spring security core secure custom url

I am using grails 2.3.9 and spring-security-core:2.0-RC3 and using staticRules for security.

I have following security configurations in Config file:

grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.mkb.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.mkb.UserRole'
grails.plugin.springsecurity.authority.className = 'com.mkb.Role'
grails.plugin.springsecurity.useSwitchUserFilter = true
grails.plugin.springsecurity.logout.postOnly = false
grails.plugin.springsecurity.adh.errorPage = null
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/': ['permitAll'],
    '/index': ['permitAll'],
    '/index.gsp': ['permitAll'],
    '/**/js/**': ['permitAll'],
    '/**/css/**': ['permitAll'],
    '/**/images/**': ['permitAll'],
    '/**/favicon.ico': ['permitAll'],

    '/controllerC/**': ['ROLE_USER'],

    '/**': ['permitAll']
]

These security configurations work fine.

Now I have following URL mappings

"/test/controllerA/$action?/$id?(.${format})?"(controller: 'controllerA')
"/test/controllerB/$action?/$id?(.${format})?"(controller: 'controllerB')

and I need to set the security for the URLs that have /test/ in them, i.e., the URLs myDomain.com/test/controllerA/** and myDomain.com/test/controllerB/** are accessible to users that have the ROLE_ABC role.

I have tried with

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/': ['permitAll'],
    '/index': ['permitAll'],
    '/index.gsp': ['permitAll'],
    '/**/js/**': ['permitAll'],
    '/**/css/**': ['permitAll'],
    '/**/images/**': ['permitAll'],
    '/**/favicon.ico': ['permitAll'],

    '/test/**': ['ROLE_ABC'],

    '/**': ['permitAll']        
]

but this did not work; any user can access the controllers.

How do I define the security?

NOTE: I cannot use @Secured annotations. I need the security in Config only.

MKB asked Mar 19 '23 16:03


1 Answer

You would have to explicitly specify the controllers in static rules as below:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    ...

    '/controllerA/**': ['ROLE_ABC'],
    '/controllerB/**': ['ROLE_ABC'],

    ....
]

I think this is exactly what you already have for controllerC:

'/controllerC/**': ['ROLE_USER'],

Refer to this answer for details. As the docs suggest, this is also applicable to controllers from plugins, where @Secured cannot be used if the source code is unreachable.

dmahapatro answered Apr 06 '23 05:04
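Added example, not part of the question or the answer above and not code from the spring-security-core plugin: a small Python model of how an Ant-style staticRules pattern is evaluated, to make the failure visible. It assumes (my reading of the plugin's documented behaviour, not verified against its source) that in controllerAnnotations mode the pattern is compared, case-insensitively, against the internal /controller/action URL rather than the request URL produced by UrlMappings, and that when several patterns match, the longest one wins. The conclusion does not depend on that tie-break: under a first-match policy '/test/**' still never matches, so the catch-all '/**': ['permitAll'] decides. The two rule maps are copied from the question and the answer; `ant_match`, `controller_url`, `resolve` and the constant names are my own.

```python
import re

# Rules the asker tried (copied from the question): the /test/ pattern
# describes the *request* URL created by the custom UrlMappings.
ATTEMPTED_RULES = {
    "/": ["permitAll"],
    "/index": ["permitAll"],
    "/index.gsp": ["permitAll"],
    "/**/js/**": ["permitAll"],
    "/**/css/**": ["permitAll"],
    "/**/images/**": ["permitAll"],
    "/**/favicon.ico": ["permitAll"],
    "/test/**": ["ROLE_ABC"],
    "/**": ["permitAll"],
}

# Rules as the answer suggests: patterns name the controllers themselves.
ANSWER_RULES = {
    "/": ["permitAll"],
    "/index": ["permitAll"],
    "/index.gsp": ["permitAll"],
    "/**/js/**": ["permitAll"],
    "/**/css/**": ["permitAll"],
    "/**/images/**": ["permitAll"],
    "/**/favicon.ico": ["permitAll"],
    "/controllerA/**": ["ROLE_ABC"],
    "/controllerB/**": ["ROLE_ABC"],
    "/**": ["permitAll"],
}


def _segment_matches(pattern_seg: str, path_seg: str) -> bool:
    """Match a single path segment: '*' is any run of characters, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern_seg
    )
    return re.fullmatch(regex, path_seg) is not None


def ant_match(pattern: str, path: str) -> bool:
    """Ant-style path matching where '**' spans zero or more whole segments."""
    def rec(pat, segs):
        if not pat:
            return not segs
        if pat[0] == "**":
            # '**' may consume any number of leading segments, including none.
            return any(rec(pat[1:], segs[i:]) for i in range(len(segs) + 1))
        if not segs or not _segment_matches(pat[0], segs[0]):
            return False
        return rec(pat[1:], segs[1:])

    return rec(pattern.strip("/").split("/"), path.strip("/").split("/"))


def controller_url(controller: str, action: str = "index") -> str:
    """The internal URL the rules are compared against (assumption: /controller/action, lower-cased)."""
    return f"/{controller}/{action}".lower()


def resolve(static_rules: dict, url: str):
    """Return (pattern, attributes) of the most specific matching rule, or None.

    Assumption: the longest matching pattern wins. The examples below give the
    same outcome under a first-match policy.
    """
    best = None
    for pattern, attrs in static_rules.items():
        if ant_match(pattern.lower(), url.lower()) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, attrs)
    return best


if __name__ == "__main__":
    request_url = "/test/controllerA/index"      # what the browser sends
    internal = controller_url("controllerA")     # what the rules are matched against
    print("pattern matches request URL: ", ant_match("/test/**", request_url))
    print("pattern matches internal URL:", ant_match("/test/**", internal))
    print("attempted rules ->", resolve(ATTEMPTED_RULES, internal))
    print("answer rules    ->", resolve(ANSWER_RULES, internal))
```

Running it shows that '/test/**' is a perfectly good pattern for the request URL but never sees the internal '/controllera/index', so the attempted configuration falls through to '/**' and grants access to everyone; the controller-named rules from the answer resolve to ROLE_ABC for both controllers regardless of which action or URL mapping is used.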