Question

I'm using the Spring Security plugin in Grails. I have a controller which uses annotations for some of the secure actions but not for non-secure content. And sure enough, the sec:isLoggedIn and other sec:loggedInUserInfo tags work for the secured actions, but for the non-secure views they always show the user as not logged in, even when the user is logged in. Here's what my controller looks like:

class ContentController {
    def anonymousContent() {
        getContent(params, 'pages')
    }

    @Secured(['ROLE_USER', 'ROLE_ADMIN'])
    def secureContent() {
        getContent(params, 'secure')
    }

    private getContent(params, path) {
        def viewPath = "${path}/${params.view}"
        render(view: viewPath, model: params)
    }
}

I should mention that I am using some custom authentication as part of an SSO solution which basically has me overriding a couple of classes like AuthenticationProvider, AbstractAuthenticationToken, LoginUrlAuthenticationEntryPoint, AbstractAuthenticationProcessingFilter, but I wouldn't think it should be causing this issue.

Any ideas would be appreciated. Thanks.


Solution

For anyone else running into this problem, I managed to find the issue was related to mod_proxy. I was using it to hide my context path, which was in turn causing the servlet to have trouble reading the session cookie for my app. For unauthenticated pages this would mean it created a whole new session each time. For authenticated pages, it would create a new session as well, but thanks to our SSO authentication mechanism it would actually re-authenticate with each request. Probably good we caught it, as that's an expensive operation. The answer was really to set the cookie path (setCookiePath) to root ('/') in our Tomcat configuration. Hope that helps someone else :)
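To make the mechanism behind the answer concrete, here is an added example (not code from the question, the answer, or the Grails plugin) that replays the browser's RFC 6265 cookie path-match rule against a servlet container whose session cookie carries a context path the reverse proxy has hidden. The context path `/myapp`, the request paths, the cookie values, and the `sessionCookiePath` Tomcat Context attribute named in the comments are assumptions for the demonstration; the `ProxyPassReverseCookiePath` behaviour modelled in `rewrite_cookie_path` is a plain re-implementation of what that Apache directive does, not Apache's code.

```python
"""Why hiding the servlet context path behind mod_proxy breaks the session
cookie, and what the two fixes (cookie path '/' in Tomcat, or path rewriting
at the proxy) change. All paths, cookie values and request sequences below are
constructed for the demonstration."""


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match, as a browser applies it before
    deciding whether to attach a stored cookie to an outgoing request."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def rewrite_cookie_path(header: str, backend_prefix: str, public_prefix: str) -> str:
    """Model of Apache's ProxyPassReverseCookiePath: rewrite the Path attribute
    of a backend Set-Cookie so it matches the public URL space the browser sees."""
    out = []
    for part in (p.strip() for p in header.split(";")):
        key, sep, val = part.partition("=")
        if key.lower() == "path" and val.startswith(backend_prefix):
            val = public_prefix.rstrip("/") + val[len(backend_prefix):] or "/"
            part = key + sep + val
        out.append(part)
    return "; ".join(out)


def simulate_sessions(set_cookie_path: str, request_paths) -> int:
    """Replay a browser against a container that issues JSESSIONID with the
    given Path. Returns how many sessions the container had to create:
    1 means the session was reused, len(request_paths) means every request
    started a fresh session (the symptom described in the answer)."""
    sessions_created = 0
    jar = {}  # cookie name -> (value, path), the browser's cookie store
    for request_path in request_paths:
        sent = [n for n, (_, p) in jar.items() if path_matches(p, request_path)]
        if "JSESSIONID" not in sent:
            sessions_created += 1
            sid = f"SESSION{sessions_created}"  # constructed session id
            header = f"JSESSIONID={sid}; Path={set_cookie_path}; HttpOnly"
            name, value, attrs = parse_set_cookie(header)
            jar[name] = (value, attrs.get("path", "/"))
    return sessions_created


# Browser-visible requests: mod_proxy maps https://example.test/ to
# http://localhost:8080/myapp/, so the paths the browser sees never start
# with the /myapp context path (constructed).
PUBLIC_REQUESTS = [
    "/content/anonymousContent",
    "/content/anonymousContent",
    "/content/secureContent",
]


def broken_setup() -> int:
    # Container default: cookie Path equals the context path, which the proxy
    # has hidden, so the browser never sends the cookie back.
    return simulate_sessions("/myapp", PUBLIC_REQUESTS)


def fixed_setup() -> int:
    # The answer's fix: cookie path forced to "/" in the Tomcat configuration
    # (assumed to be the Context attribute sessionCookiePath="/").
    return simulate_sessions("/", PUBLIC_REQUESTS)


def proxy_fix() -> str:
    # Alternative fix at the proxy: rewrite the Path so Tomcat's own setting
    # can stay untouched (ProxyPassReverseCookiePath /myapp /).
    return rewrite_cookie_path("JSESSIONID=SESSION1; Path=/myapp; HttpOnly", "/myapp", "/")


if __name__ == "__main__":
    print("sessions created with Path=/myapp:", broken_setup())
    print("sessions created with Path=/:", fixed_setup())
    print("proxy-rewritten header:", proxy_fix())
```

Two things worth checking before copying the `/` fix: a cookie with `Path=/` is sent to every application on that host, so if the same Tomcat hosts several webapps their `JSESSIONID` cookies will overwrite each other unless each gets a distinct cookie name; and the new-session-per-request behaviour is visible in the container's session count or `Set-Cookie` headers on every response, which is a cheap way to confirm the diagnosis (or an SSO round-trip per request) before changing configuration.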

Licensed under: CC-BY-SA with attribution