Tags: grails, spring-security, grails-plugin

Grails spring security denying access to other plugin


On a Grails 2.4.3 project I'm using the Spring Security Core plugin (2.0RC4) and another plugin called Feature Flipping.

All my controllers are correctly secured and authentication is working without any problems.

The "Feature Flipping" plugin exposes a /admin/feature URI which allows users to switch features through the web.

I tried to configure static rules to permit only ROLE_ADMIN users to access this resource, but I'm still getting "Access denied" errors.

Any ideas?

My staticRules:

'/admin/**':                  ['ROLE_ADMIN']

SpringSecurity debug log:

2014-10-28 17:15:47,805 [http-bio-8080-exec-4] DEBUG matcher.AntPathRequestMatcher  - Request '/admin/features' matched by universal pattern '/**'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository  - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@2116e65: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@2116e65: Principal: [REDACTED].security.UserDetails@f9520f8b: Username: pygillier; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 7FF242941B7F95FD17E97D8611B3A5CF; Granted Authorities: ROLE_ADMIN, ROLE_USER'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 5 of 8 in additional filter chain; firing Filter: 'GrailsRememberMeAuthenticationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 6 of 8 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-10-28 17:15:47,806 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy  - /admin/features at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-10-28 17:15:47,807 [http-bio-8080-exec-4] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /admin/features; Attributes: [_DENY_]

Solution

  • OK, got it.

    I got confused because the plugin's controller name and URL are different.

    The plugin's controller name is FeatureSwitchAdmin and it is mapped as /admin/features, so in my staticRules I need to set

    '/featureswitchadmin/**':              ['ROLE_ADMIN']

    to get a valid credential.

    (Found the solution with @rmlan's clues and the official docs.)
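Why the original rule never matched: with the plugin's default securityConfigType of 'Annotation', staticRules keys are not compared against the raw request URL. The plugin resolves the request through UrlMappings to a controller and action and matches the keys against /controllername/action, so /admin/features is seen as /featureswitchadmin/<action>. Because rejectIfNoRule defaults to true in 2.0, a URL that matches no rule gets the _DENY_ attribute visible in the FilterSecurityInterceptor line of the log above. The Config.groovy fragment below is an added example, not the asker's configuration or the plugin's own documentation; it assumes the Grails 2.4 / Spring Security Core 2.0 defaults and the permitAll entries that s2-quickstart generates, and takes the FeatureSwitchAdmin controller name from the answer.

```groovy
// grails-app/conf/Config.groovy (added example, assumes Spring Security Core 2.0 defaults)

// Default in 2.0: rules are keyed by /controllerName/actionName resolved via UrlMappings.
grails.plugin.springsecurity.securityConfigType = 'Annotation'

// Default in 2.0: a URL that matches no rule is rejected with _DENY_ (deny by default).
grails.plugin.springsecurity.rejectIfNoRule = true

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    // Entries generated by s2-quickstart for public resources.
    '/':                  ['permitAll'],
    '/index':             ['permitAll'],
    '/index.gsp':         ['permitAll'],
    '/assets/**':         ['permitAll'],
    '/**/js/**':          ['permitAll'],
    '/**/css/**':         ['permitAll'],
    '/**/images/**':      ['permitAll'],
    '/**/favicon.ico':    ['permitAll'],
    '/login/**':          ['permitAll'],
    '/logout/**':         ['permitAll'],

    // Broken: this key is compared against the resolved controller/action,
    // never against the request path /admin/features, so it is never hit and
    // the request falls through to _DENY_.
    // '/admin/**':              ['ROLE_ADMIN'],

    // Working: the Feature Flipping plugin's controller is
    // FeatureSwitchAdminController, so the key is its lowercased controller name.
    '/featureswitchadmin/**': ['ROLE_ADMIN'],
]
```

To confirm the rule is applied, keep the Spring Security debug logging from the question enabled and check that the FilterSecurityInterceptor line for /admin/features now reports Attributes: [ROLE_ADMIN] instead of [_DENY_]. Leave rejectIfNoRule at its default: loosening it to false would make unmatched plugin URLs reachable by anyone rather than surfacing them as an access denial you can fix with an explicit rule.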