How to configure grails/spring authentication scheme per url?

How can I configure a grails application using Spring security such that one set of url's will redirect unauthenticated users to a custom login form with a开发者_运维问答n http response code of 200, whereas another set of url's are implementing restful web services and must return a 401/not authorized response for unauthenticated clients so the client application can resend the request with a username and password in response to the 401.

My current configuration can handle the first case with the custom login form. However, I need to configure the other type of authentication for the restful interface url's while preserving the current behavior for the human interface.

Thanks!

If I understood right what you want to do, I got the same problem, before! but it is easy to solve it using Spring Security grails Plugin! So, first of all, you have to set your application to use basic authentication:

grails.plugins.springsecurity.useBasicAuth = true

So your restful services will try to login, and if it doesnt work it goes to 401! This is easy but you also need to use a custom form to login right?! So you can just config some URL to gets into your normal login strategy like this:

grails.plugins.springsecurity.filterChain.chainMap = [
    '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter'
 ]

So noticed, that above, everything that comes to the URL /api/ will use the Basic Auth, but anything that is not from /api/ uses the normal authentication login form!

EDIT

More information goes to http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/guide/16%20Filters.html

I had the same issue and did not found a good solution for this. I am really looking forward a clean solution (something in the context like multi-tenant).

I ended up manually verifying the status and login-part for the second system, which should not redirect to the login page (so I am not using the "Secured" annotation). I did this using springSecurityService.reauthenticate() (for manually logging in), springSecurityService.isLoggedIn() and manually in each controller for the second system. If he wasn't, I have been redirecting to the specific page.

I do not know, whether this work-around is affordable for your second system.

You should make stateless basic authentication. For that please make following changes in your code.
UrlMappings.groovy

"/api/restLogin"(controller: 'api', action: 'restLogin', parseRequest: true)

Config.groovy

grails.plugin.springsecurity.useBasicAuth = true
grails.plugin.springsecurity.basic.realmName = "Login to My Site"
    grails.plugin.springsecurity.filterChain.chainMap = [
                '*'         : 'statelessSecurityContextPersistenceFilter,logoutFilter,authenticationProcessingFilter,customBasicAuthenticationFilter,securityContextHolderAwareRequestFilter,rememberMeAuthenticationFilter,anonymousAuthenticationFilter,basicExceptionTranslationFilter,filterInvocationInterceptor',
                '/api/': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter'
        ]

resources.groovy

statelessSecurityContextRepository(NullSecurityContextRepository) {}

    statelessSecurityContextPersistenceFilter(SecurityContextPersistenceFilter, ref('statelessSecurityContextRepository')) {
    }
    customBasicAuthenticationEntryPoint(CustomBasicAuthenticationEntryPoint) {
        realmName = SpringSecurityUtils.securityConfig.basic.realmName 
    }

    customBasicAuthenticationFilter(BasicAuthenticationFilter, ref('authenticationManager'), ref('customBasicAuthenticationEntryPoint')) {
        authenticationDetailsSource = ref('authenticationDetailsSource')
        rememberMeServices = ref('rememberMeServices')
        credentialsCharset = SpringSecurityUtils.securityConfig.basic.credentialsCharset // 'UTF-8'
    }

    basicAccessDeniedHandler(AccessDeniedHandlerImpl)

    basicRequestCache(NullRequestCache)

    basicExceptionTranslationFilter(ExceptionTranslationFilter, ref('customBasicAuthenticationEntryPoint'), ref('basicRequestCache')) {
        accessDeniedHandler = ref('basicAccessDeniedHandler')
        authenticationTrustResolver = ref('authenticationTrustResolver')
        throwableAnalyzer = ref('throwableAnalyzer')
    }

CustomBasicAuthenticationEntryPoint.groovy

public class CustomBasicAuthenticationEntryPoint extends
        BasicAuthenticationEntryPoint {   

    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response, AuthenticationException authException)
            throws IOException, ServletException {            
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

}

ApiController

@Secured('permitAll')
class ApiController {
def springSecurityService
@Secured("ROLE_USER")
    def restLogin() {        
        User currentUser = springSecurityService.currentUser
        println(currentUser.username)
     }
}