I came across Alvaro's Greach 2014 presentation. I downloaded the example from GitHub and started it.
When I try to authenticate with
curl -i -H "Content-Type: application/json" -X POST -d '{"username":"jimi","password":"jimispassword"}' http://localhost:8080/restful-grails-springsecurity-greach2014/api/login
I am getting this on the curl side.
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Mon, 18 May 2015 14:57:07 GMT
Connection: close
On the server side I see this:
Server running. Browse to http://localhost:8080/restful-grails-springsecurity-greach2014
2015-05-18 16:57:07,840 [http-bio-8080-exec-4] DEBUG util.AntPathRequestMatcher - Request '/api/login' matched by universal pattern '/**'
2015-05-18 16:57:07,841 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-05-18 16:57:07,842 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists
2015-05-18 16:57:07,842 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2015-05-18 16:57:07,844 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 2 of 11 in additional filter chain; firing Filter: 'MutableLogoutFilter'
2015-05-18 16:57:07,844 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 3 of 11 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
2015-05-18 16:57:07,846 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 4 of 11 in additional filter chain; firing Filter: 'RestAuthenticationFilter'
2015-05-18 16:57:07,878 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Actual URI is /api/login; endpoint URL is /api/login
2015-05-18 16:57:07,878 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Applying authentication filter to this request
2015-05-18 16:57:07,919 [http-bio-8080-exec-4] DEBUG credentials.DefaultJsonPayloadCredentialsExtractor - No JSON body sent in the request
2015-05-18 16:57:07,919 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Username and/or password parameters are missing.
2015-05-18 16:57:07,920 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Setting status to 400
2015-05-18 16:57:07,921 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-05-18 16:57:07,922 [http-bio-8080-exec-4] DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
No JSON body sent in the request. How do I have to send this using cURL?
Or why doesn't it pick up my
-X POST -d '{"username":"jimi","password":"jimispassword"}'
Change your cURL request as:
curl -i -H "Content-Type: application/json" -X POST --data '{"username":"jimi","password":"jimispassword"}' http://localhost:8080/restful-grails-springsecurity-greach2014/api/login
Notice that I have replaced '-d' with '--data'.
I think my problem is cURL-syntax related rather than Grails related. I tested with the Firefox RESTClient and it is working fine.
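The Spring Security debug logs on this page (the Grails one above, and the Spring Boot and plain Log4j ones in the later questions) share one message format for the filter chain, and the quickest way to read them is to find the filter at which the request stopped. The Python script below is an added example, not code from the Greach demo or from Spring Security: it runs over a few lines excerpted from the logs posted here, lists the filters fired in order, and attributes the rejection to the filter that was active when it was logged. The outcome patterns are the exact messages seen in these logs; other messages would need their own regexes.

```python
import re

# The message tail is identical across the three log layouts on this page
# (Log4j under Grails, Spring Boot's "--- [thread]" layout, plain Log4j);
# only the prefix differs, so every pattern matches the tail only.
FIRING_RE = re.compile(
    r"(?P<path>\S+) at position (?P<pos>\d+) of (?P<total>\d+) in additional "
    r"filter chain; firing Filter: '(?P<name>[^']*)'"
)
# Outcome markers, taken verbatim from the messages in these logs.  Every
# pattern has a `detail` group so the caller can treat them uniformly.
OUTCOME_RES = {
    "status": re.compile(r"Setting status to (?P<detail>\d+)"),
    "denied": re.compile(r"Access is denied(?: \((?P<detail>[^)]*)\))?"),
    "anonymous": re.compile(r"(?P<detail>Populated SecurityContextHolder with anonymous token)"),
    "no_session": re.compile(r"(?P<detail>No HttpSession currently exists)"),
    "reason": re.compile(r"(?P<detail>No JSON body sent in the request"
                         r"|Username and/or password parameters are missing)"),
}


def trace_chain(lines):
    """Summarise one request's trip through the Spring Security filter chain.

    Returns the request path, the chain length, the filters fired in order as
    (position, name) pairs, and outcome events as (filter, kind, detail)
    triples.  Each event is attributed to the filter fired most recently
    before the line was logged, i.e. the one that was active at that moment.
    """
    trace = {"path": None, "total": 0, "filters": [], "events": []}
    current = None
    for line in lines:
        m = FIRING_RE.search(line)
        if m:
            trace["path"] = m.group("path")
            trace["total"] = int(m.group("total"))
            current = m.group("name") or "<unnamed filter>"
            trace["filters"].append((int(m.group("pos")), current))
            continue
        for kind, rx in OUTCOME_RES.items():
            em = rx.search(line)
            if em:
                trace["events"].append((current, kind, (em.group("detail") or "").strip()))
                break
    return trace


def diagnose(trace):
    """One-line reading of a trace: where the request was stopped, and why."""
    path = trace["path"] or "<unknown path>"
    last_pos = trace["filters"][-1][0] if trace["filters"] else 0
    where = f"reached filter {last_pos} of {trace['total']}"
    first = {}  # first event of each kind, keyed by kind
    for flt, kind, detail in trace["events"]:
        first.setdefault(kind, (flt, detail))
    reasons = [d for _, k, d in trace["events"] if k == "reason"]
    if "status" in first:
        # A filter wrote a status itself: the chain was cut short there.
        flt, code = first["status"]
        why = "; ".join(reasons) or "no reason logged"
        return f"{path}: {flt} short-circuited the chain with HTTP {code} ({where}); {why}"
    if "denied" in first:
        # The whole chain ran and the interceptor refused the principal.
        flt, why = first["denied"]
        if "anonymous" in first:
            why = "principal was anonymous, so no authentication filter accepted the supplied credentials"
        return f"{path}: access denied at {flt} ({where}); {why or 'no reason logged'}"
    return f"{path}: no rejection logged ({where})"


# Sample input: lines excerpted (one of them trimmed) from the logs posted on
# this page, one request each.
GRAILS_LOG = [
    "2015-05-18 16:57:07,841 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'",
    "2015-05-18 16:57:07,842 [http-bio-8080-exec-4] DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists",
    "2015-05-18 16:57:07,844 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 2 of 11 in additional filter chain; firing Filter: 'MutableLogoutFilter'",
    "2015-05-18 16:57:07,844 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 3 of 11 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'",
    "2015-05-18 16:57:07,846 [http-bio-8080-exec-4] DEBUG web.FilterChainProxy - /api/login at position 4 of 11 in additional filter chain; firing Filter: 'RestAuthenticationFilter'",
    "2015-05-18 16:57:07,919 [http-bio-8080-exec-4] DEBUG credentials.DefaultJsonPayloadCredentialsExtractor - No JSON body sent in the request",
    "2015-05-18 16:57:07,919 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Username and/or password parameters are missing.",
    "2015-05-18 16:57:07,920 [http-bio-8080-exec-4] DEBUG rest.RestAuthenticationFilter - Setting status to 400",
]
SPRING_BOOT_LOG = [
    "2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'",
    "2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 7 of 13 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'",
    "2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'",
    "2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: '...Granted Authorities: ROLE_ANONYMOUS'",
    "2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'",
    "2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point",
]

if __name__ == "__main__":
    for log in (GRAILS_LOG, SPRING_BOOT_LOG):
        print(diagnose(trace_chain(log)))
```

For the Grails request above it reports RestAuthenticationFilter stopping the chain at position 4 of 11 with HTTP 400 because no JSON body was found, which points at the shape of the request rather than at the credentials. For the Zuul log later on the page it reports the chain running all the way to FilterSecurityInterceptor with an anonymous principal, which means no filter in that chain consumed the Bearer header at all; the two failure shapes need different fixes.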
I have the Nexus IQ Plugin v2.19.0-01 installed on my Jenkins and I am calling nexusPolicyEvaluation in the DSL pipeline as follows:
nexusPolicyEvaluation failBuildOnNetworkError: true, iqApplication: 'TestApp', iqStage: 'build', jobCredentialsId: ''
This worked fine until today, when I suddenly received the following error:
org.apache.http.client.HttpResponseException: Resource not found, please check your request URL.
at com.sonatype.nexus.api.m.a(SourceFile:60)
at com.sonatype.nexus.api.m.a(SourceFile:65)
at com.sonatype.nexus.api.n.a(SourceFile:67)
at com.sonatype.nexus.api.cy.verifyOrCreateApplication(SourceFile:75)
Caused: com.sonatype.nexus.api.exception.IqClientException: Could not verify application public id from IQ Server
at com.sonatype.nexus.api.cy.verifyOrCreateApplication(SourceFile:78)
at com.sonatype.nexus.api.iq.IqClient$verifyOrCreateApplication.call(Unknown Source)
at org.sonatype.nexus.ci.iq.IqPolicyEvaluatorUtil.evaluatePolicy(IqPolicyEvaluatorUtil.groovy:52)
at org.sonatype.nexus.ci.iq.IqPolicyEvaluatorUtil$evaluatePolicy.call(Unknown Source)
at org.sonatype.nexus.ci.iq.PolicyEvaluatorExecution.run(PolicyEvaluatorExecution.groovy:48)
at org.sonatype.nexus.ci.iq.PolicyEvaluatorExecution.run(PolicyEvaluatorExecution.groovy)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1$1.call(SynchronousNonBlockingStepExecution.java:49)
at hudson.security.ACL.impersonate(ACL.java:260)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution$1.run(SynchronousNonBlockingStepExecution.java:46)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE
There were no changes made to the call in the pipeline nor to the general settings in Jenkins - the url and credentials are correct and "Test Connection" is successful.
In addition I checked the IQ server, which is running, and I actually get a valid response when issuing a web request:
Invoke-WebRequest 'http://clm.mycompany.intra:8070/api/v2/applications?publicId=TestApp' -Headers $headers
Any clue how I can verify the url? I also do not find any useful information when googling for the errors. So I am a bit lost what could cause the problem.
Update 1:
The application log clm-server.log on the IQ server tells me the following
2018-05-14 13:01:24,413+0200 DEBUG [qtp903987069-37 - GET /rest/policy/stages?context=ci] org.apache.shiro.session.mgt.DefaultSessionManager - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@67c99f0c]. Returning null to indicate a session could not be found.
2018-05-14 13:01:24,413+0200 DEBUG [qtp903987069-37 - GET /rest/policy/stages?context=ci] org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'reverseProxy' is not enabled for the current request. Proceeding without invoking this filter.
2018-05-14 13:01:24,413+0200 DEBUG [qtp903987069-37 - GET /rest/policy/stages?context=ci] org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [admin] from doGetAuthenticationInfo
2018-05-14 13:01:24,413+0200 DEBUG [qtp903987069-37 - GET /rest/policy/stages?context=ci] org.apache.shiro.realm.AuthenticatingRealm - AuthenticationInfo caching is disabled for info [admin]. Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (10.120.16.12)].
2018-05-14 13:01:24,678+0200 DEBUG [qtp903987069-37 - GET /rest/policy/stages?context=ci] org.apache.shiro.authc.AbstractAuthenticator - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (10.120.16.12)]. Returned account [admin]
2018-05-14 13:01:24,678+0200 DEBUG [qtp903987069-37 - GET /rest/policy/stages?context=ci] org.apache.shiro.subject.support.DefaultSubjectContext - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
2018-05-14 13:01:24,678+0200 DEBUG [qtp903987069-37 - GET /rest/policy/stages?context=ci] org.apache.shiro.subject.support.DefaultSubjectContext - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
2018-05-14 13:01:24,678+0200 DEBUG [qtp903987069-37 - GET /rest/policy/stages?context=ci] admin com.sonatype.insight.brain.policy.LicensedStagesResource - Received request to get licensed stages for context ci
2018-05-14 13:01:24,725+0200 DEBUG [qtp903987069-33 - GET /rest/policy/stages?context=ci] org.apache.shiro.session.mgt.DefaultSessionManager - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@40c8a5a8]. Returning null to indicate a session could not be found.
2018-05-14 13:01:24,725+0200 DEBUG [qtp903987069-33 - GET /rest/policy/stages?context=ci] org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'reverseProxy' is not enabled for the current request. Proceeding without invoking this filter.
2018-05-14 13:01:24,725+0200 DEBUG [qtp903987069-33 - GET /rest/policy/stages?context=ci] org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [admin] from doGetAuthenticationInfo
2018-05-14 13:01:24,725+0200 DEBUG [qtp903987069-33 - GET /rest/policy/stages?context=ci] org.apache.shiro.realm.AuthenticatingRealm - AuthenticationInfo caching is disabled for info [admin]. Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (10.120.16.12)].
2018-05-14 13:01:24,975+0200 DEBUG [qtp903987069-33 - GET /rest/policy/stages?context=ci] org.apache.shiro.authc.AbstractAuthenticator - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (10.120.16.12)]. Returned account [admin]
2018-05-14 13:01:24,975+0200 DEBUG [qtp903987069-33 - GET /rest/policy/stages?context=ci] org.apache.shiro.subject.support.DefaultSubjectContext - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
2018-05-14 13:01:24,975+0200 DEBUG [qtp903987069-33 - GET /rest/policy/stages?context=ci] org.apache.shiro.subject.support.DefaultSubjectContext - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
2018-05-14 13:01:24,975+0200 DEBUG [qtp903987069-33 - GET /rest/policy/stages?context=ci] admin com.sonatype.insight.brain.policy.LicensedStagesResource - Received request to get licensed stages for context ci
2018-05-14 13:15:03,906+0200 DEBUG [qtp903987069-141 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.session.mgt.DefaultSessionManager - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@3b2a0d51]. Returning null to indicate a session could not be found.
2018-05-14 13:15:03,906+0200 DEBUG [qtp903987069-141 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'reverseProxy' is not enabled for the current request. Proceeding without invoking this filter.
2018-05-14 13:15:03,906+0200 DEBUG [qtp903987069-141 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [admin] from doGetAuthenticationInfo
2018-05-14 13:15:03,906+0200 DEBUG [qtp903987069-141 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.realm.AuthenticatingRealm - AuthenticationInfo caching is disabled for info [admin]. Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (10.120.16.12)].
2018-05-14 13:15:04,187+0200 DEBUG [qtp903987069-141 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.authc.AbstractAuthenticator - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (10.120.16.12)]. Returned account [admin]
2018-05-14 13:15:04,187+0200 DEBUG [qtp903987069-141 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.subject.support.DefaultSubjectContext - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
2018-05-14 13:15:04,187+0200 DEBUG [qtp903987069-141 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.subject.support.DefaultSubjectContext - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
2018-05-14 13:15:04,187+0200 DEBUG [qtp903987069-141 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] admin com.sonatype.insight.jaxrs.error.ErrorResponseGenerator - null for uri: http://clm.mycompany.intra:8070/rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION
2018-05-14 13:15:05,016+0200 DEBUG [qtp903987069-37 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.session.mgt.DefaultSessionManager - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@64719843]. Returning null to indicate a session could not be found.
2018-05-14 13:15:05,016+0200 DEBUG [qtp903987069-37 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.web.servlet.OncePerRequestFilter - Filter 'reverseProxy' is not enabled for the current request. Proceeding without invoking this filter.
2018-05-14 13:15:05,016+0200 DEBUG [qtp903987069-37 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [admin] from doGetAuthenticationInfo
2018-05-14 13:15:05,016+0200 DEBUG [qtp903987069-37 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.realm.AuthenticatingRealm - AuthenticationInfo caching is disabled for info [admin]. Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (10.120.16.12)].
2018-05-14 13:15:05,329+0200 DEBUG [qtp903987069-37 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.authc.AbstractAuthenticator - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false (10.120.16.12)]. Returned account [admin]
2018-05-14 13:15:05,329+0200 DEBUG [qtp903987069-37 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.subject.support.DefaultSubjectContext - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
2018-05-14 13:15:05,329+0200 DEBUG [qtp903987069-37 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] org.apache.shiro.subject.support.DefaultSubjectContext - No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
2018-05-14 13:15:05,329+0200 DEBUG [qtp903987069-37 - POST /rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION] admin com.sonatype.insight.jaxrs.error.ErrorResponseGenerator - null for uri: http://clm.mycompany.intra:8070/rest/integration/applications/verifyOrCreate/TestApp?goal=EVALUATE_APPLICATION
We still use an older version of Nexus IQ Server, and it appears that the latest version of the Platform Plugin (3.0.20180425-130011.728733c) adds a feature which requires IQ Server 1.47+. Therefore downgrading to the previous plugin release (3.0.20180214-134325.e135900) solves the problem.
Thanks to Sonatype for the quick help with that.
I have a zuul proxy (http://localhost:8765) serving an angular web app (http://localhost:8080/app). Behind the zuul proxy there is also an oauth2 server (http://localhost:8899).
The web resources are proxied under http://localhost:8765/web and the resources are proxied under http://localhost:8765/api.
The Zuul proxy serves the static web resources without authentication. So the first authentication is done through a JSON call (GET /api/user) which of course fails with 401.
Now I forward the page to "http://localhost:8899/uaa/oauth/authorize?response_type=token&client_id=web&redirect_uri=http://localhost:8765/web/index.html" to run an implicit grant OAuth 2 flow. I can now authorize the web application and get forwarded back to my web app. The token is part of the URL and I can parse it.
IMHO the only thing I now have to do is to add this token as an Authorization header (e.g. Authorization: Bearer 2829d5e2-4fbe-4f91-b74d-c99b2fe894a7). But the Zuul proxy won't accept this request as authorized.
I am using spring boot 1.3.2 and spring cloud Brixton.M4.
The Zuul Server Application can be found here and the security config here.
Here are my request headers:
Accept:application/json
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:Bearer 2829d5e2-4fbe-4f91-b74d-c99b2fe894a7
Connection:keep-alive
Cookie:XSRF-TOKEN=a6ddea36-e3b7-4f22-b80c-b4c8b6fd7760; JSESSIONID=DAE4649D11386D586A0CF739148E505A; XSRF-TOKEN=3a7a57ad-68f6-4cc6-923b-4e8fe340fe1e
Host:localhost:8765
Referer:http://localhost:8765/web/index.html
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.82 Chrome/48.0.2564.82 Safari/537.36
X-Auth-Token:2829d5e2-4fbe-4f91-b74d-c99b2fe894a7
X-Requested-With:XMLHttpRequest
X-XSRF-TOKEN:a6ddea36-e3b7-4f22-b80c-b4c8b6fd7760
My Zuul configuration is:
server:
  context-path: /
security:
  user:
    password: none
  oauth2:
    sso:
      loginPath: /login
    client:
      accessTokenUri: ${authserver.protocol}://${authserver.hostname}:${authserver.port}/${authserver.contextPath}/oauth/token
      userAuthorizationUri: ${authserver.protocol}://${authserver.hostname}:${authserver.port}/${authserver.contextPath}/oauth/authorize
      clientId: web
    resource:
      userInfoUri: ${authserver.protocol}://${authserver.hostname}:${authserver.port}/${authserver.contextPath}/user
      preferTokenInfo: false
zuul:
  routes:
    web-portal:
      path: /web/**
      url: http://localhost:8080/app
    user:
      path: /api/user/**
      url: ${authserver.protocol}://${authserver.hostname}:${authserver.port}/${authserver.contextPath}/user
    authentication-service:
      path: /uaa/**
      stripPrefix: false
---
spring:
  profiles: local
logging:
  level:
    org:
      springframework:
        security: DEBUG
authserver:
  protocol: http
  hostname: localhost
  port: 8899
  contextPath: uaa
The zuul server log is:
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Request '/api/user' matched by universal pattern '/**'
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2016-02-11 17:11:02.958 DEBUG 3242 --- [nio-8765-exec-4] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@5571734d. A new one will be created.
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@42c144ce
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using org.springframework.security.web.csrf.CsrfFilter$DefaultRequiresCsrfMatcher@4ad95822
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.util.matcher.AndRequestMatcher : Did not match
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 5 of 13 in additional filter chain; firing Filter: ''
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /api/user' doesn't match 'POST /logout
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 7 of 13 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/login'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: DAE4649D11386D586A0CF739148E505A; Granted Authorities: ROLE_ANONYMOUS'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.security.web.FilterChainProxy : /api/user at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/index.html'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/home.html'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/web/**'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/user'; against '/uaa/oauth/**'
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/user; Attributes: [authenticated]
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: DAE4649D11386D586A0CF739148E505A; Granted Authorities: ROLE_ANONYMOUS
2016-02-11 17:11:02.959 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@77816ac4, returned: -1
2016-02-11 17:11:02.960 DEBUG 3242 --- [nio-8765-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
How can I force the authentication on the zuul proxy against the access token?
--- Edit:
If I enable the authentication for the static web resource by removing the http security exception for it, I get forwarded to the authorization page. When the request gets forwarded back everything works. The zuul proxy forwards to the oauth server with its /login URL as return address. This seems to be the correct way. I suppose it saves some information in its session and after that forwards back to the initial requesting page (in my case /web/index.html).
When I now restart the authentication service (as if simulating an expired token) the resources from the web application are served, but the request to /api/user (proxied to the authentication server) is denied.
Same happens when I come from a manually constructed authorize URL like
http://localhost:8899/uaa/oauth/authorize?response_type=token&client_id=web&redirect_uri=http://localhost:8765/web/index.html. First I get to the authorization page of the oauth server. This is correct. On click on authorize the request gets forwarded to the web app (/web/index.html). All static content is served without problem, but access to /api/user is again denied. This time with an error logged in the oauth server: Invalid access token: dff5121b-06e4-4bd7-b48e-08ad82d71404
Zuul does not forward the header by default, so to disable that we need to add:
zuul:
  sensitive-headers: Cookie,Set-Cookie
You should move to Spring Boot 1.3.x.
Then you can annotate your Zuul proxy with the @EnableOAuth2Sso annotation.
In your application.yml for Zuul, specify the following (for Spring Boot 1.3.x):
security:
  user:
    password: none
  oauth2:
    client:
      accessTokenUri: ${oauthserver}:${oauthport}/oauth/token
      userAuthorizationUri: ${oauthserver}:${oauthport}/oauth/authorize
      clientId: acme
      clientSecret: acme secret
Thanks to @Dave I can answer my own question:
To have the Zuul proxy accept the OAuth Bearer token header, you have to configure it as a resource server instead of an SSO server.
Remove the @EnableOAuth2Sso annotation and use the @EnableResourceServer annotation instead. At first I still had my WebSecurityConfigurerAdapter in place, so this was fixed by changing
@Configuration
@EnableOAuth2Sso
public class OAuthConfiguration extends WebSecurityConfigurerAdapter {
to
@Configuration
@EnableResourceServer
public class OAuthConfiguration extends ResourceServerConfigurerAdapter {
Whether one should use implicit authentication at all is another topic (see the comment from Dave).
By default the Zuul proxy will remove certain headers because it deems them too sensitive and no other server should receive them. It has a list of cookies and headers it needs to remove. This needs to be overridden. The way to do this for a particular route is:
zuul:
  routes:
    profile-service-chaining:
      sensitiveHeaders:
      stripPrefix: false
      serviceId: profile-service-chaining
      path: /services/profiles
The line 'sensitiveHeaders:' empties the list of sensitive headers. This causes all headers to be passed to the server the request is sent to, so the Authorization header is sent to the target server. As the Zuul documentation says, make sure to always remove sensitive headers. To do this, add:
sensitiveHeaders: Cookie
The above will remove the Cookie header before it is passed to the next server as specified by the Zuul route.
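The two answers above describe the same mechanism from opposite sides: Zuul strips a default list of sensitive headers (Cookie, Set-Cookie and Authorization) before proxying, so a Bearer token set by the browser never reaches the backend unless the route's sensitiveHeaders list is changed, while an empty list also forwards the proxy's own session cookie upstream. The Python model of that decision below is an added example, not Spring Cloud Netflix code; it assumes case-insensitive header-name matching, accepts either the global `sensitive-headers` value or a per-route `sensitiveHeaders` value as the same comma-separated string, and uses the request headers posted in the question as its input.

```python
# Zuul's documented default list: a route that does not set `sensitiveHeaders`
# inherits it, so the Authorization header is silently dropped on the way in.
ZUUL_DEFAULT_SENSITIVE = ("Cookie", "Set-Cookie", "Authorization")


def parse_sensitive_headers(setting):
    """Turn a `sensitiveHeaders` value into a set of lower-cased header names.

    None  -> the key is absent, so Zuul's default list applies
    ""    -> the key is present but empty ("sensitiveHeaders:"): nothing is stripped
    "a,b" -> exactly the listed names are stripped
    """
    if setting is None:
        return {name.lower() for name in ZUUL_DEFAULT_SENSITIVE}
    return {name.strip().lower() for name in setting.split(",") if name.strip()}


def forward_headers(incoming, setting=None):
    """Headers Zuul passes upstream for one route.

    `incoming` is a list of (name, value) pairs as sent by the client.  Name
    matching is case-insensitive here (an assumption of this model).
    """
    blocked = parse_sensitive_headers(setting)
    return [(name, value) for name, value in incoming if name.lower() not in blocked]


def upstream_sees_bearer(incoming, setting=None):
    """True when the backend would receive the client's Authorization header."""
    return any(name.lower() == "authorization"
               for name, _ in forward_headers(incoming, setting))


# Request headers as posted in the question above (abridged).
BROWSER_REQUEST = [
    ("Accept", "application/json"),
    ("Authorization", "Bearer 2829d5e2-4fbe-4f91-b74d-c99b2fe894a7"),
    ("Cookie", "XSRF-TOKEN=a6ddea36-e3b7-4f22-b80c-b4c8b6fd7760; JSESSIONID=DAE4649D11386D586A0CF739148E505A"),
    ("X-Auth-Token", "2829d5e2-4fbe-4f91-b74d-c99b2fe894a7"),
    ("X-XSRF-TOKEN", "a6ddea36-e3b7-4f22-b80c-b4c8b6fd7760"),
]

if __name__ == "__main__":
    scenarios = (
        ("default (key absent)", None),
        ("sensitiveHeaders:", ""),
        ("sensitiveHeaders: Cookie", "Cookie"),
    )
    for label, setting in scenarios:
        names = [name for name, _ in forward_headers(BROWSER_REQUEST, setting)]
        print(f"{label:26} -> forwarded: {names}; bearer reaches backend: "
              f"{upstream_sees_bearer(BROWSER_REQUEST, setting)}")
```

Running it prints the forwarded header names under the three settings discussed above: the default drops Authorization, so the backend never sees the token the browser sent; `sensitiveHeaders:` forwards everything, including the proxy's JSESSIONID; and `sensitiveHeaders: Cookie` forwards the Bearer token while keeping the proxy's cookies private, which is the combination the last answer recommends.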
I just updated Appium from 1.1.0 to 1.2.0. With the previous version automation worked fine, but surprisingly after updating Appium I get the errors below in sendKeys.
Appium Logs:
info: <-- POST /wd/hub/session/892ef5c3-267a-f50d-e28b-9b26a9ccd785/element 200 70.640 ms - 122
info: --> POST /wd/hub/session/892ef5c3-267a-f50d-e28b-9b26a9ccd785/element/d764396c-6598-5920-d8c1-85ee7c2f44e5/value {"id":"d764396c-6598-5920-d8c1-85ee7c2f44e5","value":["abc"]}
debug: Appium request initiated at /wd/hub/session/892ef5c3-267a-f50d-e28b-9b26a9ccd785/element/d764396c-6598-5920-d8c1-85ee7c2f44e5/value
debug: Request received with params: {"id":"d764396c-6598-5920-d8c1-85ee7c2f44e5","value":["abc"]}
debug: Setting text on element 'd764396c-6598-5920-d8c1-85ee7c2f44e5': 'abc'
debug: Making http request with opts: {"url":"http://localhost:8080/wd/hub/session/892ef5c3-267a-f50d-e28b-9b26a9ccd785/element/d764396c-6598-5920-d8c1-85ee7c2f44e5/value","method":"POST","json":{"value":["abc"]}}
debug: Responding to client with error: {"status":13,"value":{"message":"An unknown server-side error occurred while processing the command. (Original error: connect ECONNREFUSED)","code":"ECONNREFUSED","errno":"ECONNREFUSED","syscall":"connect","origValue":"connect ECONNREFUSED"},"sessionId":"892ef5c3-267a-f50d-e28b-9b26a9ccd785"}
info: <-- POST /wd/hub/session/892ef5c3-267a-f50d-e28b-9b26a9ccd785/element/d764396c-6598-5920-d8c1-85ee7c2f44e5/value 500 7.627 ms - 293
info: --> DELETE /wd/hub/session/892ef5c3-267a-f50d-e28b-9b26a9ccd785 {}
Driver info: test.utils.SwipeableWebDriver
Capabilities [{automationName=selendroid, platformVersion=16, platform=ANDROID, acceptSslCerts=true, javascriptEnabled=true, platformName=android, handlesAlerts=true, browserName=selendroid, networkConnectionEnabled=true, rotatable=true, takesScreenshot=true, version=0.10.0}]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at org.openqa.selenium.remote.ErrorHandler.createThrowable(ErrorHandler.java:204)
at org.openqa.selenium.remote.ErrorHandler.throwIfResponseFailed(ErrorHandler.java:156)
at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:599)
at io.appium.java_client.AppiumDriver.execute(AppiumDriver.java:84)
at org.openqa.selenium.remote.RemoteWebElement.execute(RemoteWebElement.java:268)
at org.openqa.selenium.remote.RemoteWebElement.sendKeys(RemoteWebElement.java:89)
at test.screens.SignUpPage.fillPassword(SignUpPage.java:37)
at test.utils.Functions.UserLogin(Functions.java:98)
at test.LaunchTest.testLogin(EnigmaLaunchTest.java:121)
Thanks,
Priyank Shah
I was having a similar error message and the problem was solved by changing the non-default Selendroid port number back to the default 8080. Try that and see what happens...
I'm trying to use Spring Security 3.1, but I'm losing my HttpSession after the authentication. I'm getting: "No HttpSession currently exists" after having a correct HttpSession created.
I'm getting the following log:
08 janv. 2014 19:53:59 DEBUG HttpSessionSecurityContextRepository - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@bce8a84f: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bce8a84f: Principal: org.springframework.security.core.userdetails.User@3b40b2f: Username: ADMIN; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: qx1qn1vbjxx71xedid64oi977; Granted Authorities: ROLE_ADMIN'
08 janv. 2014 19:53:59 DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'spring': assuming HandlerAdapter completed request handling
08 janv. 2014 19:53:59 DEBUG DispatcherServlet - Successfully completed request
08 janv. 2014 19:53:59 DEBUG ExceptionTranslationFilter - Chain processed normally
08 janv. 2014 19:53:59 DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
08 janv. 2014 19:54:00 DEBUG HttpSessionSecurityContextRepository - No HttpSession currently exists
08 janv. 2014 19:54:00 DEBUG HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
08 janv. 2014 19:54:00 DEBUG AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
What could be the problem?
UPDATE:
I found my problem... I had a file that I should have cared about before:
jetty-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN"
"http://jetty.mortbay.org/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="sessionHandler">
<Get name="sessionManager">
<Set name="usingCookies" type="boolean">false</Set>
</Get>
</Get>
</Configure>
I was disabling the cookies myself...
I found my problem... I had a file that I should have cared about before:
jetty-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN"
"http://jetty.mortbay.org/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="sessionHandler">
<Get name="sessionManager">
<Set name="usingCookies" type="boolean">false</Set>
</Get>
</Get>
</Configure>
I was disabling the cookies myself... I've deleted this file and it's now working.
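The sequence in the log above (a SecurityContext stored to a session with a real SessionId, then the very next request arriving with no HttpSession and an anonymous token with `SessionId: null`) is the signature of a client that never returns the session cookie, which is exactly what `usingCookies=false` produces. The following is an added example, not code from the question or the answer, that scans Spring Security DEBUG output for that pattern so the symptom can be spotted automatically; the sample log is constructed from abbreviated copies of the lines posted above, and the regular expressions assume the 3.x log message wording shown there.

```python
"""Flag logins whose HttpSession is never seen again (session cookie not returned).

Added example for the thread above; not part of the original post. It pairs a
'SecurityContext stored to HttpSession' line with a later request that logs
'No HttpSession currently exists' and then falls back to an anonymous token.
"""
import re

# Constructed sample, abbreviated from the question's log lines.
SAMPLE_LOG = """\
08 janv. 2014 19:53:59 DEBUG HttpSessionSecurityContextRepository - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl#bce8a84f: Authentication: ...; Username: ADMIN; Password: [PROTECTED]; ...; SessionId: qx1qn1vbjxx71xedid64oi977; Granted Authorities: ROLE_ADMIN'
08 janv. 2014 19:53:59 DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
08 janv. 2014 19:54:00 DEBUG HttpSessionSecurityContextRepository - No HttpSession currently exists
08 janv. 2014 19:54:00 DEBUG FilterChainProxy - /index at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
08 janv. 2014 19:54:00 DEBUG AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: '...: Principal: anonymousUser; ...; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
"""

# Message wording as logged by Spring Security 3.x (assumed stable for these lines).
STORED_RE = re.compile(
    r"SecurityContext stored to HttpSession: .*?Username: (?P<user>[^;]+);.*?SessionId: (?P<sid>[^;]+);"
)
REQUEST_RE = re.compile(r"FilterChainProxy - (?P<uri>\S+) at position 1 of")
NO_SESSION_RE = re.compile(r"No HttpSession currently exists")
ANON_RE = re.compile(r"Populated SecurityContextHolder with anonymous token")


def find_lost_sessions(log_text):
    """Return one finding per login whose session was stored but never presented again.

    A finding is produced when, after a 'stored to HttpSession' line, a later
    request logs 'No HttpSession currently exists' and ends up anonymous.
    """
    findings = []
    last_stored = None  # (user, session_id) from the most recent successful login
    current = None      # state for the request currently being traced
    for line in log_text.splitlines():
        m = STORED_RE.search(line)
        if m:
            last_stored = (m["user"].strip(), m["sid"].strip())
            continue
        m = REQUEST_RE.search(line)
        if m:
            # Position 1 of the filter chain marks the start of a new request.
            current = {"uri": m["uri"], "no_session": False}
            continue
        if current is None:
            continue
        if NO_SESSION_RE.search(line):
            current["no_session"] = True
        elif ANON_RE.search(line) and current["no_session"] and last_stored:
            user, sid = last_stored
            findings.append({"uri": current["uri"], "user": user, "session_id": sid})
            last_stored = None  # report each lost session once


    return findings


if __name__ == "__main__":
    for f in find_lost_sessions(SAMPLE_LOG):
        print(f"user {f['user']}: session {f['session_id']} was stored but request "
              f"{f['uri']} arrived without it; check that the session cookie is "
              f"issued and sent back (cookie disabled, wrong path/domain, Secure "
              f"flag over plain http)")
```

Run it against a real debug log with `find_lost_sessions(open(path).read())`; an empty list means every request after login presented its session, and the problem lies elsewhere.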
I am building a grails application that includes:
Spring Security (Spring MVC project; NOT the Grails plugin)
"OAuth for Spring Security" to implement an OAuth2 provider
To accomplish this, I followed the following steps:
grails install-templates [see here]
in src/templates/war/web.xml, add the Spring Security filter as below:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
define Spring Security and OAuth beans in WEB-INF/applicationContext.xml file including the following for handling /oauth/token
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
....
....
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
Issue: The issue that I am facing is that Spring Security filters fire correctly and successfully authenticate the client. But after that, the GrailsDispatcherServlet is unable to find a handler for the POST to /oauth/token and returns a "404 Resource not found" error.
In the debug log, I can see that /oauth/token is mapped to a handler
2013-06-17 19:21:04,469 [localhost-startStop-1] INFO endpoint.FrameworkEndpointHandlerMapping - Mapped "{[/oauth/token],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.http.ResponseEntity org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.lang.String,java.util.Map)
I suspect this happens because when the GrailsDispatcherServlet and ApplicationContext are created, Grails' DefaultUrlMappingsHolder creates a new set of URL mappings in that context and replaces the previous set of mappings. For example, I also see the following in my debug log:
2013-06-17 19:31:01,339 [localhost-startStop-1] DEBUG mapping.DefaultUrlMappingsHolder - Reverse mapping: [DefaultUrlMappingsHolder.UrlMappingKey#250f9a46 controller = 'account', action = [null], plugin = [null], params = set['API_VERSION']] -> /()/provisioning/order/account/()?
Here's the debug log for when I make an HTTP POST to /oauth/token:
2013-06-17 19:31:05,798 [http-bio-8080-exec-1] DEBUG util.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
2013-06-17 19:31:05,804 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /oauth/token at position 1 of 5 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-06-17 19:31:05,805 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /oauth/token at position 2 of 5 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2013-06-17 19:31:05,807 [http-bio-8080-exec-1] DEBUG www.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'j2'
2013-06-17 19:31:05,808 [http-bio-8080-exec-1] DEBUG authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2013-06-17 19:31:05,813 [http-bio-8080-exec-1] DEBUG www.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#ffff9a33: Principal: org.springframework.security.core.userdetails.User#d08: Username: j2; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ALL; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ALL
2013-06-17 19:31:05,813 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /oauth/token at position 3 of 5 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-06-17 19:31:05,814 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /oauth/token at position 4 of 5 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2013-06-17 19:31:05,814 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /oauth/token at position 5 of 5 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2013-06-17 19:31:05,814 [http-bio-8080-exec-1] DEBUG util.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
2013-06-17 19:31:05,815 [http-bio-8080-exec-1] DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /oauth/token; Attributes: [IS_AUTHENTICATED_FULLY]
2013-06-17 19:31:05,815 [http-bio-8080-exec-1] DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#ffff9a33: Principal: org.springframework.security.core.userdetails.User#d08: Username: j2; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ALL; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ALL
2013-06-17 19:31:05,815 [http-bio-8080-exec-1] DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter#35f3198f, returned: 0
2013-06-17 19:31:05,815 [http-bio-8080-exec-1] DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter#6b1316f4, returned: 1
2013-06-17 19:31:05,815 [http-bio-8080-exec-1] DEBUG intercept.FilterSecurityInterceptor - Authorization successful
2013-06-17 19:31:05,816 [http-bio-8080-exec-1] DEBUG intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
2013-06-17 19:31:05,816 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /oauth/token reached end of additional filter chain; proceeding with original chain
2013-06-17 19:31:05,826 [http-bio-8080-exec-1] DEBUG mvc.GrailsWebRequestFilter - Bound Grails request context to thread: SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.connector.RequestFacade#519cea9e]]
2013-06-17 19:31:05,846 [http-bio-8080-exec-1] DEBUG filter.UrlMappingsFilter - Executing URL mapping filter...
2013-06-17 19:31:05,847 [http-bio-8080-exec-1] DEBUG filter.UrlMappingsFilter - URL Mappings
------------
/
/(*)/provisioning/order/account/(*)?
/(*)/provisioning/order/demographics/(*)?
/(*)/provisioning/inventory/phone_numbers/(*)?
/(*)/billing/regions/(*)?
/(*)/billing/countries/(*)?
/(*)/provisioning/credit_cards/(*)?
/(*)/provisioning/states/(*)?
/(*)/provisioning/countries/(*)?
/(*)/provisioning/phone_cities/(*)?
/(*)/general/languages/(*)?
/(*)/docs/constraints/(*)?
2013-06-17 19:31:05,847 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/]
2013-06-17 19:31:05,847 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/provisioning/order/account/(*)?]
2013-06-17 19:31:05,847 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/provisioning/order/demographics/(*)?]
2013-06-17 19:31:05,848 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/provisioning/inventory/phone_numbers/(*)?]
2013-06-17 19:31:05,848 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/billing/regions/(*)?]
2013-06-17 19:31:05,848 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/billing/countries/(*)?]
2013-06-17 19:31:05,848 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/provisioning/credit_cards/(*)?]
2013-06-17 19:31:05,848 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/provisioning/states/(*)?]
2013-06-17 19:31:05,848 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/provisioning/countries/(*)?]
2013-06-17 19:31:05,848 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/provisioning/phone_cities/(*)?]
2013-06-17 19:31:05,848 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/general/languages/(*)?]
2013-06-17 19:31:05,848 [http-bio-8080-exec-1] DEBUG mapping.DefaultUrlMappingsHolder - Attempting to match URI [/oauth/token] with pattern [/(*)/docs/constraints/(*)?]
2013-06-17 19:31:05,857 [http-bio-8080-exec-1] DEBUG filter.UrlMappingsFilter - No match found, processing remaining filter chain.
2013-06-17 19:31:05,860 [http-bio-8080-exec-1] DEBUG mvc.GrailsWebRequestFilter - Cleared Grails thread-bound request context: SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.connector.RequestFacade#519cea9e]]
2013-06-17 19:31:05,860 [http-bio-8080-exec-1] DEBUG access.ExceptionTranslationFilter - Chain processed normally
2013-06-17 19:31:05,860 [http-bio-8080-exec-1] DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Any ideas on how to "share"/"propagate" those Spring /oauth/token mappings with the Grails Dispatcher?
I ran into similar symptoms when trying to get my /oauth/authorize endpoint to work properly. In order to get things going, I had to add the following to UrlMappings.groovy:
"/oauth/authorize" (uri:"/oauth/authorize.dispatch")
"/oauth/token" (uri:"/oauth/token.dispatch")
This solution came from examining the source for a grails spring-security-oauth provider plugin:
https://github.com/adaptivecomputing/grails-spring-security-oauth2-provider
Note that getting this setup to work completely might also involve updating the grails cache plugin: when using 1.0.1, I received a 500 after I got the mapping to work (when trying to load /oauth/authorize). Upgrading my cache plugin to 1.1.1 fixed that issue for me.
Hope something in there is useful.
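The 404 in the question is visible in the UrlMappingsFilter output: every pattern Grails knows about is tried against /oauth/token and none matches, so the request never reaches the Spring OAuth endpoint that the security filters just authorised. The following is an added example (not code from the question, the answer, or the linked plugin) that turns the patterns printed in that debug block into regular expressions and reports which one, if any, a URI falls into; it is a simplification of Grails' own matcher, where `(*)` stands for one path segment and a trailing `?` makes the preceding `/(*)` optional, and it treats the two mappings from the answer as plain literal paths. Pattern lists and URIs below are copied from or constructed after the thread.

```python
"""Check which Grails URL mapping pattern a request URI falls into, if any.

Added example for the question and answer above; not part of either post.
Converts the patterns that Grails logged under 'URL Mappings' into regexes
and reports the first match, so the /oauth/token 404 can be reproduced and
the answer's two extra mappings verified.
"""
import re

# Copied from the UrlMappingsFilter debug block in the question (subset).
MAPPINGS_FROM_LOG = [
    "/",
    "/(*)/provisioning/order/account/(*)?",
    "/(*)/provisioning/order/demographics/(*)?",
    "/(*)/billing/regions/(*)?",
    "/(*)/docs/constraints/(*)?",
]

# The two mappings the answer adds to UrlMappings.groovy (left-hand side only).
OAUTH_MAPPINGS = ["/oauth/authorize", "/oauth/token"]


def pattern_to_regex(pattern):
    """Translate a Grails mapping pattern into a compiled regex.

    Simplified rules (assumption, enough for the patterns shown in the log):
      (*)   -> exactly one path segment
      seg?  -> that segment together with its leading '/' is optional
      other -> matched literally
    """
    if pattern == "/":
        return re.compile(r"^/$")
    pieces = []
    for seg in pattern.strip("/").split("/"):
        optional = seg.endswith("?")
        core = seg[:-1] if optional else seg
        body = r"[^/]+" if core == "(*)" else re.escape(core)
        piece = "/" + body
        pieces.append(f"(?:{piece})?" if optional else piece)
    return re.compile("^" + "".join(pieces) + "$")


def match_uri(uri, mappings):
    """Return the first mapping pattern that matches `uri`, or None (a Grails 404)."""
    for pattern in mappings:
        if pattern_to_regex(pattern).match(uri):
            return pattern
    return None


if __name__ == "__main__":
    for uri in ["/oauth/token", "/v1/provisioning/order/account/42", "/v1/docs/constraints"]:
        before = match_uri(uri, MAPPINGS_FROM_LOG)
        after = match_uri(uri, MAPPINGS_FROM_LOG + OAUTH_MAPPINGS)
        print(f"{uri}: without oauth mappings -> {before}; with -> {after}")
```

Replace `MAPPINGS_FROM_LOG` with the full list your own UrlMappingsFilter prints to check any URI that returns an unexpected 404; if the Spring Security log shows "Authorization successful" but this reports `None`, the request is being dropped by Grails routing, not by the security filters.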