4 Authentication Endpoint - Reference Documentation

Authors: Alvaro Sanchez-Mariscal

Version: 1.4.0

4 Authentication Endpoint

The authentication filter uses the default authenticationManager bean, which in turn uses all the registered authentication providers. See the Spring Security Core guide for more information about how to define your own providers. Note that you can easily plug any Spring Security sub-plugin (like the LDAP one) to use a different authentication strategy.

If the authentication is successful, a token generator is used to generate a token, and a token storage implementation is used to store the token. Finally, the JSON response sent back to the client is rendered by a restAuthenticationTokenJsonRenderer bean. See the token rendering documentation for more details.

This authentication filter will only be applied to the URL configured above and can also be disabled, in case a different approach for token creation is followed. In all other cases, the request will continue through the filter chain, reaching the Spring Security Core filters. Bear in mind that, by default, Spring Security Core 2.x locks down all URLs unless an explicit security rule has been specified for each of them.

See Spring Security Core documentation for more information.

The following are the Config.groovy properties available:

Config key                                                  Default value
grails.plugin.springsecurity.rest.login.active              true
grails.plugin.springsecurity.rest.login.endpointUrl         /api/login
grails.plugin.springsecurity.rest.login.failureStatusCode   401

Extracting credentials from the request

The plugin supports two ways of extracting the username and password: using request parameters, and using a JSON payload. To align with RESTful principles, the JSON payload is the default behaviour.

From a JSON request

Config key                                                    Default value
grails.plugin.springsecurity.rest.login.useJsonCredentials    true
grails.plugin.springsecurity.rest.login.usernamePropertyName  username
grails.plugin.springsecurity.rest.login.passwordPropertyName  password

The default implementation expects a request like this:

{
    "username": "john.doe",
    "password": "dontTellAnybody"
}

If you use the usernamePropertyName and passwordPropertyName properties mentioned above, your JSON request can look like:

{
    "login": "john.doe",
    "pwd": "dontTellAnybody"
}

With the following config:

grails.plugin.springsecurity.rest.login.usernamePropertyName = 'login'
grails.plugin.springsecurity.rest.login.passwordPropertyName = 'pwd'

If your JSON request format is different, you can plug your own implementation by defining a class which extends AbstractJsonPayloadCredentialsExtractor. The default implementation looks like this:

import groovy.util.logging.Slf4j
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken

import javax.servlet.http.HttpServletRequest

@Slf4j
class DefaultJsonPayloadCredentialsExtractor extends AbstractJsonPayloadCredentialsExtractor {

    // Populated from the usernamePropertyName / passwordPropertyName config keys above
    String usernamePropertyName
    String passwordPropertyName

    UsernamePasswordAuthenticationToken extractCredentials(HttpServletRequest httpServletRequest) {
        def jsonBody = getJsonBody(httpServletRequest)

        // The property names are resolved dynamically from the configured keys
        String username = jsonBody."${usernamePropertyName}"
        String password = jsonBody."${passwordPropertyName}"

        // Only the username is logged; the password's presence is reported, never its value
        log.debug "Extracted credentials from JSON payload. Username: ${username}, password: ${password?.size()?'[PROTECTED]':'[MISSING]'}"

        new UsernamePasswordAuthenticationToken(username, password)
    }

}

Once you are done, register it in resources.groovy with the name credentialsExtractor.
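As an added example (not code from the plugin), the following extractor handles a payload where the credentials are nested, such as {"credentials": {"user": "john.doe", "pass": "dontTellAnybody"}}, and shows the matching resources.groovy registration. The class name NestedJsonCredentialsExtractor, the com.example.security package and the nested property names are assumptions; the import assumes the plugin's grails.plugin.springsecurity.rest.credentials package.

```groovy
package com.example.security  // assumed package for the application's own class

import grails.plugin.springsecurity.rest.credentials.AbstractJsonPayloadCredentialsExtractor
import groovy.util.logging.Slf4j
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken

import javax.servlet.http.HttpServletRequest

/**
 * Extracts credentials from a nested JSON payload (assumed format):
 *   { "credentials": { "user": "john.doe", "pass": "dontTellAnybody" } }
 * Relies on getJsonBody() from the plugin's abstract base class, exactly as the
 * default extractor does.
 */
@Slf4j
class NestedJsonCredentialsExtractor extends AbstractJsonPayloadCredentialsExtractor {

    UsernamePasswordAuthenticationToken extractCredentials(HttpServletRequest httpServletRequest) {
        def jsonBody = getJsonBody(httpServletRequest)

        // Safe navigation: a missing "credentials" object yields nulls instead of an exception
        def credentials = jsonBody?.credentials

        // Accept only string values; numbers, arrays or objects in these fields become null
        String username = credentials?.user instanceof CharSequence ? credentials.user.toString() : null
        String password = credentials?.pass instanceof CharSequence ? credentials.pass.toString() : null

        // Log the username only; the password value is never written to the log
        log.debug "Extracted credentials from nested JSON payload. Username: ${username}, " +
                  "password: ${password ? '[PROTECTED]' : '[MISSING]'}"

        // Missing values are passed on as null, the same as the default extractor does,
        // so the filter handles them as a failed login
        new UsernamePasswordAuthenticationToken(username, password)
    }
}

// Register it in grails-app/conf/spring/resources.groovy under the bean name the plugin expects:
//   beans = {
//       credentialsExtractor(com.example.security.NestedJsonCredentialsExtractor)
//   }
```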

From request parameters

Note that the name of the parameters can also be customised:

Config key                                                         Default value
grails.plugin.springsecurity.rest.login.useRequestParamsCredentials  false
grails.plugin.springsecurity.rest.login.usernamePropertyName         username
grails.plugin.springsecurity.rest.login.passwordPropertyName         password

4.1 Logout Endpoint

The logout filter exposes an endpoint for deleting tokens. It reads the token from an HTTP header. If the token is found, it is deleted from the storage and a 200 response is sent. Otherwise, a 404 response is sent.

You can configure it in Config.groovy using these properties:

Config key                                                      Default value
grails.plugin.springsecurity.rest.logout.endpointUrl            /api/logout
grails.plugin.springsecurity.rest.token.validation.headerName   X-Auth-Token