
Grails spring security fails to present the login page due to a redirect loop


I have upgraded my current spring security plugins to

  • spring-security-core-2.0-RC2
  • spring-security-ui-1.0-RC1

PROBLEM

and I noticed that my login screen no longer shows up. In Chrome it says "This page has a redirect loop".

STEPS TO RECREATE THE PROBLEM

So I have tried to create a brand new application called Test to try to isolate the problem.

First, I installed the security and security-ui plugins by adding the following entries in the BuildConfig.groovy:

compile ":spring-security-core:2.0-RC2"    
compile ":spring-security-ui:1.0-RC1"

Second I ran the quick start command as follows:

grails s2-quickstart security Person Authority Requestmap

and it created 4 domain objects as follows under a package called security: Authority.groovy, Person.groovy, PersonAuthority.groovy and Requestmap.groovy

as well as added the following to my Config.groovy

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'security.Person'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'security.PersonAuthority'
grails.plugin.springsecurity.authority.className = 'security.Authority'
grails.plugin.springsecurity.requestMap.className = 'security.Requestmap'
grails.plugin.springsecurity.securityConfigType = 'Requestmap'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':                              ['permitAll'],
    '/index':                         ['permitAll'],
    '/index.gsp':                     ['permitAll'],
    '/**/js/**':                      ['permitAll'],
    '/**/css/**':                     ['permitAll'],
    '/**/images/**':                  ['permitAll'],
    '/**/favicon.ico':                ['permitAll']
]

Finally, I have run the app by doing a grails run-app command where I would expect the login page (auth.gsp) that now is no longer part of your code but of the plugin (by design) to be returned

C\myPathToGrails\.grails\2.2.2\projects\Test\plugins\spring-security-core-2.0-RC2\grails-app\views\login\auth.gsp

but instead I get a blank page stating that this page has a redirect loop.

I have also tried adding the following staticRules, cleaning the app, and re-running it again to see if it would fix the problem, but the redirect message still occurred.

'/login/**':                      ['permitAll'],
'/login/auth/**':                 ['permitAll'],
'/login.gsp':                     ['permitAll']

Does anybody have any idea how to get around this?

Thanks in advance.


Solution

  • You're using Requestmap as the security config type, so your controllerAnnotations.staticRules does not have any effect.

    You need to configure rules in the RequestMap table, and enable your login controller and public pages so that anonymous users can access them without logging in, like:

        new Requestmap(url: '/*', configAttribute: 'IS_AUTHENTICATED_ANONYMOUSLY').save();
        new Requestmap(url: '/logout/**', configAttribute: 'IS_AUTHENTICATED_REMEMBERED,IS_AUTHENTICATED_FULLY').save();
        new Requestmap(url: '/login/**', configAttribute: 'IS_AUTHENTICATED_ANONYMOUSLY').save()
        new Requestmap(url: '/index/**', configAttribute: 'IS_AUTHENTICATED_ANONYMOUSLY').save();
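
One way to seed these rows at startup, as an added example that is not part of the original answer or the plugin's own code: a BootStrap.groovy for the question's Test app that carries the question's staticRules paths over into Requestmap rows, using the config attributes from the answer. Placing this in BootStrap.groovy, the `ensureRule` helper name, and the cache reload at the end are assumptions of this example.

```groovy
// grails-app/conf/BootStrap.groovy (added example; file placement is an assumption)
import security.Requestmap   // domain class generated by s2-quickstart in the question

class BootStrap {

    // Injected by the Spring Security Core plugin
    def springSecurityService

    def init = { servletContext ->
        // Paths the question listed under staticRules, which have no effect when
        // securityConfigType = 'Requestmap', plus the login controller URLs.
        def anonymousUrls = [
            '/', '/index', '/index.gsp',
            '/**/js/**', '/**/css/**', '/**/images/**', '/**/favicon.ico',
            '/login/**'
        ]

        Requestmap.withTransaction {
            anonymousUrls.each { url ->
                ensureRule(url, 'IS_AUTHENTICATED_ANONYMOUSLY')
            }
            // Logout is restricted to logged-in users (attributes taken from the answer)
            ensureRule('/logout/**', 'IS_AUTHENTICATED_REMEMBERED,IS_AUTHENTICATED_FULLY')
        }

        // Precaution: reload the plugin's cached Requestmap entries so the
        // rows saved above are the ones used for access decisions.
        springSecurityService.clearCachedRequestmaps()
    }

    // Hypothetical helper: insert a rule only if no row exists for this URL,
    // so restarts against a persistent database do not create duplicates.
    void ensureRule(String url, String configAttribute) {
        if (!Requestmap.findByUrl(url)) {
            new Requestmap(url: url, configAttribute: configAttribute)
                .save(failOnError: true, flush: true)
        }
    }

    def destroy = {}
}
```

Using `failOnError: true` makes a rejected row stop startup with an exception instead of silently leaving the login URL without a rule.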