Rafael

Reputation: 2676

Combination of security access constraints using Grails

I am using spring-security-core + spring-security-rest, and in most endpoints I am using URL static rules in Config.groovy

e.g.

'/app/clientdata/**':              ['IS_AUTHENTICATED_FULLY'],
'/app/opendata/**':                ['permitAll'],    
'/app/secretdata/**':              ['hasRole("ADMIN_ROLE")'],

However, for some endpoints I am interested in restrictions by HTTP METHOD (get, post, ...) or by object method.

The question is ... should/can I mix different security approaches (URL static rules + annotation based on class, on method)?

and

Are there any options that allow me to restrict based on HTTP METHOD ... e.g. some methods with one role, others with another role?

Thanks,

Upvotes: 0

Views: 55

Answers (2)

Rafael

Reputation: 2676

Also, as I've experienced, it's totally possible to mix these two different ways, so you can define a '/app/opendata/**':['permitAll'] and later define a more restrictive constraint at object method level using @Secured(["ROLE_XXX"]).

Upvotes: 0

Burt Beckwith

Reputation: 75671

Yes, but it's new and not documented yet. Instead of using a simple map like the current style, where the key is the pattern and the value is the list of roles and expressions, each line is a map with three keys: pattern, access, and httpMethod, with httpMethod being optional for each line. So it would look something like:

[
   [pattern: '/app/clientdata/**', access: ['IS_AUTHENTICATED_FULLY'], httpMethod: 'GET'],
   [pattern: '/app/opendata/**', access: ['permitAll']],
   [pattern: '/app/secretdata/**', access: ['hasRole("ADMIN_ROLE")'], httpMethod: 'POST']
]

Upvotes: 1
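Putting both answers together, here is an added example (not from either answer) of a Config.groovy that gives the same URL pattern different roles per HTTP verb, next to a hypothetical controller that tightens one action with @Secured. It assumes spring-security-core 2.x in the default Annotation mode, that the list-of-maps format is accepted for controllerAnnotations.staticRules as well, and that the application's UrlMappings routes /app/opendata/** to OpenDataController; role names and the controller are constructed for the example.

```groovy
// grails-app/conf/Config.groovy (assumed: spring-security-core 2.x, default
// securityConfigType 'Annotation', so static rules and @Secured coexist)
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
   // One URL pattern, a different requirement per verb: reads for any
   // logged-in user, writes for admins only. Entries with the same pattern
   // are checked in order, so the verb-specific ones come before the catch-all.
   [pattern: '/app/clientdata/**', access: ['IS_AUTHENTICATED_FULLY'], httpMethod: 'GET'],
   [pattern: '/app/clientdata/**', access: ['hasRole("ROLE_ADMIN")'],  httpMethod: 'POST'],
   [pattern: '/app/clientdata/**', access: ['hasRole("ROLE_ADMIN")'],  httpMethod: 'PUT'],
   [pattern: '/app/clientdata/**', access: ['hasRole("ROLE_ADMIN")'],  httpMethod: 'DELETE'],
   // Without httpMethod the rule covers every remaining verb (PATCH, OPTIONS, ...);
   // deny them explicitly rather than leaving them implicitly open.
   [pattern: '/app/clientdata/**', access: ['denyAll']],
   [pattern: '/app/opendata/**',   access: ['permitAll']],
   [pattern: '/app/secretdata/**', access: ['hasRole("ROLE_ADMIN")']],
   // Anything not listed above is denied (fail closed).
   [pattern: '/**',                access: ['denyAll']]
]

// grails-app/controllers/OpenDataController.groovy (hypothetical controller,
// assumed to be reached via /app/opendata/** in UrlMappings).
// The static rule opens /app/opendata/** to everyone; the annotation on
// 'export' applies to a more specific URL and so restricts that one action,
// which is the mixing Rafael's answer describes.
import grails.plugin.springsecurity.annotation.Secured

class OpenDataController {

    // Covered only by the permitAll static rule: anyone can call it.
    def index() {
        render 'public data'
    }

    // ROLE_AUDITOR is a constructed role name for the example.
    @Secured(['ROLE_AUDITOR'])
    def export() {
        render 'audit export'
    }
}
```

Verify the result by requesting GET and POST on /app/clientdata as an ordinary authenticated user: the GET should succeed and the POST should be rejected with 403.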
