Grails Security Annotations, @Secured(['ROLE_ADMIN']) not displaying content for role

StackOverflow https://stackoverflow.com/questions/21563074

  •  07-10-2022

Question

I'm trying to render some content for all users and some for ROLE_ADMIN. I can log in as both adminuser and useruser (authenticated via CAS) but see the same content for both.

Here's the controller

    package college.infotech.edu

    import grails.plugin.springsecurity.annotation.Secured

    class SecureController {

        @Secured(['ROLE_ADMIN', 'ROLE_USER'])
        def index() {
            render 'All Users see this'

            def showUserName
            render "<br />"
            render request.remoteUser

            @Secured(['ROLE_ADMIN'])
            def showAdmin = {
                render "<br />"
                render "admin users see this"
            }
        }
    }

Here's my BootStrap.groovy (which has been working and does authenticate via CAS):

 .......

    def init = { servletContext ->

        // two roles
        def adminRole = new Role(authority: 'ROLE_ADMIN').save(flush: true)
        def userRole = new Role(authority: 'ROLE_USER').save(flush: true)

        // two test accounts
        def testUser = new AppUser(username: 'adminuser', password: 'password', enabled: true,
                                   accountExpired: false, accountLocked: false, passwordExpired: false)
        testUser.save(flush: true)

        def testUser2 = new AppUser(username: 'useruser', password: 'password', enabled: true,
                                    accountExpired: false, accountLocked: false, passwordExpired: false)
        testUser2.save(flush: true)

        // adminuser -> ROLE_ADMIN, useruser -> ROLE_USER
        UserRole.create testUser, adminRole, true
        UserRole.create testUser2, userRole, true

        assert AppUser.count() == 2
        assert Role.count() == 2
        assert UserRole.count() == 2
    }

   .......

Here are some relevant log entries:

[http-bio-8080-exec-8] DEBUG intercept.FilterSecurityInterceptor  - Secure object: FilterInvocation: URL: /secure/index; Attributes: [ROLE_ADMIN, ROLE_USER]
[http-bio-8080-exec-8] DEBUG intercept.FilterSecurityInterceptor  - Previously Authenticated: org.springframework.security.cas.authentication.CasAuthenticationToken@5d4cb3a4: Principal: grails.plugin.springsecurity.userdetails.GrailsUser@17617e0a: Username: adminuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: CCFEACE94A4EC5FFB3B13ACA0E06BB1A; Granted Authorities: ROLE_ADMIN Assertion: org.jasig.cas.client.validation.AssertionImpl@37b7e6ad
[http-bio-8080-exec-8] DEBUG hierarchicalroles.RoleHierarchyImpl  - getReachableGrantedAuthorities() - From the roles [ROLE_ADMIN] one can reach [ROLE_ADMIN] in zero or more steps.
[http-bio-8080-exec-8] DEBUG intercept.FilterSecurityInterceptor  - Authorization successful

Solution

That's a weird-looking controller action. It's a method called index secured with either ROLE_ADMIN or ROLE_USER, with multiple render calls and a mysterious annotated showAdmin closure. In general you should only have one render call, and if Grails concatenates the rendered output from multiple calls for you, you should consider it a bug that will be fixed at some point.

The inner showAdmin closure isn't doing anything. It's just a closure in the middle of a method, and it's not called by Grails or your code. Since it's just an object inside a method, it's not seen by Grails as a callable action, and it's not seen by Spring Security as something to be guarded or processed.
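A corrected controller, as an added example that is not part of the question or the answer. It assumes the Grails Spring Security Core plugin API the question already uses (the grails.plugin.springsecurity package, plus SpringSecurityUtils.ifAllGranted for an in-action role check) and otherwise keeps the question's names. Each action makes exactly one render call; showAdmin becomes a real controller action, so the @Secured annotation is something the FilterSecurityInterceptor actually enforces (a ROLE_USER caller requesting /secure/showAdmin is denied instead of silently seeing or not seeing text); and the admin-only fragment inside index is gated by an explicit check against the current authentication's granted authorities. The HTML encoding of request.remoteUser is added here, not from the original.

```groovy
package college.infotech.edu

import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

// Added example (not the asker's or answerer's code). Assumes the Grails
// Spring Security Core plugin API used in the question.
class SecureController {

    // Any authenticated user holding one of these roles may call index.
    @Secured(['ROLE_ADMIN', 'ROLE_USER'])
    def index() {
        StringBuilder out = new StringBuilder()
        out << 'All Users see this<br />'
        // remoteUser comes from the CAS principal; encode before echoing it into HTML.
        out << "Logged in as: ${request.remoteUser?.encodeAsHTML()}<br />"

        // Role-conditional fragment inside a single action. This is checked
        // against the granted authorities of the current Authentication, so
        // useruser (ROLE_USER only) never gets this text.
        if (SpringSecurityUtils.ifAllGranted('ROLE_ADMIN')) {
            out << 'admin users see this<br />'
        }

        // One render call per action; do not rely on concatenated renders.
        render(text: out.toString(), contentType: 'text/html')
    }

    // A separate action, mapped to /secure/showAdmin. The annotation now sits
    // on a real controller action, so Spring Security guards the URL itself:
    // a caller without ROLE_ADMIN is rejected before this body runs.
    @Secured(['ROLE_ADMIN'])
    def showAdmin() {
        render(text: 'admin users see this', contentType: 'text/html')
    }
}
```

To check the fix, log in as useruser and request /secure/showAdmin: the FilterSecurityInterceptor debug line for that URL should show Attributes: [ROLE_ADMIN] and be followed by an access-denied outcome rather than "Authorization successful", while /secure/index renders without the admin fragment.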

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow