source: trunk/grails-app/conf/SecurityConfig.groovy @ 138

security {

    def authenticateService

        // see DefaultSecurityConfig.groovy for all settable/overridable properties

        active = true

        loginUserDomainClass = "Person"
    userName = 'loginName'
    password = 'password'
    enabled = 'isActive'

        authorityDomainClass = "Authority"

    //Required if we want to run "grails generate-manager"
    //Which recreates the controller and views, so save the views!
//     requestMapClass = 'Requestmap'

    useRequestMapDomainClass = false
    useControllerAnnotations = true

    //Set true especially if used across the internet.
    forceHttps = 'false'

    //Pessimistic locking, deny access to all URLs that don't 
    //have an applicable URL-Role configuration.
    //This forces us to set an annotation, static rule or
    //extend BaseController and prevents accidentally leaving pages open.
    controllerAnnotationsRejectIfNoRule = true
    
    //Static rules for controllers, actions and urls.
    //Since we are using pessimistic locking we have to set some things
    //here but most security should be set in the controllers.
    controllerAnnotationStaticRules = [
    '/': ['IS_AUTHENTICATED_FULLY'],
    '/index.gsp': ['IS_AUTHENTICATED_FULLY'],
    '/css/*': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/plugins/help-balloons-1.2/**': ['IS_AUTHENTICATED_FULLY'],
     '/plugins/richui-0.6/**': ['IS_AUTHENTICATED_FULLY'],
     '/plugins/class-diagram-0.3/**': ['IS_AUTHENTICATED_FULLY'],
    '/classDiagram/**': ['IS_AUTHENTICATED_FULLY'],
    '/login*': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/logout*': ['IS_AUTHENTICATED_FULLY'],
    '/logout/**': ['IS_AUTHENTICATED_FULLY']
    ]

    //We always want to go to the home page so that bookmarks are not used.
    defaultTargetUrl = '/appCore/welcome'
    alwaysUseDefaultTargetUrl = true

    //User caching, turned this off so that password changes take effect.
    //It would appear that user is still in the session as logout/login
    // is still required for role changes to take effect.
    //If this option causes high database load try:
    //  import org.acegisecurity.providers.dao.DaoAuthenticationProvider
    //  import org.acegisecurity.context.SecurityContextHolder
    //  DaoAuthenticationProvider daoAuthenticationProvider 
    //  def user = SecurityContextHolder.context.authentication.principal.username 
    //  daoAuthenticationProvider.userCache.removeUserFromCache(user)
    //  in logout controller and perhaps on password change and role change.
    cacheUsers = false

//    //List for and events and run the closure(s) that follow.
//    //Unfortunately the session is not available yet so many things can't be done here, us an defaultTargetUrl and controller.
//    useSecurityEventListener = true
//
//    onAuthenticationSuccessEvent = { e, appCtx ->
//        def p = e.source.principal
//        def personInstance = Person.findByLoginName(p.username)
//        println p.username
//        println personInstance.loginName
//        println personInstance.firstName
//    }

}