 

Grails Spring Security Static Rules

I want all users to be authenticated before accessing my application. Following is the setting in Config.groovy:

grails.plugin.springsecurity.controllerAnnotations.staticRules=[
    "/**": ["ROLE_ADMIN"],
    "/login/auth": ["permitAll"]
]

The reason I put "/login/auth": ["permitAll"] is that any user can have a chance to log in and be authenticated. However, when I access http://localhost:8080/myapp/, it redirects to http://localhost:8080/myapp/login/auth and throws the error: The page isn't redirecting properly. Can you please advise what mistake I have committed here?

TrongBang asked Mar 17 '23 17:03


2 Answers

First, you must tell Spring Security what type of mapping you will use.

grails.plugins.springsecurity.securityConfigType = 'InterceptUrlMap'

Second, 'permitAll' changed to 'IS_AUTHENTICATED_ANONYMOUSLY'. And third, if Spring Security finds /**, it doesn't look at the other rules below that line. So your code must be like this:

grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap
grails.plugins.springsecurity.interceptUrlMap = [
    "/login/auth": ["permitAll"],
    "/**": ["ROLE_ADMIN"]
]
Koloritnij answered Apr 02 '23 14:04
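
The ordering point in the answer above, as an added example (not code from the answer or from the plugin): a simplified Groovy model of first-match rule evaluation that flags rules shadowed by an earlier wildcard and checks that the login URL stays reachable without authentication. The helper names are hypothetical, and only exact patterns and a trailing /** are modelled.

```groovy
// Added illustration: simplified first-match model, not the plugin's matcher.
// Only exact patterns and a trailing "/**" wildcard are handled.
String base(String pattern) {
    pattern.endsWith('/**') ? pattern.substring(0, pattern.length() - 3) : pattern
}

boolean matches(String pattern, String url) {
    if (!pattern.endsWith('/**')) return pattern == url
    String prefix = base(pattern)
    url == prefix || url.startsWith(prefix + '/')
}

// Access tokens of the first rule (in map order) whose pattern matches the URL.
List<String> firstMatch(Map<String, List<String>> rules, String url) {
    rules.find { pattern, tokens -> matches(pattern, url) }?.value
}

// Patterns that can never be selected because an earlier wildcard covers them.
List<String> shadowed(Map<String, List<String>> rules) {
    List<String> seen = []
    List<String> dead = []
    rules.keySet().each { pattern ->
        if (seen.any { it.endsWith('/**') && matches(it, base(pattern)) }) dead << pattern
        seen << pattern
    }
    dead
}

// If the login URL resolves to a role requirement, an unauthenticated request
// is redirected to a page that is itself protected: a redirect loop.
boolean loginReachable(Map<String, List<String>> rules, String loginUrl) {
    def tokens = firstMatch(rules, loginUrl) ?: []
    tokens.any { it in ['permitAll', 'IS_AUTHENTICATED_ANONYMOUSLY'] }
}

// Constructed rule maps mirroring the two orderings shown on this page.
def catchAllFirst = ['/**': ['ROLE_ADMIN'], '/login/auth': ['permitAll']]
def specificFirst = ['/login/auth': ['permitAll'], '/**': ['ROLE_ADMIN']]

assert firstMatch(catchAllFirst, '/login/auth') == ['ROLE_ADMIN']
assert shadowed(catchAllFirst) == ['/login/auth']
assert !loginReachable(catchAllFirst, '/login/auth')

assert shadowed(specificFirst) == []
assert loginReachable(specificFirst, '/login/auth')
assert firstMatch(specificFirst, '/') == ['ROLE_ADMIN']
```

Running the same two checks against a real rule map before deployment catches both the redirect loop and any rule that silently never applies.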


TrongBang and Koloritnij are on the right track. But they're not completely correct in the context of your question. They're suggesting that you switch to a different authentication setup. (That will work, but it doesn't solve the problem in the context of your setup.)

If you wish to keep the annotations, you're going to have to call out the controller that OAuth uses.

'/springSecurityOAuth/**': ['permitAll']

The plugin maps that controller path, but the static rules still interpret the controller and methods from that. It took some digging for me to find this out. I had your same issue, and I blogged about this (and it includes some of the details about how the Spring Security OAuth plugin works).

http://theexceptioncatcher.com/blog/2015/04/spring-security-oauth-the-missing-instructions/

monksy answered Apr 02 '23 16:04