Grails: disable Spring Security Core on certain paths

Question

How do I set up Spring Security Core in a way that calls to a certain pattern (such as /api/**) are not filtered?

grails.plugins.springsecurity.filterChain.chain         


        

Answer 1

You need to add the anonymous filter to your filter chain. If you followed the grails spring security rest configuration tutorial you probably got the following code:

grails.plugin.springsecurity.filterChain.chainMap = [
    //Stateless chain
    [
        pattern: '/**',
        filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ]
]

Note that you have "-anonymousAuthenticationFilter" , which removes this filter from your filter chain. By removing this part (-anonymousAuthenticationFilter) from your code, this filter will back to your filter chain, so you can use the @Secured("permitAll") or @Secured(['IS_AUTHENTICATED_ANONYMOUSLY']) again.

My final filter chain map was the following and worked like a charm.

grails.plugin.springsecurity.filterChain.chainMap = [
    //Stateless chain
    [
        pattern: '/**',
        filters: 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ]
]

Add this to you logback.groovy in the development environment when you need to see more details about the authentication process

logger("org.springframework.security", DEBUG, ['STDOUT'], false)
logger("grails.plugin.springsecurity", DEBUG, ['STDOUT'], false)
logger("org.pac4j", DEBUG, ['STDOUT'], false)

logger("StackTrace", ERROR, ['FULL_STACKTRACE'], false)
root(ERROR, ['STDOUT', 'FULL_STACKTRACE'])

The same idea applies if you do not use spring security rest.