grails - simple App to test spring-security-core secure-channel on Heroku

Question

Because setting the ports in this question didn\'t solve the redirect loop problem, I created a bare-bones test app (grails 2.0, latest spring-security-core 1.2.7.1), so the

Answer 1

Probably best not to just randomly hack out stuff if you don't know why it's there :)

The IllegalStateException is coming from an incorrect ordering of filter-mapping elements in web.xml. Both spring-security-core and resources were positioning filter-mapping elements and were stepping on each other, so we updated the webxml plugin to support that by convention and made both plugins depend on that one. Due to bugs in plugin eviction with different dependent plugin versions, it's important that you use versions of spring-security-core and resources that depend on the same version of webxml.

New 2.0 apps declare a dependency on resources 1.1.5 which uses webxml v1.4, and spring-security-core 1.2.7+ uses 1.4.1, so you need to either not use resources or use version 1.1.6. Then there's no ambiguity and the correct version will be used, and the web.xml order will be correct. You should also register all plugins in BuildConfig and not use install-plugin; this will keep everything in one place and allow you to define exclusions, etc.

This is all independent of the SSL issues however, so it's best to focus on one issue at a time. I haven't used SSL on Heroku so I don't know what ports they use. I assume inside the firewall they use something other than 443 and then requests are routed out on 443. But this is independent of Grails and the spring-security-core plugin, so finding out how SSL is configured is just a general documentation issue.

Update

Ok, so based on the workaround in the link James posted I released a new version of the Spring Security plugin (v1.2.7.2) with support for X-Forwarded-Proto. Add grails.plugins.springsecurity.secureChannel.useHeaderCheckChannelSecurity = true to Config.groovy and it will use that approach instead of the more simplistic secure/insecure check. And the IllegalStateException is due to a bug in the way Heroku deploys Grails 2.0 applications. Plugin dependencies aren't getting resolved when building the war, so you need to be explicit. So be sure to add

compile ":spring-security-core:1.2.7.2"
compile ':webxml:1.4.1'
compile ":heroku:1.0"
compile ':cloud-support:1.0.8'

to BuildConfig.groovy to be sure that webxml (a spring-security-core dependency) and cloud-support (a heroku dependency) get installed and deployed.