Grails 3.0: When app has context path, url mappings only working for '/context/' with trailing slash when spring security implemented.

[kschmit90]

Simply, I have a standard Spring Security authentication configuration, which works fine when I am not using a context path for the server.

environments:
    development:
        server: 
            contextPath: '/context'

When I add a context path, my assumption is that a URL like 'localhost:8080/context' should map to whatever is mapped to "/" in UrlMappings. In this instance it is the index action of a controller.

class UrlMappings {

  static mappings = {
    "/$controller/$action?/$id?(.$format)?"{
      constraints {
        // apply constraints here
      }
    }

    "/"(controller:'myController', action:'index')
    "500"(view:'/error')
    "404"(view:'/notFound')
  }
}

This is true when not using Spring Security to place a log in form in front of whatever URL is being requested.

The security configuration looks like this. It is very basic, block some resources, permit viewing assets, then make sure everything else is authenticated and place a log in form in front of not authenticated requests.

class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
        .antMatchers("/assets/**").permitAll()
        .antMatchers("/category/**").hasRole("ADMIN")
        .antMatchers("/subCategory/**").hasRole("ADMIN")
        .antMatchers("/audience/**").hasRole("ADMIN")
        .antMatchers("/location/**").hasRole("ADMIN")
        .anyRequest()
        .authenticated()
        .and()
      .formLogin()
        .loginPage('/authentication/login')
        .permitAll()
        .and()
      .logout()
        .logoutUrl("/authentication/logoutRedirect")
        .invalidateHttpSession(true)
        .permitAll()
  }

The issue occurs when there is a context path. If a URL like 'localhost:8080/context' is used, and authentication is successful, the application does NOT proceed to "/"(controller:'knowledgeAsset', action:'index') as expected.

However, when a URL like 'localhost:8080/context/' with the explicitly added trailing slash is used, and authentication is successful, the application DOES proceed to "/"(controller:'knowledgeAsset', action:'index') as expected.

[graemerocher]

Could you upload an example that reproduces the problem?

[kschmit90]

Example application reproducing the issue.

After pulling down and building/running the app, if you navigate to localhost:8080/context and attempt to log in with username: user and password: pwd the login screen will blink and not go to index.

If you navigate to localhost:8080/context/ and do the same you will get the index page.

https://github.com/kschmit90/grails3contextPathSecurityTest

[graemerocher]

@rwinch Any idea why login doesn't work with Spring Security and Grails when there is no trailing slash / in the URI? It doesn't seem to even hit the Grails layer, so seems a Spring Security config issue...

[rwinch]

The Issue

Summary

The issue can be summarized by the fact that the HttpServletRequest.getRequestURI() is returning /context instead of /context/. This cause the session information to be lost due to a "quirk" in Tomcat and the configuration of GrailsDispatcherServlet.

Details

The details are as follows:

• When a user requests /context Spring Security's ExceptionTranslationFilter uses the RequestCache to save the current request. The request that is returned from Tomcat is one that has a requestURI of /context. This can be observed by adding a breakpoint inside the constructor of DefaultSavedRequest
• After a user authenticates successfully, Spring Security's SimpleUrlAuthenticationSuccessHandler is used to determine the originally requested URL. This is done by consulting the DefaultSavedRequest which uses the requestURI to construct a redirect of http://localhost:8080/context
• A redirect is sent to http://localhost:8080/context for the request URL of http://localhost:8080/context/login which includes a JSESSIONID cookie that has a path of /context/. The authenticated user is associated to that session.
• The browser requests http://localhost:8080/context which will not include the JSESSIONID cookie since the path of the cookie is /context/ (NOTE the trailing slash) and the request path is /context (NOTE no trailing slash).
• Spring Security will not see the session because the JSESSIONID cookie was not included. This means the user is not authenticated and thus not authorized to view /context.
• Spring Security again saves the request of /context to the (new) session. The session is new because no JSESSIONID cookie was submitted with the request.
• Spring Security sends a redirect to the login page with a new JSESSIONID cookie since a new session was created to persist the saved request.

Jetty

This issue will not exist in Jetty because Jetty does not have the Filter intercept the URL /context. Also Jetty maps the JSESSIONID cookie to /context instead of /context/

Simplified Example

You can find a simplified example of the problem at https://github.com/rwinch/tomcat-context-trailing-slash

Fixing the Issue

Remapping GrailsDispatcherServlet

Tomcat will allow intercepting the URL /context when a servlet is mapped to /*. To fix it, the GrailsDispatcherServlet can be mapped to / (default servlet) instead. By mapping to the default servlet, Tomcat itself will perform a redirect from /context to /context/ so the application code will not be executed and avoid this bug.

sessionCookiePathUsesTrailingSlash

Alternatively (but not recommended), you can configure Tomcat to set sessionCookiePathUsesTrailingSlash to false. See the Tomcat Docs for how to do this and why it is not a good idea.

TBD

I'm currently in talks with the Tomcat team to see if the the difference in behavior for mapping the servlet to / vs /* is expected and if there are changes that should be made to Tomcat.

[graemerocher]

@rwinch Wow. Thanks for the fantastic thorough answer and response :)