0

I'm using Grails v2.4.2 with spring-security-rest, spring-security-core, and spring-security-ui plugins.

I'm trying to disable the RestAuthenticationFilter that comes with spring-security-rest so that I can write a custom Authentication Filter that is not case sensitive.

In my config.groovy, I'm using the following filter chain map:

    grails.plugin.springsecurity.filterChain.chainMap = [
        '/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter,-restAuthenticationFilter'
    ]

I've added '-restAuthenticationFilter' to exclude RestAuthenticationFilter but it is still running.

How can I exclude RestAuthenticationFilter, or is there an easier way to add case insensitivity to the username when logging in through RestAuthenticationFilter?

Burt Beckwith
Jeremy Wagner

2 Answers

2

Seems like 2 different questions.

If you want to exclude the REST auth filter, I think you need to remove restTokenValidationFilter and restExceptionTranslationFilter from the chain.

Try

    grails.plugin.springsecurity.filterChain.chainMap = [
        '/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter,-restTokenValidationFilter,-restExceptionTranslationFilter'
    ]

If you want to make your username case insensitive, just create a custom implementation of GrailsUserDetailsService. Implement loadUserByUsername to ignore case of the username.

See http://grails-plugins.github.io/grails-spring-security-core/guide/userDetailsService.html

jstell
  • I know about the custom user details service, but can you implement that using the spring security rest plugin? I'm not seeing anywhere we use a UserDetailsService and all we are using Gorm for is token storage – Jeremy Wagner Apr 13 '15 at 17:28
  • Ah, so I see GormUserDetailsService is a class and part of grails-spring-security-core. I'll be writing a custom one of these instead. – Jeremy Wagner Apr 13 '15 at 17:35
1

The plugin doesn't perform any authentication itself, but rather delegates it to Spring's AuthenticationManager, which in turn uses any authentication provider configured. In your case, the provider used is DaoAuthenticationProvider, and it delegates user retrieval to the configured userDetailsService bean.

As @jstell pointed out, the core plugin provides a GormUserDetailsService that you will have to subclass, overriding the method loadUserByUsername(String username, boolean loadRoles), and configure it in resources.groovy as the userDetailsService bean.
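
A sketch of the subclass both answers describe, added here as an example and not taken from either answer or from the plugin's source. It assumes the 2.x core plugin's GormUserDetailsService with its protected loadAuthorities and createUserDetails helpers; com.example.User (with a username property) and the class name CaseInsensitiveUserDetailsService are hypothetical.

```groovy
// src/groovy/com/example/CaseInsensitiveUserDetailsService.groovy
// Assumption: com.example.User is a hypothetical user domain class with a 'username' property.
package com.example

import grails.plugin.springsecurity.userdetails.GormUserDetailsService
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException

class CaseInsensitiveUserDetailsService extends GormUserDetailsService {

    @Override
    UserDetails loadUserByUsername(String username, boolean loadRoles) throws UsernameNotFoundException {
        if (!username?.trim()) {
            throw new UsernameNotFoundException('User not found')
        }
        User.withTransaction { status ->
            // eq(..., [ignoreCase: true]) compares the whole value. Unlike
            // findByUsernameIlike, '%' and '_' in the input are not treated
            // as wildcards, so "%" cannot match an arbitrary account.
            List matches = User.createCriteria().list {
                eq('username', username, [ignoreCase: true])
                maxResults(2)
            }
            // Fail closed when nothing matches, or when two accounts differ
            // only by case and the lookup would be ambiguous.
            if (matches.size() != 1) {
                throw new UsernameNotFoundException('User not found')
            }
            def user = matches[0]
            // Reuse the parent's role loading and UserDetails construction,
            // passing the stored username rather than the typed one.
            createUserDetails(user, loadAuthorities(user, user.username, loadRoles))
        }
    }
}

// Registration in grails-app/conf/spring/resources.groovy, replacing the
// plugin's userDetailsService bean:
//
// beans = {
//     userDetailsService(com.example.CaseInsensitiveUserDetailsService) {
//         grailsApplication = ref('grailsApplication')
//     }
// }
```

Case-insensitive login is only unambiguous if registration also rejects a new username that differs from an existing one only by case.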