Issue 566: isFullyAuthenticated() leads to redirect-loop in Grails 3.3.x
The issue appears to be related to the order in which the RememberMe filter was being loaded.

This was resulting in a redirect loop caused by the `AccessDeniedException` being repeatedly thrown and then handled by the `ExceptionTranslationFilter`.

The `AccessDeniedException` was being thrown because it was always checking the original requested URL, in this case `/role/index`.

The request to `/role/index` is expected to throw an `AccessDeniedException` because that URL is marked as requiring full authentication. Auto-logging in with a RememberMe token is not considered to be fully authenticated.

The problem was that it kept rechecking that original requested URL and never properly redirected to `/login/auth`.

Reordering the filters allows the filter chain to proceed as expected.
ddelponte authored and sdelamo committed May 30, 2019
1 parent a44be30 commit d8757fa
Showing 1 changed file with 2 additions and 2 deletions.
Expand Up @@ -53,14 +53,14 @@ enum SecurityFilterPosition {
REQUEST_CACHE_FILTER,
/** SecurityContextHolderAwareRequestFilter */
SERVLET_API_SUPPORT_FILTER,
/** Remember-me cookie */
REMEMBER_ME_FILTER,
/** Anonymous auth */
ANONYMOUS_FILTER,
/** SessionManagementFilter */
SESSION_MANAGEMENT_FILTER,
/** Spring HttpPutFormContentFilter allows www-url-form-encoded content-types to provide params in PUT requests */
HTTP_PUT_FORM_CONTENT_FILTER,
/** Remember-me cookie */
REMEMBER_ME_FILTER,
/** ExceptionTranslationFilter */
EXCEPTION_TRANSLATION_FILTER,
/** FilterSecurityInterceptor */
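Review bot: Moving `REMEMBER_ME_FILTER` from before `ANONYMOUS_FILTER` to after `HTTP_PUT_FORM_CONTENT_FILTER` places remember-me processing behind the anonymous filter, which is the reverse of Spring Security's documented ordering (remember-me before anonymous) and will most likely stop remember-me from ever authenticating: `RememberMeAuthenticationFilter` only attempts the cookie login when the `SecurityContext` holds no authentication, and by this position the anonymous filter has already populated it with an anonymous token. The net effect is that the request to `/role/index` is now simply an anonymous request sent to the login page, which removes the symptom described in the commit message without addressing why a remember-me principal denied by `fullyAuthenticated()` was re-served the cached URL instead of being sent to `/login/auth`. The move also puts remember-me after `SESSION_MANAGEMENT_FILTER`, so the session authentication strategy no longer sees remember-me logins. Suggest restoring the original block
```
/** Remember-me cookie */
REMEMBER_ME_FILTER,
/** Anonymous auth */
ANONYMOUS_FILTER,
```
and fixing the redirect loop in the access-denied / request-cache handling for the remember-me case, with a test that exercises a remember-me cookie against a `fullyAuthenticated()` URL so the regression is caught.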

1 comment on commit d8757fa

@dustindclark
Contributor


This change breaks remember me functionality. Details added to issue: #593.
