Restricting Access To Plugin’s Classes With Spring Security

03 / May / 2012 by Hitesh Bhatia 0 comments

Many of Grails plugin like searchable  and console can prove to be really dangerous if access to their URLs is not blocked. After adding searchable plugin to my project, I realized that access to its controllers was not defined and was open for all. Now this was a major security concern. There are many ways of restricting access like doing it manually in filters. But since I am using spring security plugin, there was a better way out. It allows to create mapping (static rules) as configuration for different user roles.

There are different ways of securing url in spring security plugin. And since I am using annotations, I’ll be defining static rule for annotations only.

grails.plugins.springsecurity.controllerAnnotations.staticRules = [

'/console/**': ['ROLE_ADMIN'],

'/searchable/**': ['ROLE_ADMIN']


By doing this I blocked access for all but ones with the role “ROLE_ADMIN”  for console and searchable controllers.

Hitesh Bhatia

Leave a comment -