Lately I wrote about the Grails security plugin not providing sufficient security if you configure it using annotations. The first thing you might have done after reading that is to secure your whole application in SecurityConfig.groovy, like this:
    // this provides basic security for the whole application
    /**=ROLE_XXX
    // TODO: add more specific rules for specific patterns and pages
If you go to any page in your application, the Grails security plugin will be triggered and send you to the login page… which is also secured, so the plugin is triggered again and sends you to the login page… and so on, in an endless redirect loop.
Of course, you have to exclude the login page from the security rules. How can you do this? By adding a rule specific for the login page, allowing anonymous access to it:
    // this excludes the login page
    /login/**=IS_AUTHENTICATED_ANONYMOUSLY
    // TODO: add more specific rules for specific patterns and pages
    // this provides basic security for the whole application
    /**=ROLE_XXX
Note that the security rules must be ordered from more specific to less specific. As soon as the security plugin finds a pattern that matches the requested URL, it stops and does not look at the remaining patterns. That’s why the basic rule for securing the whole application must be put last: if it came first, it would match every URL, including /login/**, and the more specific login rule would never be reached.
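To make the "first match wins" behaviour concrete, here is a small simulation I added for this post; it is not code from the Grails security plugin. It parses a request map in the same `pattern=roles` line format shown above, resolves a URL against the rules in order, and flags rules that can never fire because an earlier, more general pattern shadows them. The Ant-style pattern handling (`**`, `*`, `?`), the `//` comment syntax, the `None` result for an unmatched URL and the shadow heuristic are all assumptions of this simulation, not a description of the plugin's internals.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, List[str]]  # (Ant-style URL pattern, required roles)


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into a regex (assumed semantics:
    '**' spans path segments, '*' and '?' stay inside one segment)."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")      # trailing /** also matches the bare prefix
            i += 3
        elif pattern.startswith("**/", i):
            out.append("(?:.*/)?")      # zero or more leading segments
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def parse_request_map(text: str) -> List[Rule]:
    """Parse 'pattern=ROLE_A,ROLE_B' lines; blank lines and '//' comments are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        pattern, _, roles = line.partition("=")
        rules.append((pattern.strip(), [r.strip() for r in roles.split(",") if r.strip()]))
    return rules


def resolve(rules: List[Rule], url: str) -> Optional[List[str]]:
    """Return the roles of the FIRST rule whose pattern matches the URL, or None."""
    for pattern, roles in rules:
        if ant_to_regex(pattern).fullmatch(url):
            return roles
    return None


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Heuristic ordering check: a rule is reported as shadowed when a sample URL
    built from its own pattern is already matched by an earlier rule.
    Returns (shadowed_index, shadowing_index) pairs."""
    shadowed = []
    for later, (pattern, _) in enumerate(rules):
        sample = pattern.replace("**", "x").replace("*", "x").replace("?", "x")
        for earlier in range(later):
            if ant_to_regex(rules[earlier][0]).fullmatch(sample):
                shadowed.append((later, earlier))
                break
    return shadowed


# Constructed request maps: the broken ordering and the corrected one.
MISORDERED = """
    // catch-all first: everything below it is unreachable
    /**=ROLE_XXX
    /login/**=IS_AUTHENTICATED_ANONYMOUSLY
"""

ORDERED = """
    // specific rules first
    /login/**=IS_AUTHENTICATED_ANONYMOUSLY
    // catch-all last
    /**=ROLE_XXX
"""

if __name__ == "__main__":
    for name, text in (("misordered", MISORDERED), ("ordered", ORDERED)):
        rules = parse_request_map(text)
        print(name, "/login/auth ->", resolve(rules, "/login/auth"),
              "| shadowed rules:", find_shadowed(rules))
```

With the misordered map, `/login/auth` resolves to `ROLE_XXX`, which is exactly the redirect loop described above, and `find_shadowed` reports rule 1 (`/login/**`) as unreachable because rule 0 (`/**`) already matches it. With the ordered map the login URL resolves to `IS_AUTHENTICATED_ANONYMOUSLY`, every other URL still falls through to `ROLE_XXX`, and nothing is shadowed. Running a check like `find_shadowed` over the request map whenever it changes is a cheap way to catch this class of misconfiguration before deployment.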