Grails action is secured when I use run-app but not when .war is deployed


My Grails app provides a REST API that is secured by the Spring Security 2.0-RC4 plugin. One of the actions does not require authentication, and it looks like so:

@Secured(['permitAll'])
class PdfController {

    static allowedMethods = [download: "POST"]
    static responseFormats = ['pdf']

    def download(String data) {
        log.debug "Generating PDF from form data $data"
        // impl omitted
    }
}

When I run the app locally via grails run-app or grails run-war, everything works as expected, i.e. you can invoke this action without authenticating. However, if I build a .war file with grails -Dgrails.env=dev war and deploy it to Tomcat on a staging server, I'm no longer able to invoke this endpoint anonymously.

On the staging server, if I try to invoke this action without authenticating, I get a 302 (redirect) response that redirects me to the login page. This is the behaviour I would expect for secured actions.

I'm not sure if this is relevant, but one difference between this action and all the others is that it is invoked by a form post so the data is expected to be x-www-form-urlencoded (all the other actions are invoked via AJAX and expect JSON data).


There is 1 best solution below


It's probably something sensitive to the environment setting: -Dgrails.env=dev selects a custom environment named "dev", not the standard environment which is named "development". You could build a "development" environment WAR file with the shorthand

grails dev war

For war the default environment is production, but for run-war it is development.
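
The effect the answer describes, shown with Groovy's ConfigSlurper (the parser Grails 2 uses for Config.groovy). This is an added example, not code from the question or the answer. The config fragment is constructed, and it assumes the security settings differ per `environments` block and that the active environment name is literally "dev".

```groovy
// Constructed Config.groovy fragment (an assumption, not the asker's real config).
// The top-level default ignores @Secured annotations; only the named
// environment blocks switch the plugin to annotation-based rules.
def configText = '''
grails.plugin.springsecurity.securityConfigType = 'InterceptUrlMap'

environments {
    development {
        grails.plugin.springsecurity.securityConfigType = 'Annotation'
    }
    production {
        grails.plugin.springsecurity.securityConfigType = 'Annotation'
    }
}
'''

// Parse the fragment the way it would be resolved for one environment name
// and return the security config type that ends up in effect.
String effectiveConfigType(String envName, String text) {
    def config = new ConfigSlurper(envName).parse(text)
    config.grails.plugin.springsecurity.securityConfigType
}

// "dev" matches no environments block, so the top-level default wins and
// @Secured(['permitAll']) on the controller is never consulted.
['development', 'production', 'dev'].each { env ->
    def type = effectiveConfigType(env, configText)
    def annotationsUsed = (type == 'Annotation')
    println "${env.padRight(12)} securityConfigType=${type}  @Secured evaluated: ${annotationsUsed}"
}
```

Running the same comparison against the real Config.groovy, with the environment name the deployed WAR actually reports, shows whether a per-environment block is being skipped.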