I have a REST controller with a REST endpoint, list:

    import grails.converters.JSON
    import grails.plugin.springsecurity.annotation.Secured

    class MyRestController {

        // only the list action carries a role check
        @Secured(['ROLE_ADMIN'])
        def list() {
            render(['status': 200, 'message': 'Access granted for list'] as JSON)
        }
    }
I applied RBAC on list for the role 'ROLE_ADMIN', but when I access this controller without specifying an action name (the default URI for a controller), it gives me a response even when I am not logged in.
When I call the API with the URL http://localhost:8080/myRest/list, it redirects me to the login page, which is the expected behaviour. But when I hit the default URL for the controller in my browser, I get a response.
API Calling URL: http://localhost:8080/myRest
Response:
{"status": 200,"message": "Access granted for list"}
Accessing http://localhost:8080/myRest should redirect me to the login page or give a 404, but it definitely should not respond with the list REST API response.
I am using Grails 2.5.4. Please suggest whether I am doing something wrong, or how I can fix this vulnerability.
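The following is an added example, not the poster's code, of how the controller looks with the role check moved to the class level. A `@Secured` annotation on a single action only produces rules for that action's URLs, while Grails routes the bare controller URL to the controller's default action (when a controller has no `index` action and only one other action, that action becomes the default), which is why the action-level rule does not cover `/myRest`. The class-level annotation covers every action of the controller; the explicit `index` action is an assumption added here so that `/myRest` has a deliberate, and still protected, handler.

```groovy
// Added example (not the original poster's code): the role check is applied to
// the whole controller instead of to the list action alone, so every action,
// including whatever Grails resolves as the default action for /myRest, is
// protected. Controller and role names come from the question; the index
// action is an assumption added for illustration.
import grails.converters.JSON
import grails.plugin.springsecurity.annotation.Secured

@Secured(['ROLE_ADMIN'])   // applies to all actions of this controller
class MyRestController {

    // Explicit default action: the bare controller URL now lands here instead
    // of on list, and it is covered by the class-level rule like everything else.
    def index() {
        response.status = 404
        render(['status': 404, 'message': 'Not found'] as JSON)
    }

    def list() {
        render(['status': 200, 'message': 'Access granted for list'] as JSON)
    }
}
```

As a second line of defence, `grails.plugin.springsecurity.rejectIfNoRule = true` in `grails-app/conf/Config.groovy` makes the plugin deny any request for which no rule matches, so an action that was forgotten is denied rather than served; with that setting, public URLs such as the login page must then be listed explicitly with `permitAll`, which in annotation mode is done through `grails.plugin.springsecurity.controllerAnnotations.staticRules`.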