Tags: grails, spring-security, https, grails-plugin, redirect-loop

Grails channel security causing a redirect loop


I am new to Grails and I am working on an existing application. I am trying to force anyone using our website to always be on https. I added the Spring Security Core plugin

//BuildConfig.groovy
compile "org.grails.plugins:spring-security-core:2.0.0"

and I just added

// Config.groovy
grails.plugin.springsecurity.secureChannel.definition = [
    '/**': 'REQUIRES_SECURE_CHANNEL'
]

When I try to go on localhost:8080/myapp, it redirects me to https://localhost:8443/myapp, but I get a "This webpage has a redirect loop ERR_TOO_MANY_REDIRECTS" message.

I added print statements in my SecurityFilters.groovy, and I can see the infinite loop going

baseFilter(controller: "*", action: "*") {
    before = {
        println "baseFilter"
        // If auth controller then ok to continue
        if (controllerName == "auth") {
            return true
        }

        // If no subject (user) and not auth controller then user must authenticate.
        // Note: Spring Security Core's own login page is served by its LoginController
        // (/login/auth), i.e. controllerName is "login", not "auth", so it is not
        // exempted by the check above and also gets redirected here.
        if (!session.subject && controllerName != "auth") {
            params.targetUri = request.forwardURI - request.contextPath
            if (params.action == "profile") {
                params.targetUri = params.targetUri + "?page=" + params?.page
            }
            else if (params.action == "results") {
                params.targetUri = "/home"
            }
            println "baseFilter: Redirecting: PARAMS = $params"
            redirect(controller: 'auth', action: 'login', params: params)
            return false
        }
    }
}

It's just:

baseFilter
baseFilter: Redirecting: PARAMS = [action:auth, format:null,  controller:login, targetUri:/login/auth]

Over and over.

I've tried many other things I found on Stackoverflow and other websites, but they either do not work, or are too complicated.

Thank you.


Solution

  • Ok, so this isn't the answer to the question, but I managed to achieve what I was trying to do, which was to force SSL, and redirect any attempts to use http. I did this by using the Shiro plugin, which was already being used by my application. In BuildConfig.groovy, just add compile ":shiro:1.2.1" to your plugins. In Config.groovy I added the following properties:

    security { 
        shiro { 
            filter { 
                loginUrl = "/login" 
                successUrl = "/" 
                unauthorizedUrl = "/unauthorized" 
                filterChainDefinitions = """
                                         /** = ssl[443]
                                         """ 
            } 
        } 
    }
    

    You can modify your filterChainDefinitions to only force ssl on certain urls. I just used /** because I always want SSL.
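As an added example (not part of the original answer or of the Shiro plugin's documentation), here is the same configuration narrowed to a few URL prefixes, with the SSL port matched to the development HTTPS port shown in the question (8443) rather than 443. Two caveats a practitioner will want: Shiro's SslFilter (a PortFilter) treats a request as secure only if it is HTTPS and arrives on the port given in the brackets, otherwise it redirects to that port, so ssl[443] on a server listening on 8443 sends the browser to a port nothing answers on; and Shiro resolves the chain top to bottom using the first pattern that matches, so the catch-all /** must come last. The /account, /checkout and /static paths are hypothetical.

```groovy
// Config.groovy (added example; the /account, /checkout and /static paths are
// hypothetical placeholders, not routes from the original application)
security {
    shiro {
        filter {
            loginUrl = "/login"
            successUrl = "/"
            unauthorizedUrl = "/unauthorized"
            // First matching pattern wins, so order from most specific to least.
            // ssl[8443] matches the dev HTTPS port from the question; in production
            // behind a standard listener use ssl[443] (or plain "ssl", which defaults
            // to 443). "authc" additionally requires an authenticated subject.
            filterChainDefinitions = """
                /login/**    = ssl[8443], authc
                /account/**  = ssl[8443], authc
                /checkout/** = ssl[8443], authc
                /static/**   = anon
                /**          = anon
            """
        }
    }
}
```

With this chain, plain-http requests to /login, /account or /checkout are redirected to https on 8443 before any controller runs, everything else is served as requested, and the redirect loop from the question cannot occur here because the SslFilter stops redirecting once the request is already HTTPS on the configured port.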