Step by step tutorial on configuring Grails 3 and Spring Security REST with MongoDB.

You can follow my old post on configuring Spring Security Core with Grails 3 and MongoDB:

Grails 3 with MongoDB and Spring Security Core Step By Step

Only a minimal configuration is required for Spring Security REST once you are done with the post listed above, so let's start.

Step 1: Install the Grails Spring Security REST plugin by editing the build.gradle file and pasting the line given below inside the dependencies block:

compile "org.grails.plugins:spring-security-rest-gorm:2.0.0.M2"

The above will download the Spring Security REST dependencies.

Step 2: Now create a domain class using the command given below:

grails create-domain-class com.example.AuthenticationToken

Run the above command from the project root directory; this creates a domain class named ‘AuthenticationToken’ under the package com.example. Edit the class as shown below:

package com.example

class AuthenticationToken {

    static mapWith = "mongo" // persist this class with the MongoDB GORM implementation

    String secretToken // the token value clients send to access the API endpoints
    String loginName   // login name of the user the token belongs to

    static mapping = {
        version false // tokens do not need an optimistic-locking version field
    }
}

Step 3: Next edit the application.groovy file and paste the below code:

grails.plugin.springsecurity.filterChain.chainMap = [
		//Stateless chain
		[
				pattern: '/api/**',
				filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
		],

		//Traditional chain
		[
				pattern: '/**',
				filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'
		]
]

The above configuration makes sure that the REST and core Spring Security filters do not collide with each other: the stateless chain for /api/** drops the session-based filters, and the traditional chain for everything else drops the REST token filters.

//rest configuration
grails.plugin.springsecurity.rest.token.storage.useGorm = true // tokens are stored through GORM (MongoDB here)
grails.plugin.springsecurity.rest.token.generation.useSecureRandom = true // generate token values with SecureRandom
grails.plugin.springsecurity.rest.login.active = true
grails.plugin.springsecurity.rest.login.useJsonCredentials = true // credentials are read from a JSON request body
grails.plugin.springsecurity.rest.login.usernamePropertyName = 'username' // name of the username field in the JSON
grails.plugin.springsecurity.rest.login.passwordPropertyName = 'password' // name of the password field in the JSON
grails.plugin.springsecurity.rest.login.useRequestParamsCredential = true

grails.plugin.springsecurity.rest.token.storage.gorm.tokenDomainClassName = 'com.example.AuthenticationToken' // token domain class, with package
grails.plugin.springsecurity.rest.token.storage.gorm.tokenValuePropertyName = 'secretToken' // domain property holding the token value
grails.plugin.springsecurity.rest.token.storage.gorm.usernamePropertyName = 'loginName' // domain property holding the user name

grails.plugin.springsecurity.rest.logout.endpointUrl = '/api/logout'
grails.plugin.springsecurity.rest.login.endpointUrl = '/api/login'
grails.plugin.springsecurity.rest.login.failureStatusCode = 401
//token validation
grails.plugin.springsecurity.rest.token.validation.useBearerToken = true // expect "Authorization: Bearer <token>"
grails.plugin.springsecurity.rest.token.validation.active = true
grails.plugin.springsecurity.rest.token.validation.endpointUrl = '/api/validate'
//end of rest configuration

The above settings configure Spring Security REST; for the details of each option, follow the Spring Security REST plugin documentation.

grails.plugin.springsecurity.interceptUrlMap = [
		[pattern: '/',               access: ['permitAll']],
		[pattern: '/api/home/**',    access: ['ROLE_USER']],
		[pattern: '/error',          access: ['permitAll']],
		[pattern: '/index',          access: ['permitAll']],
		[pattern: '/index.gsp',      access: ['permitAll']],
		[pattern: '/shutdown',       access: ['permitAll']],
		[pattern: '/assets/**',      access: ['permitAll']],
		[pattern: '/**/js/**',       access: ['permitAll']],
		[pattern: '/**/css/**',      access: ['permitAll']],
		[pattern: '/**/images/**',   access: ['permitAll']],
		[pattern: '/**/favicon.ico', access: ['permitAll']],
		[pattern:  '/login/**',      access:['IS_AUTHENTICATED_ANONYMOUSLY']],
		[pattern: '/**',             access: ['IS_AUTHENTICATED_FULLY']],
		[pattern: '/api/**',         access: ['IS_AUTHENTICATED_FULLY']]
]

The above configuration restricts access to the endpoints. The rules are evaluated in order and the first matching pattern wins, so keep specific patterns such as '/api/home/**' above the catch-all '/**'.

Step 4: Next, access the endpoint using a tool named Postman, which is an extension for the Chrome browser.

Make sure you download it and follow the guide below.

From the above picture, notice that it’s a POST request to the ‘/api/login’ endpoint with valid credentials in JSON format. Once the request is made properly you will receive a response as shown below:

Note that the response returns a token_type and an access_token along with other details. To access any endpoint, send the access token as part of the request header as shown below.

Note that it’s a GET request to the ‘/api/home’ endpoint, passing the token in the Authorization header, prefixed with the string ‘Bearer’ followed by a space.
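The same login, validate and protected-endpoint flow driven from the command line with curl instead of Postman, as an added example that is not part of the original post. It assumes the application listens on http://localhost:8080 and that a user with ROLE_USER exists; the JSON response used to exercise the parsing is constructed to match the token_type and access_token fields described above.

```shell
#!/bin/sh
# Added example, not from the original post. BASE_URL, API_USER and API_PASS are
# assumptions; override them in the environment for a real run.
BASE_URL="${BASE_URL:-http://localhost:8080}"

# Pull the access_token value out of the JSON login response without needing jq.
extract_access_token() {
    printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Build the header the plugin expects with useBearerToken = true:
# the literal word Bearer, one space, then the token.
bearer_header() {
    printf 'Authorization: Bearer %s' "$1"
}

# POST JSON credentials to the login endpoint (useJsonCredentials = true) and
# print only the token. Returns 1 when no token comes back, e.g. on a 401.
api_login() {
    _resp=$(curl -s -X POST "$BASE_URL/api/login" \
        -H 'Content-Type: application/json' \
        -d "{\"username\":\"$1\",\"password\":\"$2\"}")
    _tok=$(extract_access_token "$_resp")
    [ -n "$_tok" ] || { echo "login failed: $_resp" >&2; return 1; }
    printf '%s' "$_tok"
}

# GET an endpoint with the bearer token and print only the HTTP status code.
api_get_status() {
    curl -s -o /dev/null -w '%{http_code}' -H "$(bearer_header "$2")" "$BASE_URL$1"
}

# GET an endpoint with no token at all, to confirm the stateless chain rejects it.
api_get_status_anon() {
    curl -s -o /dev/null -w '%{http_code}' "$BASE_URL$1"
}

# Live calls run only when asked for, so the functions can be sourced safely.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    TOKEN=$(api_login "${API_USER:-user}" "${API_PASS:-password}") || exit 1
    echo "validate: $(api_get_status /api/validate "$TOKEN")"
    echo "home:     $(api_get_status /api/home "$TOKEN")"
    echo "no token: $(api_get_status_anon /api/home)"
fi
```

Run it with `RUN_LIVE=1 API_USER=... API_PASS=... sh script.sh`; a valid token should yield 200 for both /api/validate and /api/home, while the request without a token is rejected.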