Tags: spring, tomcat, grails, spring-security, grails-plugin

Grails 3 Spring Security Plugin


I am using Grails 3 and the Spring Security Plugin for authentication.

When I hit the following url manually, in my browser:

http://localhost:8080/cool-0.1/

I get the login page, and I can authenticate successfully, inferring that I type my username / password combo correctly.

Problem:

If I navigate to my page by using the original link, without the forward slash (i.e. http://localhost:8080/cool-0.1 and not http://localhost:8080/cool-0.1/), I completely bypass the security, and am able to see the home page without authenticating. (Yes, I clear my cache, close all windows, etc.)

My url mappings contain the following code:

"/"(controller: "home", action: "index")

My spring security groovy file contains the following code:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/login/**', access: ['permitAll']],
    [pattern: '/error', access: ['permitAll']],
    [pattern: '/**', access: 'isAuthenticated()']
]
grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**', filters: 'none'],
    [pattern: '/**/js/**', filters: 'none'],
    [pattern: '/**/css/**', filters: 'none'],
    [pattern: '/**/images/**', filters: 'none'],
    [pattern: '/**/favicon.ico', filters: 'none'],
    [pattern: '/**', filters: 'JOINED_FILTERS']
]

I do not see what I am missing here. Why do the two scenarios cause issues? The documentation for Spring Security Grails 3 mentions nothing useful to solve this.


Solution

  • The solution was to use the ** pattern:

    [pattern: '**', access: 'isAuthenticated()'],
    

    The documentation provided said that the use of /** and ** is identical; however, by doing the experiment using both, it clearly is not.
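The difference the answer observed can be reproduced outside Grails with Spring's own matcher. The script below is an added example, not code from the question, the answer or the Grails plugin; it uses the real org.springframework.util.AntPathMatcher class (on the classpath of any Grails 3 application) and shows that its match() refuses to match as soon as the pattern and the path disagree about a leading slash. That the no-trailing-slash request reaches the security filter as an empty path after the context path (/cool-0.1) is stripped is an assumption made for the example, not something the question states.

```groovy
// Added example, not code from the question, the answer or the Grails plugin.
// Assumes spring-core (org.springframework.util.AntPathMatcher) is on the
// classpath, which it is inside any Grails 3 application.
import org.springframework.util.AntPathMatcher

// AntPathMatcher.doMatch() returns false right away when the pattern and the
// path disagree about a leading '/', before any wildcard logic runs.
AntPathMatcher matcher = new AntPathMatcher()

// Candidate paths as the security filter might see them once the context path
// (/cool-0.1) has been stripped. The empty string for the no-trailing-slash
// request is an assumption about URL normalisation, not a fact from the question.
List<String> paths = ['/', '', '/home/index']
List<String> patterns = ['/**', '**']

// results[pattern][path] -> did the pattern match that path?
Map<String, Map<String, Boolean>> results = [:]
for (String pattern in patterns) {
    results[pattern] = [:]
    for (String path in paths) {
        results[pattern][path] = matcher.match(pattern, path)
    }
}

results.each { pattern, byPath ->
    byPath.each { path, matched ->
        printf("pattern %-4s path %-14s -> %s%n", pattern, "'${path}'", matched)
    }
}

// Expected, following AntPathMatcher's leading-separator check:
assert results['/**']['/']           == true
assert results['/**']['']            == false   // the gap the question describes
assert results['/**']['/home/index'] == true
assert results['**']['']             == true    // why switching to '**' changes the outcome
assert results['**']['/']            == false   // '**' alone does not match paths with a leading '/'
assert results['**']['/home/index']  == false
```

Because a bare AntPathMatcher treats `/**` and `**` as disjoint rather than identical, a rule change like the one in the answer should be verified from the browser in both directions: confirm that both URL forms of the application root now redirect to the login page, and confirm that ordinary controller URLs are still reachable after logging in rather than silently denied.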