
spring security vs. vFabric tc Server

Hi, I don't know whether this is spring security plugin related or rather vFabric tc Server related.
Using ggts (v3.2.0, grails: 2.2.1), I have the following effect:
I've built an application with the spring security plugin and started with s2-quickstart (2 classes: User/Role).
My problem is that under vFabric tc Server (2.6 as well as 2.8) spring security doesn't seem to work. It lets me log in, but then displays "access denied" on protected resources. Using any other standalone tomcat installation or the grails built-in tomcat just works fine!

The relevant lines from BootStrap.groovy:
Code:

def adminRole = new Role(authority: 'ROLE_ADMIN').save(flush: true)
def userRole = new Role(authority: 'ROLE_USER').save(flush: true)

def accounta = new User(username: 'a', enabled: true, password: 'a', accountExpired: false, accountLocked: false, passwordExpired: false, client: null).save(flush: true)
def accountb = new User(username: 'b', enabled: true, password: 'b', accountExpired: false, accountLocked: false, passwordExpired: false, client: null).save(flush: true)
def accountc = new User(username: 'c', enabled: true, password: 'c', accountExpired: false, accountLocked: false, passwordExpired: false, client: null).save(flush: true)

UserRole.create accounta, userRole, true
UserRole.create accountb, userRole, true
UserRole.create accountc, userRole, true

With that I've secured a controller using an annotation:
Code:

@Secured(['ROLE_USER'])
class ClientController {...

And of course the standard yadayada from the docs apply, e.g. Config.groovy:
Code:

grails.plugins.springsecurity.userLookup.userDomainClassName = 'sample.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'sample.UserRole'
grails.plugins.springsecurity.authority.className = 'sample.Role'

I'm clueless. Any advice? TIA!

PS: adding debug output of the spring security plugin.
Code:

2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - Converted URL to lowercase, from: '/client/index'; to: '/client/index'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - Candidate is: '/client/index'; pattern is /**; matched=true
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG context.HttpSessionSecurityContextRepository  - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@88b3338c: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@88b3338c: Principal: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser@61: Username: a; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BBB82C017155A13F2E1F2830FF74E8CF; Granted Authorities: ROLE_NO_ROLES'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 5 of 8 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG rememberme.RememberMeAuthenticationFilter  - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@88b3338c: Principal: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser@61: Username: a; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BBB82C017155A13F2E1F2830FF74E8CF; Granted Authorities: ROLE_NO_ROLES'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG authentication.AnonymousAuthenticationFilter  - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@88b3338c: Principal: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser@61: Username: a; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BBB82C017155A13F2E1F2830FF74E8CF; Granted Authorities: ROLE_NO_ROLES'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG web.FilterChainProxy  - /client/index at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /client/index; Attributes: [ROLE_USER]
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@88b3338c: Principal: org.codehaus.groovy.grails.plugins.springsecurity.GrailsUser@61: Username: a; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_NO_ROLES; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: BBB82C017155A13F2E1F2830FF74E8CF; Granted Authorities: ROLE_NO_ROLES
2013-03-29 16:16:40,924 [tomcat-http--39] DEBUG hierarchicalroles.RoleHierarchyImpl  - getReachableGrantedAuthorities() - From the roles [ROLE_NO_ROLES] one can reach [ROLE_NO_ROLES] in zero or more steps.
2013-03-29 16:16:40,956 [tomcat-http--39] DEBUG access.ExceptionTranslationFilter  - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:722)
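
Added example, not part of the original post: a Python triage script for this kind of debug output that pairs each "Access is denied" line with the attributes the URL required and the authorities the session held. `ROLE_NO_ROLES` is the placeholder the plugin assigns when it loads no authorities for a user, so it is reported separately from an ordinary missing role. The function name, the cause labels and the sample lines for threads 40 and 41 are constructed for illustration.

```python
import re

NO_ROLES = "ROLE_NO_ROLES"  # placeholder authority visible in the post's log
LINE = re.compile(r"\[([^\]]+)\] DEBUG \S+\s+- (.*)")
SECURE = re.compile(r"URL: (\S+); Attributes: \[([^\]]*)\]")
AUTH = re.compile(r"Username: ([^;]+);.*?Granted Authorities: ([^;]+)")

# Constructed, abridged lines in the format of the debug output above;
# the tomcat-http--40 and --41 requests are invented for contrast.
SAMPLE_LOG = """\
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /client/index; Attributes: [ROLE_USER]
2013-03-29 16:16:40,908 [tomcat-http--39] DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: Principal: GrailsUser@61: Username: a; Password: [PROTECTED]; Granted Authorities: ROLE_NO_ROLES; Authenticated: true
2013-03-29 16:16:40,956 [tomcat-http--39] DEBUG access.ExceptionTranslationFilter  - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2013-03-29 16:16:41,100 [tomcat-http--40] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /admin/index; Attributes: [ROLE_ADMIN]
2013-03-29 16:16:41,100 [tomcat-http--40] DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: Principal: GrailsUser@62: Username: b; Password: [PROTECTED]; Granted Authorities: ROLE_USER; Authenticated: true
2013-03-29 16:16:41,120 [tomcat-http--40] DEBUG access.ExceptionTranslationFilter  - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2013-03-29 16:16:41,300 [tomcat-http--41] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /client/index; Attributes: [ROLE_USER]
2013-03-29 16:16:41,300 [tomcat-http--41] DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: Principal: GrailsUser@63: Username: c; Password: [PROTECTED]; Granted Authorities: ROLE_USER; Authenticated: true
"""

def split_roles(text):
    return {r.strip() for r in text.split(",") if r.strip()}

def explain_denials(log_text):
    """Return one finding per 'Access is denied' line, tracked per worker thread."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # stack-trace frames and other non-log lines
        thread, msg = m.groups()
        req = pending.setdefault(thread, {})
        if msg.startswith("Secure object:") and (s := SECURE.search(msg)):
            pending[thread] = {"url": s.group(1), "required": split_roles(s.group(2))}
        elif msg.startswith("Previously Authenticated:") and (a := AUTH.search(msg)):
            req["user"], req["granted"] = a.group(1), split_roles(a.group(2))
        elif msg.startswith("Access is denied") and "required" in req:
            granted = req.get("granted", set())
            if granted == {NO_ROLES}:
                cause = "no_authorities_loaded"   # role lookup returned nothing at login
            elif not (req["required"] & granted):
                cause = "missing_required_role"   # roles loaded, but not the needed one
            else:
                cause = "other"
            findings.append({"url": req["url"], "user": req.get("user"),
                             "required": sorted(req["required"]),
                             "granted": sorted(granted), "cause": cause})
            pending.pop(thread)
    return findings

if __name__ == "__main__":
    for finding in explain_denials(SAMPLE_LOG):
        print(finding)
```

A `no_authorities_loaded` finding points at how the user's roles are read at login on that container rather than at the `@Secured` annotation or the URL mapping.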
