I have been instructed to upgrade some legacy Grails 2.x applications to Grails 3.0.14. Since applications used the Spring-Security-Core plugin, I updated it to 3.0.3. However, I quite often come across inaccessible static resources that give this error:
java.lang.IllegalStateException: There was a problem retrieving the current GrailsWebRequest. This usually indicates a filter ordering issue (the 'springSecurityFilterChain' filter-mapping element must be positioned after the 'grailsWebRequest' element when using @Secured annotations).
I don't have a specific FilterRegistrationBean filter, I don't use SpringSecurityUtils.clientRegisterFilter, and there is no web.xml, so I'm not sure how applications can change the default servlet filter order to cause this problem.
The only difference seems to be in my .groovy application:
grails.plugin.springsecurity.filterChain.chainMap = [ [pattern: '/assets/**', filters: 'none'], [pattern: '/**', filters: 'JOINED_FILTERS'] ]
If I remove the filters: “no”, everything works. I know that Spring Security 3.1.x has outdated filters = "none" in Java applications, and in more modern versions it is not fully supported. Is this what causes this strange error message?
source share