How to configure Spring security in Grails

Following are the steps to configure spring security in grails:

1. Create project using  command grails create-app projectName.

2.  Configure Spring security core

First of all, we have to install Spring Security Core plugin into our project. Edit  BuildConfig.groovy and modify the plugins section as below:

plugins {

// plugins for the build system only
build “:tomcat:7.0.42″

// plugins for the compile step
compile “:scaffolding:2.0.0″
compile ‘:cache:1.1.1′

// plugins needed at runtime but not for compilation
runtime “:hibernate:″ // or “:hibernate4:″
runtime “:database-migration:1.3.5″
runtime “:jquery:1.10.2″ // <– If using 1.8.3, update to this version
runtime “:resources:1.2″

compile ‘:spring-security-core:2.0-RC2′ //Added


Then run (optionally grails cleangrails compile while in project’s directory to have the plugin installed.

3. Let Spring Security Core plugin to create required  models and controllers for us. For that we have to run command


This will create 3 domain classes User, Role and UserRole.

And also in controller it will create 2 controllers LoginController and LogoutController which along with views/login/auth.gsp and views/login/denied.gsp.

4. Add the end of Config.groovy file you can see these lines added by spring security plugin

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName =      ‘’
grails.plugin.springsecurity.userLookup.authorityJoinClassName       = ‘’
grails.plugin.springsecurity.authority.className =     ‘’

5. At this step, Spring Security Core is configured properly.

Edit  BootStrap.groovy to tell Grails about our sample    users/roles.


class BootStrap {

def init = { servletContext ->
def adminRole = new Role(authority: ‘ROLE_ADMIN’).save(flush: true)
def userRole = new Role(authority: ‘ROLE_USER’).save(flush: true)

def testUser = new User(username: ‘admin’, enabled: true, password: ‘admin’) true)

UserRole.create testUser, adminRole, true

assert User.count() == 1
assert Role.count() == 2
assert UserRole.count() == 1

def destroy = {

6. Now you can use @Secured to to secure access to methods of controller based on roles. For example,


def index(){

render ‘Some sensitive data’



ProsperaSoft offers Grails development solutions. You can email at to get in touch with ProsperaSoft Grails experts and consultants.