Grails Programmer : How to secure your Grails 3 API with Spring Security REST for Grails?

For this post I will continue reusing the code I created in the How to use Spring Security Core to Secure your Grails 3 app post.

In this post we are going to expose our app's product announcements as a JSON API and secure it with the Spring Security REST for Grails plugin.

Let's create a service to encapsulate the logic.

$ grails create-service ProductAnnouncement 
| Created grails-app/services/myapp/ProductAnnouncementService.groovy
| Created src/test/groovy/myapp/ProductAnnouncementServiceSpec.groovy

with the content:

package myapp

import grails.transaction.Transactional

// Class name matches the generated file ProductAnnouncementService.groovy
@Transactional(readOnly = true)
class ProductAnnouncementService {

    // Newest announcements first
    List<ProductAnnouncement> lastAnnouncements() {
        ProductAnnouncement.createCriteria().list {
            order("dateCreated", "desc")
        }
    }
}


Let's create a controller for our API endpoints.

$ grails create-controller Api
| Created grails-app/controllers/myapp/ApiController.groovy
| Created src/test/groovy/myapp/ApiControllerSpec.groovy

Let's define a controller action to expose the last announcements as a JSON payload.

package myapp

import grails.plugin.springsecurity.annotation.Secured

class ApiController {

    // Injected by name; matches ProductAnnouncementService
    def productAnnouncementService

    // Only authenticated callers (i.e. a request carrying a valid token) may read the list;
    // swap in the role your app uses if you need role-based access instead
    @Secured('IS_AUTHENTICATED_FULLY')
    def announcements() {
        render(contentType: "application/json") {
            announcements {
                for (a in productAnnouncementService.lastAnnouncements()) {
                    announcement(message: a.message)
                }
            }
        }
    }
}

Install Spring Security REST for Grails

To install it we need to add the plugin dependency to build.gradle:

buildscript {
    ext {
        grailsVersion = project.grailsVersion
    }
    repositories {
        maven { url "" } // Grails artifact repository URL
    }
    dependencies {
        classpath "org.grails:grails-gradle-plugin:$grailsVersion"
        classpath "com.bertramlabs.plugins:asset-pipeline-gradle:2.5.0"
        classpath "org.grails.plugins:hibernate4:5.0.0"
    }
}

version "0.1"
group "myapp"

apply plugin:"eclipse"
apply plugin:"idea"
apply plugin:"war"
apply plugin:"org.grails.grails-web"
apply plugin:"org.grails.grails-gsp"
apply plugin:"asset-pipeline"

ext {
    grailsVersion = project.grailsVersion
    gradleWrapperVersion = project.gradleWrapperVersion
}

repositories {
    maven { url "" } // Grails artifact repository URL
}

dependencyManagement {
    imports {
        mavenBom "org.grails:grails-bom:$grailsVersion"
    }
    applyMavenExclusions false
}

dependencies {
    compile "org.springframework.boot:spring-boot-starter-logging"
    compile "org.springframework.boot:spring-boot-autoconfigure"
    compile "org.grails:grails-core"
    compile "org.springframework.boot:spring-boot-starter-actuator"
    compile "org.springframework.boot:spring-boot-starter-tomcat"
    compile "org.grails:grails-dependencies"
    compile "org.grails:grails-web-boot"
    compile "org.grails.plugins:cache"
    compile "org.grails.plugins:scaffolding"
    compile "org.grails.plugins:hibernate4"
    compile "org.hibernate:hibernate-ehcache"
    console "org.grails:grails-console"
    profile "org.grails.profiles:web:3.1.1"
    runtime "org.grails.plugins:asset-pipeline"
    runtime "com.h2database:h2"
    testCompile "org.grails:grails-plugin-testing"
    testCompile "org.grails.plugins:geb"
    testRuntime "org.seleniumhq.selenium:selenium-htmlunit-driver:2.47.1"
    testRuntime "net.sourceforge.htmlunit:htmlunit:2.18"
    // Spring Security Core (from the previous post) plus the REST plugin added here
    compile "org.grails.plugins:spring-security-core:3.0.3"
    compile "org.grails.plugins:spring-security-rest:2.0.0.M2"
}

task wrapper(type: Wrapper) {
    gradleVersion = gradleWrapperVersion
}

assets {
    minifyJs = true
    minifyCss = true
}

Spring Security REST for Grails exposes an endpoint, /api/login, which we access with a POST request, supplying our credentials (username and password) as parameters. If we authenticate successfully we get back an access_token and a refresh_token.


We can do a GET request to our http://localhost:8080/api/announcements endpoint. We need to add an HTTP header:
Header Name: Authorization
Header Value: Bearer access_token

The access_token is the one we got back from the api/login endpoint.

The above request is illustrated here:

Note we are using a JSON Web Token (JWT), which we don't need to store on the server side: the token is validated without a repository (database or similar) call, which is better for the scalability of the application.
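To make the "validation without a repository call" point concrete, here is an added example (not code from the post or from the plugin) of checking an `Authorization: Bearer <jwt>` header with nothing but the shared HMAC secret and the clock. It assumes an HS256-signed token; the secret value and the claim names `sub`, `roles` and `exp` are constructed for illustration and may differ from what the plugin emits.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the HS256 key the server would be configured with.
SECRET = b"constructed-demo-secret-change-me"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256-signed JWT; only used here to produce sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_bearer(auth_header: str, secret: bytes = SECRET, now: float = None) -> dict:
    """Stateless check of an Authorization header: no database lookup, just secret + clock.
    Returns the claims on success, raises ValueError on any failure."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing or malformed Authorization header")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

A token whose payload has been edited, or whose `exp` has passed, is rejected before any application code runs, which is exactly why no server-side token store is needed.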

Access tokens expire. However, the api/login response also gave us a refresh token, which we can use to obtain a new access token with a POST request, as shown below:

OAuth refresh token

Do you like to read about Groovy/Grails development? If yes, then subscribe to Groovy Calamari, a weekly curated email newsletter about the Groovy ecosystem which I write.
