Grails 3 Spring安全性插件

Question

I am using Grails 3 and the Spring Security Plugin for authentication.

When I hit the following url manually, in my browser:

http://localhost:8080/cool-0.1/

I get the login page, and I can authenticate successfully, inferring that I type my username / password combo correctly.

Problem:

If I navigate to my page by using the original link, without the forward slash (IE: http://localhost:8080/cool-0.1 and not http://localhost:8080/cool-0.1/ ) I completely bypass the security, and am able to see the home page without authenticating. (Yes, I clear my cache, close all windows, etc)

My url mappings contain the following code:

"/"(controller: "home", action: "index")

My spring security groovy file contains the following code:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/login/**', access: ['permitAll']],
    [pattern: '/error', access: ['permitAll']],
    [pattern: '/**', access: 'isAuthenticated()']
]
grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**', filters: 'none'],
    [pattern: '/**/js/**', filters: 'none'],
    [pattern: '/**/css/**', filters: 'none'],
    [pattern: '/**/images/**', filters: 'none'],
    [pattern: '/**/favicon.ico', filters: 'none'],
    [pattern: '/**', filters: 'JOINED_FILTERS']
]

I do not see what I am missing here. Why do the two scenarios cause issues? The documentation for Spring Security Grails 3 mentions nothing useful to solve this.

Answer 1

The solution was to use the ** pattern:

[pattern: '**', access: 'isAuthenticated()'],

The documentation provided said that the use of /** and ** is identical, however, by doing the experiment using both, it clearly is not.