donalmurtagh / grails-simple-captcha

Grails plugin that creates simple image CAPTCHAs that protect against automated completion and submission of HTML forms
Apache License 2.0

Changes in SpringSecurity plugin v2 cause captcha not to render #3

Closed mvniekerk closed 10 years ago

mvniekerk commented 10 years ago

SpringSecurity has changed from blacklist to whitelist in terms of security (such as, in the past you had to secure it for it to use Spring, but now you have to "unsecure" it).

The end result is the link to the captcha jpg is now a login screen.

ghost commented 10 years ago

Then you need to add rule(s) to your Spring Security configuration to allow unauthenticated users to access the simple captcha URLs. In most cases the easiest way to do this is described here:

http://grails-plugins.github.io/grails-spring-security-core/docs/manual/guide/single.html#configGroovyMap

I'm closing this issue because I don't think any changes to the plugin are necessary. Please reopen with more details if the solution I've proposed won't work for you.

mvniekerk commented 10 years ago

Just for completeness' sake, I've added the following to my Config.groovy:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':                              ['permitAll'],
    '/index':                         ['permitAll'],
    '/index.gsp':                     ['permitAll'],
    '/simpleCaptcha/**':              ['permitAll'],
    '/**/js/**':                      ['permitAll'],
    '/**/css/**':                     ['permitAll'],
    '/**/images/**':                  ['permitAll'],
    '/**/favicon.ico':                ['permitAll']
]

The relevant entry for this plugin is: '/simpleCaptcha/**': ['permitAll'],

ghost commented 10 years ago

For further completeness there is an option in v.2 of Spring Security to make URLs accessible by default (as in version 1). If you enable this option, by adding the following to Config.groovy

grails.plugin.springsecurity.rejectIfNoRule = false

then it's not necessary to change grails.plugin.springsecurity.controllerAnnotations.staticRules for simple captcha to be accessible. However, this will also make any other unguarded URLs in your application publicly accessible, so don't follow this approach unless you're sure you understand what you're doing.

http://grails-plugins.github.io/grails-spring-security-core/docs/manual/guide/single.html#requestMappings
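Added example (not part of any comment in this thread, and not code from either plugin): a small Python audit that evaluates request paths against the static rules posted above, once with the v2 lock-down default and once with the open, version 1 style default, and lists the paths that are public only because no rule matches them. The Ant-pattern matching is a simplified model, rules are checked in insertion order, and the sample paths are constructed.

```python
import re

# Static rules copied from the Config.groovy posted in this thread.
STATIC_RULES = {
    "/": ["permitAll"], "/index": ["permitAll"], "/index.gsp": ["permitAll"],
    "/simpleCaptcha/**": ["permitAll"],
    "/**/js/**": ["permitAll"], "/**/css/**": ["permitAll"],
    "/**/images/**": ["permitAll"], "/**/favicon.ico": ["permitAll"],
}
# Constructed sample paths; the last two are hypothetical application URLs.
SAMPLE_PATHS = ["/simpleCaptcha/captcha", "/static/js/app.js",
                "/admin/users", "/report/export"]

def ant_to_regex(pattern):
    """Simplified Ant matcher: '**' spans segments, '*' stays in one segment, '?' is one char."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            piece, step = "/(?:.*/)?", 4
        elif pattern.startswith("/**", i) and i + 3 == len(pattern):
            piece, step = "(?:/.*)?", 3
        elif pattern.startswith("**", i):
            piece, step = ".*", 2
        elif pattern[i] == "*":
            piece, step = "[^/]*", 1
        elif pattern[i] == "?":
            piece, step = "[^/]", 1
        else:
            piece, step = re.escape(pattern[i]), 1
        out.append(piece)
        i += step
    return re.compile("".join(out) + r"\Z")

def decide(path, rules, reject_if_no_rule):
    """Outcome for an unauthenticated request: 'public', 'restricted' or 'denied'."""
    for pattern, access in rules.items():
        if ant_to_regex(pattern).match(path):
            return "public" if "permitAll" in access else "restricted"
    return "denied" if reject_if_no_rule else "public"

def exposed_by_fallback(paths, rules):
    """Paths no rule covers: locked down by default, public once the default is opened."""
    return [p for p in paths if decide(p, rules, True) == "denied"
            and decide(p, rules, False) == "public"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, decide(p, STATIC_RULES, True), decide(p, STATIC_RULES, False))
    print("public only via open default:", exposed_by_fallback(SAMPLE_PATHS, STATIC_RULES))
```

Running the same check over an application's real URL list before relaxing the default shows exactly which endpoints would lose their protection.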