
Grails Spring Security plugin and dbconsole

I use grails 2.4.3 and have installed the official grails security plugin

compile ":spring-security-core:2.0-RC4"

Before installing the plugin, I was able to access the Database console page using the URL

http://localhost:8080/tobu/dbconsole

However, after installing the plugin, I am not able to do so. I get the default login screen when I try to access the above-mentioned URL, and logging in through any user account shows the "access denied" page. How do I resolve this issue?

grails.project.groupId = appName 

grails.mime.disable.accept.header.userAgents = ['Gecko', 'WebKit', 'Presto', 'Trident']
grails.mime.types = [ // the first one is the default format
all:           '*/*', // 'all' maps to '*' or the first available format in withFormat
atom:          'application/atom+xml',
css:           'text/css',
csv:           'text/csv',
form:          'application/x-www-form-urlencoded',
html:          ['text/html','application/xhtml+xml'],
js:            'text/javascript',
json:          ['application/json', 'text/json'],
multipartForm: 'multipart/form-data',
rss:           'application/rss+xml',
text:          'text/plain',
hal:           ['application/hal+json','application/hal+xml'],
xml:           ['text/xml', 'application/xml']
]

grails.views.default.codec = "html"

grails.controllers.defaultScope = 'singleton'

grails {
views {
    gsp {
        encoding = 'UTF-8'
        htmlcodec = 'xml' // use xml escaping instead of HTML4 escaping
        codecs {
            expression = 'html' // escapes values inside ${}
            scriptlet = 'html' // escapes output from scriptlets in GSPs
            taglib = 'none' // escapes output from taglibs
            staticparts = 'none' // escapes output from static template parts
        }
    }
    // escapes all not-encoded output at final stage of outputting
    // filteringCodecForContentType.'text/html' = 'html'
}
}


grails.converters.encoding = "UTF-8"
grails.scaffolding.templates.domainSuffix = 'Instance'

grails.json.legacy.builder = false
grails.enable.native2ascii = true
grails.spring.bean.packages = []
grails.web.disable.multipart=false

grails.exceptionresolver.params.exclude = ['password']

grails.hibernate.cache.queries = false

grails.hibernate.osiv.readonly = false

environments {
development {
    grails.logging.jul.usebridge = true
}
production {
    grails.logging.jul.usebridge = false
    // TODO: grails.serverURL = "http://www.changeme.com"
}
}

log4j.main = {
// Example of changing the log pattern for the default console appender:
//
//appenders {
//    console name:'stdout', layout:pattern(conversionPattern: '%c{2} %m%n')
//}

error  'org.codehaus.groovy.grails.web.servlet',        // controllers
       'org.codehaus.groovy.grails.web.pages',          // GSP
       'org.codehaus.groovy.grails.web.sitemesh',       // layouts
       'org.codehaus.groovy.grails.web.mapping.filter', // URL mapping
       'org.codehaus.groovy.grails.web.mapping',        // URL mapping
       'org.codehaus.groovy.grails.commons',            // core / classloading
       'org.codehaus.groovy.grails.plugins',            // plugins
       'org.codehaus.groovy.grails.orm.hibernate',      // hibernate integration
       'org.springframework',
       'org.hibernate',
       'net.sf.ehcache.hibernate'
}


// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'tobu.Actor'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'tobu.ActorRole'
grails.plugin.springsecurity.authority.className = 'tobu.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/':                              ['permitAll'],
'/dbconsole':                     ['permitAll'],
'/index':                         ['permitAll'],
'/index.gsp':                     ['permitAll'],
'/assets/**':                     ['permitAll'],
'/**/js/**':                      ['permitAll'],
'/**/css/**':                     ['permitAll'],
'/**/images/**':                  ['permitAll'],
'/**/favicon.ico':                ['permitAll']
 ]

I had to make the following change to the static rules in the configuration file.

'/dbconsole/**':                  ['ROLE_USER'],

2019 UPDATE

I needed to tweak Shashank's answer a bit for it to work for me. I'm using Grails 3.3.9 and spring-security-core 3.2.3.

I had to add this line to the file grails-app/conf/application.groovy

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    //.......
    [pattern: '/dbconsole/**',   access: ['ROLE_USER']] 
]

I wanted to have the dbconsole accessible without my custom authentication made using the Spring Security Core plugin (the dbconsole has its own login page and it's enabled for the dev environment only). Originally, I was trying the following static rule in the grails-app/conf/application.groovy file:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/dbconsole',      access: ['permitAll']],
    // ... other rules
]

...which didn't have any effect. I have always been redirected to Spring Security Core's login page.

After reading the other answers to this question, I have managed to create a working static rule so http://localhost:8080/dbconsole is not secured by the Spring Security Core plugin anymore:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    [pattern: '/dbconsole/**',   access: ['permitAll']],
    // ... other rules
]

The trick is to create a static rule for /dbconsole and all sub-paths (when dbconsole is accessed, it redirects to a login page located at dbconsole/login.jsp), which is why the double stars are needed.
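Why the exact `/dbconsole` pattern leaves the console's login page uncovered, shown as an added example that is not part of any answer above. It checks the two rule sets from this page against Spring's `AntPathMatcher`. Assumptions: the plugin matches these patterns the same way, `ruleFor` and the rule-set names are hypothetical, the rule lists are constructed, and the `spring-core` version in `@Grab` is only an illustrative choice.

```groovy
// Run with `groovy` (the @Grab line fetches spring-core on first use).
@Grab('org.springframework:spring-core:5.3.30') // assumed version, any recent one works
import org.springframework.util.AntPathMatcher

def matcher = new AntPathMatcher()

// Constructed rule sets mirroring the ones discussed on this page
// (Grails 3 list-of-maps form).
def exactOnly = [
    [pattern: '/',             access: ['permitAll']],
    [pattern: '/dbconsole',    access: ['permitAll']],
    [pattern: '/assets/**',    access: ['permitAll']],
]
def withSubPaths = [
    [pattern: '/',             access: ['permitAll']],
    [pattern: '/dbconsole/**', access: ['permitAll']],
    [pattern: '/assets/**',    access: ['permitAll']],
]

// Hypothetical helper: the first matching rule wins; null means no rule
// covers the URL, so the request is left to the plugin's default handling.
def ruleFor = { List rules, String url ->
    rules.find { matcher.match(it.pattern, url) }
}

// URLs the console touches: the entry point, then the login page it redirects to.
def urls = ['/dbconsole', '/dbconsole/login.jsp']

[exactOnly: exactOnly, withSubPaths: withSubPaths].each { name, rules ->
    urls.each { url ->
        def rule = ruleFor(rules, url)
        println "${name.padRight(12)} ${url.padRight(22)} -> " +
                (rule ? "${rule.pattern} ${rule.access}" : 'no rule matched')
    }
}

// The exact pattern covers only the entry point, not the redirect target.
assert ruleFor(exactOnly, '/dbconsole')
assert !ruleFor(exactOnly, '/dbconsole/login.jsp')

// '/dbconsole/**' covers both the bare path and everything beneath it.
assert ruleFor(withSubPaths, '/dbconsole').pattern == '/dbconsole/**'
assert ruleFor(withSubPaths, '/dbconsole/login.jsp').pattern == '/dbconsole/**'
```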
