Álvaro Sánchez-Mariscal
@hussainanjar there are no plans to support Grails. My latest statement regarding that can be seen in slide 84 @ http://www.slideshare.net/alvarosanchezmariscal/stateless-authentication-for-microservices-gr8conf-2015
Lawrence Lee
@alvarosanchez yeah, a business case for our software is letting admins log in as users when users report issues via the error reporting capabilities of the application. So we need to generate a valid token for that user so that the admin can log into their account and see if what is going on is actually a bug before filing a bug report
Álvaro Sánchez-Mariscal
you can use TokenGenerator's AccessToken generateAccessToken(UserDetails principal) method
to get the user details of another user, you can use UserDetailsService's UserDetails loadUserByUsername(String username)
the bean name of the former is tokenGenerator, and the latter is userDetailsService
Inject them in your controller/service and use them
Lawrence Lee
Thanks, I'll try that
Lawrence Lee
Awesome, that works. One last question on the issue: how is the JSON rendered in the plugin for the login endpoint?
Lawrence Lee
nm, silly question. Found it in the controller :+1:
James Kleeh
@alvarosanchez Docs added for the events
Luis Muniz

Hi just in case someone else hits this roadblock. I was getting this error when starting up the application (grails-2.5.1) hosting spring-security-rest (1.4.0):

| Error 2014-07-22 17:47:55,824 [localhost-startStop-1] ERROR plugins.DefaultGrailsPluginManager  - Error configuring dynamic methods for plugin [springSecurityCore:2.0-RC4]: null
Message: null
    Line | Method
->>  327 | compileStaticRules        in grails.plugin.springsecurity.web.access.intercept.AnnotationFilterInvocationDefinition

When I switch to using spring-security-core-2.0-RC3 (instead of 2.0-RC4), the error does not occur. And when I switched back to RC4, the error disappeared. Some kind of caching issue, but I ran clean-all about a googol times with no results

Fairuz Wan Ismail
I'm planning to have a separate REST client (a pure frontend running an AngularJS app) and a RESTful API (using Spring Cloud, Spring Security and the gang). I have doubts right now about which grant type I should use.
I want to use password grant type since both apps are mine but someone said we shouldn't use it in the browser. Does someone know why?
Álvaro Sánchez-Mariscal
You can use the password grant if you want to. Another option would be the implicit grant
Thought Object
Does this plugin work with Grails 3?
Ejaz Ahmed
No. This plugin does not work with grails3 right now
how Check CSRF headers is available
default Spring Security relies on the spring tag for the CSRF token, which can be generated in JSP only. But we have a one-page HTML.
so neither spring tags nor meta tag works
so went with CSRF custom headers that I'm adding in my custom filters
how and where to add that filter and how to verify it as no CSRF attack
Burp report sends jusername and jpassword and gets 302 response
can't rely on cookie
as Burp changes the cookie too
Fairuz Wan Ismail
@alvarosanchez Thanks! I ended up using just password grant
Adetunji Adegbite
Hi all, I am testing the login Spring Security REST API for my app using Postman and curl but getting a 401 response with the following details. Any clue on what could be causing this?
access-control-allow-credentials → true
access-control-allow-origin → chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
content-length → 0
date → Wed, 18 Apr 2018 20:38:43 GMT
vary → Origin
with error 401 status
I am testing via Postman.
Here is my application.groovy

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.teejay.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.teejay.UserAuthority'
grails.plugin.springsecurity.authority.className = 'com.teejay.Authority'
grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugin.springsecurity.interceptUrlMap = [
    [pattern: '/',               access: ['permitAll']],
    [pattern: '/error',          access: ['permitAll']],
    [pattern: '/index',          access: ['permitAll']],
    [pattern: '/index.gsp',      access: ['permitAll']],
    [pattern: '/shutdown',       access: ['permitAll']],
    [pattern: '/assets/**',      access: ['permitAll']],
    [pattern: '/**/js/**',       access: ['permitAll']],
    [pattern: '/**/css/**',      access: ['permitAll']],
    [pattern: '/**/images/**',   access: ['permitAll']],
    [pattern: '/**/favicon.ico', access: ['permitAll']],
    [pattern: '/dbconsole/**', access: ['permitAll']],
    [pattern: '/api/login',          access: ['permitAll']],
    [pattern: '/mtoken',          access: ['ROLE_USER']],
    [pattern: '/api/logout',        access: ['isFullyAuthenticated()']],
    [pattern: '/api/jtoken',    access: ['isFullyAuthenticated()']],
    [pattern: '/**',             access: ['isFullyAuthenticated()']]
]

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/api/**', filters:'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter'],
    [pattern: '/**', filters:'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter']
]


grails.plugin.springsecurity.rest.logout.endpointUrl = '/api/logout'
grails.plugin.springsecurity.rest.token.validation.useBearerToken = false
grails.plugin.springsecurity.rest.token.validation.headerName = 'X-Auth-Token'
grails.plugin.springsecurity.rest.token.storage.memcached.hosts = 'localhost:11211'
grails.plugin.springsecurity.rest.token.storage.memcached.username = ''
grails.plugin.springsecurity.rest.token.storage.memcached.password = ''
grails.plugin.springsecurity.rest.token.storage.memcached.expiration = 86400
grails.plugin.springsecurity.password.algorithm = 'SHA-256'
grails.plugin.springsecurity.password.hash.iterations = 1

//token rendering

grails.plugin.springsecurity.rest.login.useJsonCredentials = true
grails.plugin.springsecurity.rest.login.failureStatusCode = 401
grails.plugin.springsecurity.rest.login.usernamePropertyName = 'username'
grails.plugin.springsecurity.rest.login.useRequestParamsCredentials = false
Adetunji Adegbite
Hi all, please, I still need help using spring-security-rest with Grails 3.3.0. Anyone with a working example will be highly appreciated.
jmiguel rodriguez
Hi @twonjee2002 . You'd better ask in the slack grails channel: grails.slack.com
Sufyan Shoaib
Hi all, I have a question, if anyone can help. Is it possible to define a custom Authentication Controller that can log in and log out a user and do some other stuff after login or logout?
Also, is it possible to define some error message when authentication fails, like username not found?
Ejaz Ahmed
@sufyanshoaib use grails slack channel instead for such questions.
Can I have one sample please?
I'm still new to this
Hi all, I am using security-rest-2.0.0.RC1
I am trying to intercept login action with grails interceptor
But I am unable to intercept /api/login call for some reason. Can anyone point me in the right direction?
public AuthenticationInterceptor() { match(uri: '/**') }
Sorry for the formatting. I'm new here. But this is what my interceptor looks like

I have a groovy project and wanted to run code analysis.

When I searched for it, most of the websites suggested going for the SonarQube plugin for analysis.

The latest SonarQube version throws an error.

I would like to know the compatible version of SonarQube, Plugin for IDE with links to download.

Please advise.

Hi all
I have a question regarding the doFilter method in RestTokenValidationFilter: why is this method getting invoked twice on a single call?
Adam Goldsmith
@alvarosanchez Hi, I am trying to do a token refresh, using a verified token, using Postman (to test my back-end), and I am getting the thrown error that generates the 403 response. Do you know a common mistake that I could have made? To use my app with Postgres, I have named my "User" domain as "Users". That domain also has no mention of "org.springframework.security.core.userdetails.User" (as mentioned in RestOauthController.groovy); could that be the cause?