Grails 7 - grails-spring-security Doc - Static Request Map

[arjangch]

Expected Behavior

I am following doc https://apache.github.io/grails-spring-security/7.0.x/core-plugin/guide/index.html section 4.5. Static Map. If i don't add securityConfigType line, everything works fine as expected.
grails.plugin.springsecurity.securityConfigType = "InterceptUrlMap"
then I add static rules
grails.plugin.springsecurity.controllerAnnotations.staticRules = [ ... ] grails.plugin.springsecurity.filterChain.chainMap = [ ... ]
But if i add this securityConfigType line (as document says i should) i get not authorized error.

Actual Behaviour

when i add the line securityConfigType, i get not authorized. For example index page is permitAll but still I get not authorized.
[pattern: '/assets/**', access: ['permitAll']], [pattern: '/index', access: ['permitAll']], [pattern: '/index.gsp', access: ['permitAll']],
Confusing part is, /assets/ are permitted. This works http://localhost:8083/example3/assets/grails.svg but this is not authorized http://localhost:8083/example3/

Steps To Reproduce

See my Example3 config
Am i configuring this wrong?

Environment Information

java=21.0.8-zulu
gradle=8.14.3
groovy=4.0.28
grails=7.0.0-RC2

Example Application

https://github.com/arjangch/grails-project-helper/blob/main/example3

Version

7.0.0-RC2

[bkoehm]

I don't see where in the docs that it says to use securityConfigType = "InterceptUrlMap" when using controllerAnnotations.staticRules. The only time that securityConfigType="InterceptUrlMap" is used is when springsecurity.interceptUrlMap is in use instead of controllerAnnotations.staticRules. Looking through the docs, the docs seem consistent on this, so I don't see anything in the docs that need to be corrected.

What I do generally agree on is that supporting both controllerAnnotations.staticRules and springsecurity.interceptUrlMap is confusing and I'm not sure why there is a need for both. This recently came up in the comments of PR #1182 (which was in response to your #1181). Neither @matrei nor I know why interceptUrlMap would be used over staticRules.

I do think it's worth a discussion, perhaps on the mailing list, about the purpose of interceptUrlMap and whether we should be still keeping it around. At the very least, we should clarify the differences between the two in the documentation, but for that to happen, we need to collectively figure out what those differences are.

[jamesfredley]

They are very, very similar. interceptUrlMap is for one of the 3 configuration types and is meant to be used for all mappings. staticRules does the same thing, but works when the configuration type is set to annotation or requestmap as a supplement/hybrid.