I am using the grails-spring-security-rest plugin to secure my rest api.
I am unable to call the rest api successfully via AJAX using the plugin. I am receiving a 302 response which is causing a redirect loop.
$.ajax({
    url: "http://localhost:8084/app/api/controller",
    type: "GET",
    beforeSend: function (xhr) {
        xhr.setRequestHeader('Authorization', 'Bearer <TOKEN>');
    }
});
I have tested non-authenticated, with the plugin removed and everything is working fine.
I am able to successfully call the rest api with curl:
curl -i -H "Accept: application/json" -H "Authorization:Bearer <TOKEN>" http://localhost:8084/app/api/controller
I have the following configuration in place:
BuildConfig.groovy
compile ':spring-security-core:2.0-RC3'
compile ":spring-security-rest:1.4.0.RC5", {
    excludes: 'spring-security-core'
}
Config.groovy
grails.plugin.springsecurity.rest.login.useJsonCredentials = true
grails.plugin.springsecurity.rest.token.storage.useGorm = true
grails.plugin.springsecurity.rest.token.storage.gorm.tokenDomainClassName = 'com.app.security.AuthenticationToken'
grails.plugin.springsecurity.filterChain.chainMap = [
    '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter', // Stateless chain
    '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter' // Traditional chain
]
I have ensured that the proper authentication token is being sent in the headers, here is a snippet from the request:
Request URL:http://localhost:8084/app/api/controller/
Accept:application/json, text/plain, */*
Authorization:Bearer <TOKEN>
Looking for whether I am doing something wrong in my submission, or if possibly this is a bug in the plugin?
Thank you.
You have to remove the remember me filter.
Use like this:
'/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
This... 'bug' will only happen if you've used the app with regular Spring Security before, because then you'll have a cookie that will hijack the whole filter process and try to log you in (and redirect you), making a redirection war between the custom rest plugin filter and the original Spring Security.
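
A check for the point made in the answer above, as an added example that is not part of the original posts or of the plugin's code: it parses a chainMap value and lists the session- or cookie-driven filters still active on the stateless /api/** chain. The function names and the one-line filter descriptions are this example's own; the filter names and chain strings are the ones on this page.

```javascript
// Filters named on this page that carry state (session, cookie, login
// redirect) and so should be subtracted from a token-only chain.
// The descriptions are this example's summary of default behaviour.
const STATEFUL_FILTERS = {
  exceptionTranslationFilter: 'answers auth failures with a redirect to the login page',
  authenticationProcessingFilter: 'handles form login',
  securityContextPersistenceFilter: 'restores authentication from the HTTP session',
  rememberMeAuthenticationFilter: 'logs the user in from a remember-me cookie',
};

// Parse one chainMap value: 'JOINED_FILTERS,-a,-b' or an explicit 'a,b,c'.
function parseChain(expr) {
  const parts = expr.split(',').map(s => s.trim()).filter(Boolean);
  return {
    joined: parts.includes('JOINED_FILTERS'),
    removed: new Set(parts.filter(p => p.startsWith('-')).map(p => p.slice(1))),
    listed: new Set(parts.filter(p => !p.startsWith('-') && p !== 'JOINED_FILTERS')),
  };
}

// Return the stateful filters that are still active for a URL pattern.
function statefulFiltersIn(chainMap, pattern) {
  const expr = chainMap[pattern];
  if (expr === undefined) throw new Error(`no chain defined for ${pattern}`);
  const { joined, removed, listed } = parseChain(expr);
  // JOINED_FILTERS means "everything except what is subtracted";
  // an explicit list means "only what is named".
  return Object.keys(STATEFUL_FILTERS).filter(name =>
    joined ? !removed.has(name) : listed.has(name));
}

// Chain maps copied from the question and from the answer on this page.
const fromQuestion = {
  '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter',
  '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter',
};
const fromAnswer = {
  ...fromQuestion,
  '/api/**': fromQuestion['/api/**'] + ',-rememberMeAuthenticationFilter',
};

for (const [label, map] of [['question', fromQuestion], ['answer', fromAnswer]]) {
  const left = statefulFiltersIn(map, '/api/**');
  console.log(`${label}:`, left.length
    ? left.map(n => `${n} (${STATEFUL_FILTERS[n]})`).join('; ')
    : 'no stateful filters left on /api/**');
}
```

For the question's configuration it reports rememberMeAuthenticationFilter as still active on /api/**, which is why a browser that already holds the remember-me cookie gets the 302 while the cookie-less curl request does not.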