Many Grails plugins, like searchable and console, can prove to be really dangerous if access to their URLs is not blocked. After adding the searchable plugin to my project, I realized that access to its controllers was not restricted and was open to everyone. This was a major security concern. There are many ways of restricting access, such as doing it manually in filters, but since I am using the spring security plugin there is a better way: it allows you to define mappings (static rules) in configuration for different user roles.
There are different ways of securing URLs with the spring security plugin. Since I am using annotations, I'll define the static rules for annotation mode only.
```groovy
// Config.groovy: URL patterns are Ant-style and must be written in lower case
grails.plugins.springsecurity.controllerAnnotations.staticRules = [
    '/console/**':    ['ROLE_ADMIN'],
    '/searchable/**': ['ROLE_ADMIN']
]
```
By doing this I blocked access to the console and searchable controllers for everyone except users with the role "ROLE_ADMIN".
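To see how these rules are applied, here is an added Python model of the plugin's Ant-style URL matching (my example, not the Grails plugin's own code). It assumes first-match-wins, lower-cased comparison, and that a URL with no rule is permitted; in the real plugin the last point depends on the `rejectIfNoRule` setting, and the audit helper at the end is a hypothetical name.

```python
import re

# Constructed copy of the static rules from the post.
STATIC_RULES = {
    '/console/**':    ['ROLE_ADMIN'],
    '/searchable/**': ['ROLE_ADMIN'],
}


def ant_to_regex(pattern):
    """Translate an Ant-style pattern: '**' = any path, '*' = one segment, '?' = one char."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('/**', i):   # '/console/**' should also match bare '/console'
            out.append('(/.*)?')
            i += 3
        elif pattern.startswith('**', i):
            out.append('.*')
            i += 2
        elif pattern[i] == '*':
            out.append('[^/]*')
            i += 1
        elif pattern[i] == '?':
            out.append('[^/]')
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile('^' + ''.join(out) + '$')


def rule_for(path):
    """Return the role list of the first rule matching the (lower-cased) request path, or None."""
    path = path.lower()  # the plugin compares request URLs in lower case
    for pattern, roles in STATIC_RULES.items():
        if ant_to_regex(pattern).match(path):
            return roles
    return None


def is_allowed(path, user_roles):
    required = rule_for(path)
    if required is None:
        return True  # assumption: no rule means permitted (see rejectIfNoRule in the plugin)
    return any(role in required for role in user_roles)


def unprotected(paths):
    """Hypothetical audit helper: which of these URLs have no static rule at all."""
    return [p for p in paths if rule_for(p) is None]
```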