am using an application.yml file to configure my app. So I moved the properties to my application.yml and deleted the .groovy file.

For some reason the staticRules are not applied. Maybe there is a syntax error.

---
grails:
    plugin:
        springsecurity:
            userLookup:
                userDomainClassName: 'User'
                authorityJoinClassName: 'UserRole'
            authority:
                className: 'Role'
            apf:
                postOnly: false
            password:
                algorithm: 'bcrypt'
            controllerAnnotations:
                staticRules:
                    /: permitAll
                    /error: permitAll
                    /index: permitAll
                    /index.gsp: permitAll
                    /shutdown: permitAll
                    /assets/**: permitAll
                    /**/js/**: permitAll
                    /**/css/**: permitAll
                    /**/images/**: permitAll
                    /**/favicon.ico: permitAll
    mime:
        disable:
            accept:
                header:
                    userAgents:
    ...

I have tried multiple variants like

'/': 'permitAll'
/: 'permitAll'

But everytime I open localhost:8080/ i am prompted to login!

Answer 1

The new Spring security configuration in YML looks like this:

---
grails:
  plugin:
    springsecurity:
      userLookup.userDomainClassName: 'org...User'
      userLookup.authorityJoinClassName: 'org...UserRole'
      authority.className: 'org...Role'
      controllerAnnotations.staticRules:
        - pattern: '/'
          access: ['permitAll']
        - pattern: '/index'
          access: ['permitAll']
        - pattern: '/index.gsp'
          access: ['permitAll']
        - pattern: '/error'
          access: ['permitAll']
        - pattern: '/user/denied'
          access: ['permitAll']
        - pattern: '/assets/**'
          access: ['permitAll']
        - pattern: '/**/js/**'
          access: ['permitAll']
        - pattern: '/**/css/**'
          access: ['permitAll']
        - pattern: '/**/images/**'
          access: ['permitAll']
        - pattern: '/**/favicon.ico'
          access: ['permitAll']

For testing purposes (to ensure that this configuration works) permit all on top of all static rules, but be sure to remove it later:

- pattern: '/**'
      access: ['permitAll']