
Make Grails controller action have public access using Spring Security Rest Plugin


I have a Grails 3.2.4 app that uses the Spring Security Core & REST plugins. My goal is to make certain Grails controller actions available to the public and not locked. By default, the plugin locks down everything ("pessimist lockdown").

If I annotate one of my Grails controller actions using @Secured("IS_AUTHENTICATED_ANONYMOUSLY"), then I have no issues when using the stateful authentication using session (provided by Core plugin).

However, that does not seem to work if the controller action is under the REST plugin.

What should I do to make a Grails controller action public and not locked if I am using the stateless REST plugin? (Authorization header provides the Bearer token).


Solution

  • I found that IS_AUTHENTICATED_ANONYMOUSLY was not working because the anonymousAuthenticationFilter was removed using a minus sign in my filterChain.chainMap definitions. So I just removed that "-anonymousAuthenticationFilter" and it works now.
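The fix described in the answer, as an added configuration example (not the poster's actual file). The URL patterns `/api/public/**` and `/api/**` are assumptions; the filter names are the ones registered by the Spring Security Core and REST plugins. It keeps `anonymousAuthenticationFilter` only on a narrow public pattern so the rest of the stateless API stays locked down.

```groovy
// grails-app/conf/application.groovy
// Constructed example: the URL patterns below are assumptions, not taken from the question.

// BEFORE (the situation described in the answer): the stateless chain removes
// anonymousAuthenticationFilter with a minus sign. A request without a Bearer
// token therefore never gets an anonymous Authentication object, and an action
// annotated @Secured("IS_AUTHENTICATED_ANONYMOUSLY") is rejected.
//
// grails.plugin.springsecurity.filterChain.chainMap = [
//     [pattern: '/api/**', filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'],
//     [pattern: '/**',     filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter']
// ]

// AFTER: entries are matched in order, first match wins, so the narrow public
// pattern is listed before the general stateless one.
grails.plugin.springsecurity.filterChain.chainMap = [
    // Public, stateless endpoints: anonymousAuthenticationFilter is NOT removed,
    // so IS_AUTHENTICATED_ANONYMOUSLY can match when no token is sent.
    [pattern: '/api/public/**',
     filters: 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'],

    // Remaining stateless API: anonymous authentication stays removed, so every
    // request must carry a valid Bearer token.
    [pattern: '/api/**',
     filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'],

    // Traditional, session-based chain for everything else.
    [pattern: '/**',
     filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter']
]
```

Only actions that are explicitly annotated become public under the first pattern; with pessimistic lockdown left on, unannotated actions there are still denied.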