Grails: disable Spring Security Core on certain paths

Question

How do I set up Spring Security Core in a way that calls to a certain pattern (such as /api/**) are not filtered?

grails.plugins.springsecurity.filterChain.chainMap = [
'/api/**': '',
'/**': 'JOINED_FILTERS',
]

doesn't work, since it will try to resolve the bean ''.

Is there anything other than the nasty workaround with 'JOINED_FILTERS,-filter1,-filter2,...'

How are static resources being excluded from Spring Security?

Answer 1

You need to add the anonymous filter to your filter chain. If you followed the grails spring security rest configuration tutorial you probably got the following code:

grails.plugin.springsecurity.filterChain.chainMap = [
    //Stateless chain
    [
        pattern: '/**',
        filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ]
]

Note that you have "-anonymousAuthenticationFilter" , which removes this filter from your filter chain. By removing this part (-anonymousAuthenticationFilter) from your code, this filter will back to your filter chain, so you can use the @Secured("permitAll") or @Secured(['IS_AUTHENTICATED_ANONYMOUSLY']) again.

My final filter chain map was the following and worked like a charm.

grails.plugin.springsecurity.filterChain.chainMap = [
    //Stateless chain
    [
        pattern: '/**',
        filters: 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ]
]

Add this to you logback.groovy in the development environment when you need to see more details about the authentication process

logger("org.springframework.security", DEBUG, ['STDOUT'], false)
logger("grails.plugin.springsecurity", DEBUG, ['STDOUT'], false)
logger("org.pac4j", DEBUG, ['STDOUT'], false)

logger("StackTrace", ERROR, ['FULL_STACKTRACE'], false)
root(ERROR, ['STDOUT', 'FULL_STACKTRACE'])

The same idea applies if you do not use spring security rest.

Answer 2

You can implement a simple non-authentication filter::

class NonAuthenticationFilter  extends GenericFilterBean {

    void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);
    }
}

Define it in resources.groovy:

beans = {
    nonAuthFilter(NonAuthenticationFilter)
}

And configure your url pattern:

grails.plugins.springsecurity.filterChain.chainMap = [
    '/api/**': 'nonAuthFilter',
    '/**': 'JOINED_FILTERS',
]
grails.plugins.springsecurity.interceptUrlMap = [
    '/api/**': ['IS_AUTHENTICATED_ANONYMOUSLY']
]

Answer 3

grails.plugin.springsecurity.interceptUrlMap = [
    '/api/**': ['IS_AUTHENTICATED_ANONYMOUSLY']
]

this is not enough, it should be added with this line :

grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"

NOTE :

Previous versions:

   grails.plugins.springsecurity.*

New version :

  grails.plugin.springsecurity.*//plugin without s