
2 Authentication Endpoint - Reference Documentation

Authors: Alvaro Sanchez-Mariscal

Version: 1.2.5

2 Authentication Endpoint

The authentication filter uses the default authenticationManager bean, which in turn uses all the registered authentication providers. See the Spring Security Core guide for more information about how to define your own providers. Note that you can easily plug any Spring Security sub-plugin (like the LDAP one) to use a different authentication strategy.

If the authentication is successful, a token generator is used to generate a token, and a token storage implementation is used to store the token.

Finally, the JSON response sent back to the client is rendered by a restAuthenticationTokenJsonRenderer bean. The plugin offers you a default implementation that renders a response like this:

{
    "username": "john.doe",
    "token": "1a2b3c4d",
    "roles": [
        "ADMIN",
        "USER"
    ]
}

If you want your own, simply create a class implementing RestAuthenticationTokenJsonRenderer and wire it up in resources.groovy with name restAuthenticationTokenJsonRenderer.

The principal object stored in the security context, and passed to the JSON renderer, comes from the configured authentication providers. In most cases, this will be a UserDetails object retrieved using the userDetailsService bean. If you want to render additional information in your JSON response, you have to:
  1. Configure an alternative userDetailsService bean that retrieves the additional information you want, and put it in a principal object.
  2. Configure an alternative restAuthenticationTokenJsonRenderer that reads that information from the restAuthenticationToken.principal object.

The following are the Config.groovy properties available:

Config key                                                  Default value
grails.plugin.springsecurity.rest.login.endpointUrl         /login
grails.plugin.springsecurity.rest.login.failureStatusCode   403

Extracting credentials from the request

The plugin supports two ways of extracting the username and password: from request parameters, or from a JSON payload. For backwards compatibility, request parameters are the default option.

From request parameters

Config key                                                           Default value
grails.plugin.springsecurity.rest.login.useRequestParamsCredentials  true
grails.plugin.springsecurity.rest.login.usernameParameter            username
grails.plugin.springsecurity.rest.login.passwordParameter            password

From a JSON request

To enable it:

Config key                                                  Default value
grails.plugin.springsecurity.rest.login.useJsonCredentials  true

The default implementation expects a request like this:

{
    "username": "john.doe",
    "password": "dontTellAnybody"
}

If your JSON request format is different, you can plug your own implementation by defining a class which extends AbstractJsonPayloadCredentialsExtractor. The default implementation looks like this:

@Log4j
class DefaultJsonPayloadCredentialsExtractor extends AbstractJsonPayloadCredentialsExtractor {

    UsernamePasswordAuthenticationToken extractCredentials(HttpServletRequest httpServletRequest) {
        // Parse the request body as JSON (helper inherited from the abstract superclass)
        def jsonBody = getJsonBody(httpServletRequest)

        // Only the presence of a password is logged, never its value
        log.debug "Extracted credentials from request params. Username: ${jsonBody.username}, password: ${jsonBody.password?.size()?'[PROTECTED]':'[MISSING]'}"

        // Hand the unauthenticated token to the authentication manager
        new UsernamePasswordAuthenticationToken(jsonBody.username, jsonBody.password)
    }

}

Once you are done, register it in resources.groovy with the name credentialsExtractor.
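As an added example (not code from the plugin), the following extractor accepts a nested payload of the form {"credentials": {"user": "...", "secret": "..."}} and copes with a body that lacks those fields. The class name, the JSON field names and the package of the abstract superclass are assumptions; useJsonCredentials must be set to true for the extractor to be used.

```groovy
// Added example, not part of the plugin: extractor for a nested JSON payload such as
//   {"credentials": {"user": "john.doe", "secret": "dontTellAnybody"}}
// The superclass package is assumed for plugin 1.x; class and field names are this
// example's own choices.
package com.example.auth

import com.odobo.grails.plugin.springsecurity.rest.credentials.AbstractJsonPayloadCredentialsExtractor
import groovy.util.logging.Log4j
import javax.servlet.http.HttpServletRequest
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken

@Log4j
class NestedJsonCredentialsExtractor extends AbstractJsonPayloadCredentialsExtractor {

    UsernamePasswordAuthenticationToken extractCredentials(HttpServletRequest request) {
        def body = getJsonBody(request)

        // Safe navigation: a body without a "credentials" object yields nulls, not an NPE
        String user = body?.credentials?.user
        String secret = body?.credentials?.secret

        // Log whether a secret was supplied; the secret itself never reaches the log
        log.debug "Extracted JSON credentials. Username: ${user}, password: ${secret ? '[PROTECTED]' : '[MISSING]'}"

        // Missing fields become empty credentials; the authentication manager rejects
        // them and the filter answers with login.failureStatusCode (403 by default)
        new UsernamePasswordAuthenticationToken(user ?: '', secret ?: '')
    }
}

// Wiring in grails-app/conf/resources.groovy, replacing the default bean by name:
//   beans = {
//       credentialsExtractor(com.example.auth.NestedJsonCredentialsExtractor)
//   }
```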

2.1 Logout Endpoint

The logout filter exposes an endpoint for deleting tokens. It reads the token from an HTTP header. If the token is found, the filter deletes it from the storage and sends a 200 response; otherwise, it sends a 404 response.

You can configure it in Config.groovy using these properties:

Config key                                                      Default value
grails.plugin.springsecurity.rest.logout.endpointUrl            /logout
grails.plugin.springsecurity.rest.token.validation.headerName   X-Auth-Token