
7 Token Rendering - Reference Documentation

Authors: Alvaro Sanchez-Mariscal

Version: 1.4.0

7 Token Rendering

By default, this plugin renders the token as an RFC 6750 Bearer Token response. The Cache-Control: no-store and Pragma: no-cache headers are part of that format: RFC 6749 (section 5.1) requires them on any response that carries a token, so that neither the client nor an intermediary caches it:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
    "access_token":"3bicek1gc63oai6tfjkhog4kqn8ojd6a",
    "token_type":"Bearer",
    "username": "john.doe",
    "roles": [
        "ROLE_ADMIN",
        "ROLE_USER"
    ]
}

As per RFC 6750 (and RFC 6749, section 5.1, which it builds on), the access_token and token_type property names are fixed and cannot be customised while bearer token support is enabled.

The JSON structure can be customised with the following configuration keys:

Config key                                                                  Default value
grails.plugin.springsecurity.rest.token.rendering.usernamePropertyName      username
grails.plugin.springsecurity.rest.token.rendering.authoritiesPropertyName   roles

For example, with the following configuration:

grails.plugin.springsecurity.rest.token.rendering.usernamePropertyName = 'login'
grails.plugin.springsecurity.rest.token.rendering.authoritiesPropertyName = 'permissions'

The output will look like:

{
    "access_token":"3bicek1gc63oai6tfjkhog4kqn8ojd6a",
    "token_type":"Bearer",
    "login": "john.doe",
    "permissions": [
        "ROLE_ADMIN",
        "ROLE_USER"
    ]
}

Disabling bearer tokens support for full response customisation

To fully customise the response, you first need to disable bearer token support by setting grails.plugin.springsecurity.rest.token.validation.useBearerToken = false. This removes the RFC 6750 constraint on the property names and enables the following additional property:

Config key                                                                  Default value
grails.plugin.springsecurity.rest.token.rendering.tokenPropertyName         access_token

Disabling bearer token support also changes how tokens are extracted from incoming HTTP requests: the plugin no longer reads the Authorization: Bearer header but a custom header instead (X-Auth-Token by default, configurable through grails.plugin.springsecurity.rest.token.validation.headerName), so clients must be changed accordingly. Please read the chapter about token validation carefully before flipping this setting.

If you want your own implementation, create a class implementing RestAuthenticationTokenJsonRenderer and register it in grails-app/conf/spring/resources.groovy under the bean name restAuthenticationTokenJsonRenderer, which overrides the plugin's default renderer.

The principal object stored in the security context, and passed to the JSON renderer, comes from the configured authentication providers. In most cases it is a UserDetails object retrieved by the userDetailsService bean, which carries only the username, the password hash and the granted authorities. To render additional information in your JSON response, you have to:
  1. Configure an alternative userDetailsService bean that retrieves the additional information you want and stores it in the principal object it returns.
  2. Configure an alternative restAuthenticationTokenJsonRenderer that reads that information from the restAuthenticationToken.principal object and writes only the fields you intend to expose.
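The two steps above carried through end to end, as an added example that is not code from the plugin or from this document. It assumes the 1.x package layout (com.odobo.grails.plugin.springsecurity.rest), a renderer interface with a single method String generateJson(RestAuthenticationToken), and a tokenValue property on RestAuthenticationToken; none of these are stated on this page, so check them against your plugin version. User and UserRole are hypothetical domain classes with the usual spring-security-core properties plus an extra email column.

```groovy
// Added example, not plugin code. Assumed: 1.x plugin package names, the
// generateJson(RestAuthenticationToken) method and the tokenValue property.
// User / UserRole are hypothetical domain classes with an extra 'email' field.
package myapp.security

import com.odobo.grails.plugin.springsecurity.rest.RestAuthenticationToken
import com.odobo.grails.plugin.springsecurity.rest.token.rendering.RestAuthenticationTokenJsonRenderer
import grails.plugin.springsecurity.userdetails.GrailsUser
import grails.plugin.springsecurity.userdetails.GrailsUserDetailsService
import groovy.json.JsonOutput
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException

// Step 1: a principal that carries the extra information alongside the standard UserDetails.
class EmailAwareUser extends GrailsUser {
    final String email

    EmailAwareUser(String username, String password, boolean enabled,
                   boolean accountNonExpired, boolean credentialsNonExpired,
                   boolean accountNonLocked, Collection<GrantedAuthority> authorities,
                   Object id, String email) {
        super(username, password, enabled, accountNonExpired, credentialsNonExpired,
              accountNonLocked, authorities, id)
        this.email = email
    }
}

// Step 1 (continued): the userDetailsService replacement that builds that principal.
class EmailAwareUserDetailsService implements GrailsUserDetailsService {

    UserDetails loadUserByUsername(String username, boolean loadRoles) {
        User.withTransaction {
            User user = User.findByUsername(username)
            if (!user) {
                throw new UsernameNotFoundException("User not found: $username")
            }
            Collection<GrantedAuthority> authorities = loadRoles ?
                UserRole.findAllByUser(user).collect { new SimpleGrantedAuthority(it.role.authority) } :
                []
            new EmailAwareUser(user.username, user.password, user.enabled,
                               !user.accountExpired, !user.passwordExpired, !user.accountLocked,
                               authorities, user.id, user.email)
        }
    }

    UserDetails loadUserByUsername(String username) {
        loadUserByUsername(username, true)
    }
}

// Step 2: a renderer that reads the extra field from restAuthenticationToken.principal.
// Two deliberate choices: the JSON is produced by JsonOutput rather than string
// concatenation, so a username containing quotes or braces cannot break the document,
// and only named fields are copied, so the password hash held by the UserDetails object
// (or anything else on the principal) never reaches the client.
class EmailAwareTokenJsonRenderer implements RestAuthenticationTokenJsonRenderer {

    // Set from resources.groovy; defaults mirror the plugin's own property names.
    String usernamePropertyName = 'username'
    String authoritiesPropertyName = 'roles'

    String generateJson(RestAuthenticationToken restAuthenticationToken) {
        def principal = restAuthenticationToken.principal
        if (!(principal instanceof EmailAwareUser)) {
            // Fail closed: a different principal type means the userDetailsService
            // above is not the one actually in use.
            throw new IllegalStateException("Expected EmailAwareUser, got ${principal?.getClass()?.name}")
        }
        // access_token and token_type keep their RFC 6750 names; bearer support stays enabled.
        Map<String, Object> body = [
            access_token             : restAuthenticationToken.tokenValue,
            token_type               : 'Bearer',
            (usernamePropertyName)   : principal.username,
            (authoritiesPropertyName): principal.authorities.collect { it.authority },
            email                    : principal.email
        ]
        JsonOutput.toJson(body)
    }
}

// Wiring, in grails-app/conf/spring/resources.groovy (shown as a comment because it is a
// separate file). Both bean names must match the ones the plugins look up.
//
// beans = {
//     userDetailsService(myapp.security.EmailAwareUserDetailsService)
//     restAuthenticationTokenJsonRenderer(myapp.security.EmailAwareTokenJsonRenderer) {
//         usernamePropertyName = 'login'
//         authoritiesPropertyName = 'permissions'
//     }
// }
```

With this wiring a successful login returns the default fields under the configured names plus an email field, and nothing else from the principal. If you later switch useBearerToken to false, the renderer is free to drop token_type and rename access_token, but the client must then send the token in the custom validation header rather than in Authorization: Bearer.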