(Quick Reference)

5 Token Validation Filter

The token validation filter looks for the token in a HTTP header and then tries to validate the token using the configured token storage implementation.

If the validation is successful, the principal object is stored in the security context. This allows you to use in your application @Secured, springSecurityService.principal and so on.

springSecurityService.currentUser expects a grails.plugin.springsecurity.userdetails.GrailsUser to perform a DB query. However, this plugins stores in the security context just a principal Object, because it does not assume you are using domain classes to store the users. Use springSecurityService.principal instead.

Validation Endpoint

There is also an endpoint available that you can call in case you want to know if a given token is valid. It looks for the token in a HTTP header as well, and if the token is still valid, it renders its JSON representation. If the token does not exist, it will render a grails.plugin.springsecurity.rest.login.failureStatusCode response (403 by default).

The relevant configuration properties are:

Config key	Default value
grails.plugin.springsecurity.rest.token.validation.headerName	X-Auth-Token
grails.plugin.springsecurity.rest.token.validation.endpointUrl	/validate