1 Introduction to the Spring Security REST plugin - Reference Documentation

Authors: Alvaro Sanchez-Mariscal

Version: 1.5.0.RC3

1 Introduction to the Spring Security REST plugin

The Spring Security REST Grails plugin allows you to use Spring Security for a stateless, token-based, RESTful authentication.

This plugin depends on Spring Security Core 2.x. Make sure your application is compatible with that version first. There is a feature request that may be addressed in the future if there is enough community interest / love :)

This plugin is only for Grails 2.x

The default behaviour of Spring Security is to store the authenticated principal in the HTTP session. However, in a RESTful scenario, we need to make sure our server is stateless.

The typical flow could be the following:

  1. The client application requests an endpoint that requires authentication, so the server responds with a 401 response.
  2. The client redirects the user to the login form.
  3. The user enters credentials, and the client sends a request to the authentication endpoint. The server validates the credentials and, if they are valid, generates, stores and sends back a token to the client.
  4. The client then stores the token internally. It will be sent on every API method request.
  5. The client sends again a request to the protected resource, passing the token as an HTTP header.
  6. The server validates the token, and if valid, executes the actual operation requested.

As per the REST definition, the client is transferring its state on every request so the server is truly stateless.
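The six-step flow above, simulated end to end as an added example (this is not the plugin's own code). The server side keeps no session: it only holds a token store, which stands in for the Memcached/GORM/Redis storage the plugin offers. The endpoint paths `/api/login` and `/api/secure`, the `access_token` field in the login response, the `Bearer` header scheme and the one-hour lifetime are assumptions for the demo, as are the constructed user `alice` and her password. The example also covers the two failure cases a practitioner cares about: wrong credentials and an expired token, both of which must fall back to a 401.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime for the demo


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so the user store never holds a cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, hash). Demo data only.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# token -> (username, expiry). Stands in for the plugin's pluggable token storage.
token_store: dict[str, tuple[str, float]] = {}


def handle(method, path, headers, body=None, now=None):
    """Stateless server: every request carries all the state it needs."""
    now = time.time() if now is None else now
    body = body or {}

    if method == "POST" and path == "/api/login":
        # Step 3: validate credentials, mint and store a token.
        record = USERS.get(body.get("username", ""))
        if record is None:
            # Hash anyway so unknown users cost the same time as bad passwords.
            _hash_password(body.get("password", ""), b"dummy-salt")
            return 401, {"error": "bad credentials"}
        salt, expected = record
        presented = _hash_password(body.get("password", ""), salt)
        if not hmac.compare_digest(presented, expected):
            return 401, {"error": "bad credentials"}
        token = secrets.token_urlsafe(32)  # opaque, high-entropy token
        token_store[token] = (body["username"], now + TOKEN_TTL_SECONDS)
        return 200, {"username": body["username"], "access_token": token}

    if path == "/api/secure":
        # Step 1 / step 6: no session lookup, only the presented token counts.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "missing token"}
        token = auth[len("Bearer "):]
        entry = token_store.get(token)
        if entry is None:
            return 401, {"error": "invalid token"}
        username, expiry = entry
        if now >= expiry:
            token_store.pop(token, None)  # evict stale tokens on contact
            return 401, {"error": "token expired"}
        return 200, {"message": f"hello {username}"}

    return 404, {"error": "not found"}


def run_flow(username="alice", password="correct horse"):
    """Client side of the flow; returns the status code seen at each step."""
    statuses = []
    status, _ = handle("GET", "/api/secure", {})  # step 1: unauthenticated -> 401
    statuses.append(status)
    status, payload = handle("POST", "/api/login", {},
                             {"username": username, "password": password})  # step 3
    statuses.append(status)
    if status != 200:
        return statuses  # steps 4-6 never happen without a token
    token = payload["access_token"]  # step 4: client keeps the token
    status, _ = handle("GET", "/api/secure",
                       {"Authorization": f"Bearer {token}"})  # steps 5-6
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(run_flow())                   # [401, 200, 200]
    print(run_flow(password="wrong"))   # [401, 401]
```

The token itself is random rather than a signed JWT, so the server must consult the store on every request; that is the trade-off the plugin's Memcached/GORM/Redis strategies make, while its JWT strategy lets the server verify the token without a lookup. Password comparison uses `hmac.compare_digest` and the unknown-user branch still runs a hash, so neither a wrong username nor a wrong password short-circuits early.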

This plugin helps you to wire your existing Spring Security authentication mechanism, provides you with ready-to-use token generation strategies and comes prepackaged with JWT, Memcached, GORM, Redis and Grails Cache support for token storage.

Release History

You can view all releases at https://github.com/alvarosanchez/grails-spring-security-rest/releases.