I think you have to use
grails.plugins.springsecurity.controllerAnnotations.staticRules = [
'/itemrest/**': ['IS_AUTHENTICATED_FULLY'],
//this will be redundant after the above rule I guess
'/api/**': ['IS_AUTHENTICATED_FULLY']
]
Urls which are not mapped in urlMapping has to refer the controller
directly in the rules. Have a look at the warning under controllerAnnotations.staticRules
in the docs.
When mapping URLs for controllers that are mapped in UrlMappings.groovy, you need to secure the un-url-mapped URLs. For example if you have a FooBarController that you map to /foo/bar/$action, you must register that in controllerAnnotations.staticRules as /foobar/**. This is different than the mapping you would use for the other two approaches and is necessary because controllerAnnotations.staticRules entries are treated as if they were annotations on the corresponding controller.