3

I have split my Grails app into two apps - a customer facing web app and a separate app that hosts a REST api. I am doing this because I'm building an iOS app to go with my web app. My app uses Spring Security and I want to secure the REST api. I've surprisingly found very little information on the proper way to do this. Should I implement oauth with Spring Security, thus making my API app an oauth provider?

Any suggestions would be great.

RyanLynch
  • 1
    http://stackoverflow.com/questions/11220359/grails-securing-rest-api-with-oauth2-0 http://stackoverflow.com/questions/7095925/grails-and-oauth http://stackoverflow.com/questions/7951313/securing-grails-rest-service-for-use-with-mobile-applications – Gregg Feb 11 '13 at 20:56
  • So basically a complete solution isn't currently available. – RyanLynch Feb 13 '13 at 02:33

2 Answers

3

Yes, I just did this for another application. You have to tell Spring Security to behave differently when the REST URLs are accessed.

Add this to your Config.groovy.

Now you will have two parts of your application that are authenticated in the following manner:

a) Anything with /api (assuming that's how you have your REST set up) in the URL gets the basic authentication.

b) Everything else goes through the login page.

```groovy
// Import goes at the top of Config.groovy; needed for the SecurityConfigType enum below
import grails.plugins.springsecurity.SecurityConfigType

// Make the application more secure by intercepting all URLs
grails.plugins.springsecurity.useBasicAuth = true
grails.plugins.springsecurity.basic.realmName = " REST API realm"
grails.plugins.springsecurity.securityConfigType = SecurityConfigType.InterceptUrlMap

// Exclude normal controllers from the basic auth filter. Just the JSON API is included
grails.plugins.springsecurity.filterChain.chainMap = [
    '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter'
]
```
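
An added example, not part of the original answer: with `securityConfigType` set to `InterceptUrlMap`, the access rules themselves are read from `interceptUrlMap`, which the snippet above does not show. The role name `ROLE_API_USER` and the URL patterns are assumptions for illustration; the keys are the spring-security-core 1.x names used in the answer.

```groovy
// Added example for Config.groovy; complements the filter chain settings above.
// ROLE_API_USER and the URL layout are assumed, adjust them to your application.

// Access rules for the InterceptUrlMap config type.
// The first matching rule is used, so specific patterns go before '/**'.
grails.plugins.springsecurity.interceptUrlMap = [
    // REST endpoints: caller must authenticate (via Basic auth, per the chainMap)
    // and hold the API role
    '/api/**':    ['ROLE_API_USER'],

    // Login, logout and static resources must stay reachable without a session,
    // otherwise the form login page cannot render
    '/login/**':  ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/css/**':    ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/js/**':     ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],

    // Everything else in the web app requires a logged-in user
    '/**':        ['IS_AUTHENTICATED_REMEMBERED']
]

// Basic auth sends the username and password base64-encoded (not encrypted)
// with every request, so require HTTPS for the API paths.
grails.plugins.springsecurity.secureChannel.definition = [
    '/api/**': 'REQUIRES_SECURE_CHANNEL'
]
```

A quick check after deploying: an unauthenticated request to an `/api` URL should return `401` with a `WWW-Authenticate: Basic` header, while an unauthenticated request to any other protected URL should redirect to the login page.
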
3

I've been working during the last weeks on a plugin that covers exactly what you want to do:

http://grails.org/plugin/spring-security-rest

Have a look at it and let me know if you have any problem.

  • While this may theoretically answer the question, [it would be preferable](http://meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Bill the Lizard Jun 11 '14 at 11:11