How do I set up Spring Security Core in a way that calls to a certain pattern (such as /api/**) are not filtered?
grails.plugins.springsecurity.filterChain.chainMap = [
'/api/**': '',
'/**': 'JOINED_FILTERS',
]
doesn't work, since it will try to resolve the bean ''.
Is there anything other than the nasty workaround with 'JOINED_FILTERS,-filter1,-filter2,...'
How are static resources being excluded from Spring Security?
You need to add the anonymous filter to your filter chain. If you followed the grails spring security rest configuration tutorial you probably got the following code:
grails.plugin.springsecurity.filterChain.chainMap = [
//Stateless chain
[
pattern: '/**',
filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
]
]
Note that you have "-anonymousAuthenticationFilter" , which removes this filter from your filter chain. By removing this part (-anonymousAuthenticationFilter) from your code, this filter will back to your filter chain, so you can use the @Secured("permitAll") or @Secured(['IS_AUTHENTICATED_ANONYMOUSLY']) again.
My final filter chain map was the following and worked like a charm.
grails.plugin.springsecurity.filterChain.chainMap = [
//Stateless chain
[
pattern: '/**',
filters: 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
]
]
Add this to you logback.groovy in the development environment when you need to see more details about the authentication process
logger("org.springframework.security", DEBUG, ['STDOUT'], false)
logger("grails.plugin.springsecurity", DEBUG, ['STDOUT'], false)
logger("org.pac4j", DEBUG, ['STDOUT'], false)
logger("StackTrace", ERROR, ['FULL_STACKTRACE'], false)
root(ERROR, ['STDOUT', 'FULL_STACKTRACE'])
The same idea applies if you do not use spring security rest.