常用方法注解：

@Secured(['ROLE_ADMIN']) // 只允许ROLE_ADMIN这个角色访问
def adminAction = {
}
@Secured(['IS_AUTHENTICATED_FULLY'])
@Secured(['ROLE_USER', 'IS_AUTHENTICATED_FULLY'])


传入表达式：

@PreAuthorize('permitAll()')
@PreAuthorize('isFullyAuthenticated()')
@PreAuthorize('isAuthenticated() and principal?.username == #note.author.username')
@PostAuthorize('isAuthenticated() and principal.username == returnObject.author.username') 
@PreAuthorize("@securityService.canRemoveNote(#id)")
@PreAuthorize("hasPermission(#id, 'com.mscharhag.Note', 'remove')")

允许非post方式注销

grails.plugin.springsecurity.logout.postOnly = false
指定加密方式

grails.plugin.springsecurity.password.algorithm = 'bcrypt'  //默认为bcrypt   SHA-256   pbkdf2等等

注入服务

def springSecurityService

获取登录用户

def username = springSecurityService?.principal?.username

获取登录用户角色(集合)

def roles = springSecurityService.getPrincipal().getAuthorities() //or springSecurityService.authentication.authorities //or springSecurityService?.principal?.authorities

清理requestmap缓存

springSecurityService.clearCachedRequestmaps()

gsp页面标签

//未登录
<sec:ifNotLoggedIn>
    登录
</sec:ifNotLoggedIn>

//已登录
<sec:ifLoggedIn>
    <sec:username/>
</sec:ifLoggedIn>

<!--同时匹配 -->
<sec:ifAllGranted roles="ROLE_ADMIN,ROLE_USER">
    ...
</sec:ifAllGranted>

<!--匹配任意一个 -->
<sec:ifAnyGranted roles='ROLE_ADMIN,ROLE_USER'>
    ...
</sec:ifAnyGranted>

<!--匹配非ROLE_USER角色 -->
<sec:ifNotGranted roles="ROLE_USER">
    ...
</sec:ifNotGranted>

<!--获取当前登录用户 -->
<sec:loggedInUserInfo field="username"/>

<!--匹配指定角色 -->
<sec:access expression="hasRole('ROLE_USER')">
    I'm a user.
</sec:access>

<!--匹配指定请求 -->
<sec:access url="/admin/user">
    The requestURL is "/admin/user"
</sec:access>