Grails 7 - grails-spring-security Doc - default approach
Expected Behavior
grails-spring-security uses the pessimistic approach by default, as it says in section 4.1, Pessimistic Lockdown. This is true; I have tested it.
Actual Behaviour
But section 1.1.3 of the grails-spring-security doc presumes the public approach by default. Methods in the controller should be locked down by @Secured(['ROLE_USER']).
Steps To Reproduce
See sections 1.1.3 and 4.1 of the Spring Security Core Plugin - Reference Documentation
Environment Information
java=21.0.8-zulu gradle=8.14.3 groovy=4.0.28 grails=7.0.0-RC2
Example Application
No response
Version
7
@Secured(['ROLE_USER']) is not necessary to test 401/403, but is useful to test 200 for an authenticated and authorized user. We should make this more clear.
https://github.com/apache/grails-spring-security/blob/5de214c90a2ebf38242461b2cfb1f65c0265d800/plugin-core/docs/src/docs/introduction/installation.adoc?plain=1#L77-L83