I am trying to follow the tutorial at http://alvarosanchez.github.io/grails-angularjs-springsecurity-workshop/ with grails 3.2.0.M2 with angularjs profile.
The build.gradle has the following
compile 'org.grails.plugins:spring-security-core:3.1.1'
compile "org.grails.plugins:spring-security-rest:2.0.0.M2"
My application.groovy has the follwoing
grails.plugin.springsecurity.userLookup.userDomainClassName = 'workspace.kernel.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'workspace.kernel.UserRole'
grails.plugin.springsecurity.authority.className = 'workspace.kernel.Role'
grails.plugin.springsecurity.logout.postOnly = false
grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
[pattern: '/ats/**', access: ['permitAll']],
[pattern: '/login/**', access: ['permitAll']],
[pattern: '/index/**', access: ['permitAll']],
[pattern: '/', access: ['permitAll']],
[pattern: '/error', access: ['permitAll']],
[pattern: '/index', access: ['permitAll']],
//[pattern: '/welcome.gsp', access: ['permitAll']],
[pattern: '/shutdown', access: ['permitAll']],
[pattern: '/assets/**', access: ['permitAll']],
[pattern: '/**/js/**', access: ['permitAll']],
[pattern: '/**/css/**', access: ['permitAll']],
[pattern: '/**/images/**', access: ['permitAll']],
[pattern: '/**/favicon.ico', access: ['permitAll']],
[pattern: '/dbconsole/**', access: ['permitAll']]
]
grails.plugin.springsecurity.filterChain.chainMap = [
[pattern: '/assets/**', filters: 'none'],
[pattern: '/**/js/**', filters: 'none'],
[pattern: '/**/css/**', filters: 'none'],
[pattern: '/**/images/**', filters: 'none'],
[pattern: '/**/favicon.ico', filters: 'none'],
[pattern: '/**', filters: 'JOINED_FILTERS']
//[pattern: '/**', filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter']
]
I have intentionally not used the '/api/**' prefix because I imagine that I will have to change multiple javascript.
I am successfully able to sign in and also get the token but after that many of the actions are returning 403 status. For example
@Transactional
@Secured(['ROLE_ADMIN'])
def save(User user) {
if (user == null) {
transactionStatus.setRollbackOnly()
render status: NOT_FOUND
return
}
if (user.hasErrors()) {
transactionStatus.setRollbackOnly()
respond user.errors, view: 'create'
return
}
user.save flush: true
respond user, [status: CREATED, view: "show"]
}
On the other side some of the requests do not require the token at all! For example the following, it works regardless of the absence of the token
@Transactional
@Secured(['ROLE_ADMIN'])
def processUpload() {
println params.file.getOriginalFilename()
String xmlReponse = resumeParserService.parse(params.file.getBytes(), "txt")
println 'response received'
def xmlObj = new XmlSlurper().parseText(xmlReponse)
println 'xml slurped'
Map candidate =[:];
candidate.firstName = xmlObj.personalInformation.firstname.text()
candidate.lastName = xmlObj.personalInformation.lastname.text()
candidate.email = xmlObj.personalInformation.email.text()
candidate.mobile = xmlObj.personalInformation.phoneNumber.text()
candidate.highestQualification = xmlObj.personalInformation.isced.name.text()
xmlObj.binaryDocuments.document.each{
if(it.class.text().startsWith('plot_')){
candidate[it.class.text()] = it.binary.text()
}
}
// println 'values assigned'
println candidate
render candidate as JSON
}
Finally my request from rest client 
I am least interested in making my website stateless; is there a way to make all my grails 3 controllers statful and just use spring-security-core?