Tags: grails, spring-security, bearer-token, grails3

Grails 3: Spring Security Rest returns Login Page


I'm using a Grails 3.1.9 application and I can't access my secured method by passing the bearer token. Is something missing?

Problem:

Login Request (path: http://localhost:8080/api/login):

{
    "username": "adm",
    "password": "123"
}

Login Response:

{
    "username": "adm",
    "roles": [
        "ROLE_ADM"
    ],
    "token_type": "Bearer",
    "access_token": "enjUSkoPnOhTFg ...",
    "expires_in": 4600000,
    "refresh_token": "eyhaFthjvTgf ..." 
}

Then I send the access_token to path: http://localhost:8080/api/test:

{
    "Authorization": "Bearer enjUSkoPnOhTFg ..."
}

But the server returns the login page HTML content.

Note: the controller method has the annotation @Secured('ROLE_ADM'), and it works when I use @Secured('permitAll').

Configuration:

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.test.domain.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.test.domain.UserRole'
grails.plugin.springsecurity.authority.className = 'com.test.domain.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':                ['permitAll'],
    '/index':           ['permitAll'],
    '/index.gsp':       ['permitAll'],
    '/assets/**':       ['permitAll'],
    '/**/js/**':        ['permitAll'],
    '/**/css/**':       ['permitAll'],
    '/**/images/**':    ['permitAll'],
    '/**/favicon.ico':  ['permitAll']
]

grails.plugin.springsecurity.filterChain.chainMap = [
    '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter',
    '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'
]

Solution

  • I found the problem. I had to remove the traditional Spring Security filters from the '/auth/**' path.

    So this solves the problem:

    grails.plugin.springsecurity.filterChain.chainMap = [
        '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter',
        '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter',
        // add this line:
        '/auth/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ]
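The chainMap is an ordered map: Spring Security's FilterChainProxy walks the resulting chains top-down and uses the first pattern that matches the request path, and per the plugin's chainMap syntax JOINED_FILTERS means "every registered filter" with each "-name" entry removing one. The script below is an added example, not code from the question or the answer: it mimics that first-match resolution with a simplified Ant-pattern matcher (the real AntPathRequestMatcher has more rules) so you can check which chain a path lands in and whether restTokenValidationFilter survives in it before deploying a configuration. ANSWER_CHAIN_MAP is a copy of the answer's entries; REORDERED_CHAIN_MAP is a constructed variant with '/auth/**' above the '/**' catch-all. Run it and compare what '/auth/login' resolves to in each order.

```python
import re

# Constructed copy of the answer's chainMap; insertion order is preserved here
# exactly as a Groovy map literal preserves it.
ANSWER_CHAIN_MAP = {
    '/api/**':  'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter',
    '/**':      'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter',
    '/auth/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter',
}

# Constructed variant: same entries, specific '/auth/**' pattern above the catch-all.
REORDERED_CHAIN_MAP = {
    '/api/**':  ANSWER_CHAIN_MAP['/api/**'],
    '/auth/**': ANSWER_CHAIN_MAP['/auth/**'],
    '/**':      ANSWER_CHAIN_MAP['/**'],
}


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex (simplified).
    '/**' matches zero or more further segments, '*' matches within one
    segment, '?' matches a single non-slash character."""
    regex, i = '', 0
    while i < len(pattern):
        if pattern.startswith('/**', i):
            regex += '(?:/.*)?'
            i += 3
        elif pattern.startswith('**', i):
            regex += '.*'
            i += 2
        elif pattern[i] == '*':
            regex += '[^/]*'
            i += 1
        elif pattern[i] == '?':
            regex += '[^/]'
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile('^' + regex + '$')


def resolve_chain(path, chain_map=ANSWER_CHAIN_MAP):
    """Return (pattern, chain_spec) for the first entry whose pattern matches
    `path`, or (None, None) if no entry matches: first match wins."""
    for pattern, chain in chain_map.items():
        if ant_to_regex(pattern).match(path):
            return pattern, chain
    return None, None


def removed_filters(chain_spec):
    """Filter names listed with a leading '-' are removed from JOINED_FILTERS."""
    return {token[1:] for token in chain_spec.split(',') if token.startswith('-')}


def filter_active(path, filter_name, chain_map=ANSWER_CHAIN_MAP):
    """True if the chain selected for `path` is a JOINED_FILTERS chain that
    still contains `filter_name`; False if it was removed or nothing matched."""
    _pattern, chain = resolve_chain(path, chain_map)
    if chain is None or chain.split(',')[0] != 'JOINED_FILTERS':
        return False
    return filter_name not in removed_filters(chain)


if __name__ == '__main__':
    for path in ('/api/test', '/auth/login', '/index'):
        for label, cm in (('answer order', ANSWER_CHAIN_MAP),
                          ('reordered', REORDERED_CHAIN_MAP)):
            pattern, _ = resolve_chain(path, cm)
            active = filter_active(path, 'restTokenValidationFilter', cm)
            print(f'{label:12} {path:12} -> {pattern:10} '
                  f'restTokenValidationFilter active: {active}')
```

With the answer's order, '/auth/login' is captured by '/**' before '/auth/**' is ever consulted, so the token filter is absent on that path; moving '/auth/**' above the catch-all, as in REORDERED_CHAIN_MAP, is what makes the bearer-token filter apply there. Keeping specific patterns before '/**' is the general rule for this map.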