Re: [PR] Add YAML examples for staticRules and interceptUrlMap [grails-spring-security]

Wed, 18 Feb 2026 17:50:25 -0800 


jamesfredley commented on code in PR #1206:
URL: 
https://github.com/apache/grails-spring-security/pull/1206#discussion_r2825266066


##########
plugin-core/docs/src/docs/requestMappings/securedAnnotations.adoc:
##########
@@ -145,19 +145,70 @@ class Thing {
 
 ==== controllerAnnotations.staticRules
 
-You can also define "`static`" mappings that cannot be expressed in the 
controllers, such as '/pass:[**]' or for JavaScript, CSS, or image URLs. Use 
the `controllerAnnotations.staticRules` property, for example:
+You can also define "`static`" mappings that cannot be expressed in the 
controllers, such as '/pass:[**]' or for JavaScript, CSS, or image URLs. Use 
the `controllerAnnotations.staticRules` property.
+
+In `application.groovy`:
 
 [source,groovy]
+.Listing {counter:listing}. Static rules in `application.groovy`
 ----
 grails.plugin.springsecurity.controllerAnnotations.staticRules = [
-   ...
    [pattern: '/js/admin/**',   access: ['ROLE_ADMIN']],
    [pattern: '/someplugin/**', access: ['ROLE_ADMIN']]
 ]
 ----
 
+Or equivalently in `application.yml`:
+
+[source,yaml]
+.Listing {counter:listing}. Static rules in `application.yml` (flow mapping)
+----
+grails:
+    plugin:
+        springsecurity:
+            controllerAnnotations:
+                staticRules:
+                    - { pattern: '/js/admin/**',   access: ['ROLE_ADMIN'] }
+                    - { pattern: '/someplugin/**', access: ['ROLE_ADMIN'] }
+----
+
+Block mapping syntax also works:
+
+[source,yaml]
+.Listing {counter:listing}. Static rules in `application.yml` (block mapping)
+----
+grails:
+    plugin:
+        springsecurity:
+            controllerAnnotations:
+                staticRules:
+                    - pattern: '/js/admin/**'
+                      access:
+                          - ROLE_ADMIN
+                    - pattern: '/someplugin/**'
+                      access:
+                          - ROLE_ADMIN
+----
+
 This example maps all URLs associated with `SomePluginController`, which has 
URLs of the form `/somePlugin/...`, to `ROLE_ADMIN`; annotations are not an 
option here because you would not edit plugin code for a change like this.
 
+[IMPORTANT]
+====
+The `staticRules` value must be a *List* of Maps. A common YAML mistake is 
omitting the `-` list indicator, which produces a single Map instead:
+
+[source,yaml]
+.Listing {counter:listing}. Incorrect - single Map instead of List of Maps
+----
+# WRONG - this is a Map, not a List of Maps
+staticRules:
+    pattern: '/**'
+    access:
+        - permitAll

Review Comment:
   Fixed in 9cc31a2 - expanded the incorrect example to include the full 
`grails.plugin.springsecurity.controllerAnnotations` path.



##########
plugin-core/docs/src/docs/requestMappings/securedAnnotations.adoc:
##########
@@ -145,19 +145,70 @@ class Thing {
 
 ==== controllerAnnotations.staticRules
 
-You can also define "`static`" mappings that cannot be expressed in the 
controllers, such as '/pass:[**]' or for JavaScript, CSS, or image URLs. Use 
the `controllerAnnotations.staticRules` property, for example:
+You can also define "`static`" mappings that cannot be expressed in the 
controllers, such as '/pass:[**]' or for JavaScript, CSS, or image URLs. Use 
the `controllerAnnotations.staticRules` property.
+
+In `application.groovy`:
 
 [source,groovy]
+.Listing {counter:listing}. Static rules in `application.groovy`
 ----
 grails.plugin.springsecurity.controllerAnnotations.staticRules = [
-   ...
    [pattern: '/js/admin/**',   access: ['ROLE_ADMIN']],
    [pattern: '/someplugin/**', access: ['ROLE_ADMIN']]
 ]
 ----
 
+Or equivalently in `application.yml`:
+
+[source,yaml]
+.Listing {counter:listing}. Static rules in `application.yml` (flow mapping)
+----
+grails:
+    plugin:
+        springsecurity:
+            controllerAnnotations:
+                staticRules:
+                    - { pattern: '/js/admin/**',   access: ['ROLE_ADMIN'] }
+                    - { pattern: '/someplugin/**', access: ['ROLE_ADMIN'] }
+----
+
+Block mapping syntax also works:
+
+[source,yaml]
+.Listing {counter:listing}. Static rules in `application.yml` (block mapping)
+----
+grails:
+    plugin:
+        springsecurity:
+            controllerAnnotations:
+                staticRules:
+                    - pattern: '/js/admin/**'
+                      access:
+                          - ROLE_ADMIN
+                    - pattern: '/someplugin/**'
+                      access:
+                          - ROLE_ADMIN
+----
+
 This example maps all URLs associated with `SomePluginController`, which has 
URLs of the form `/somePlugin/...`, to `ROLE_ADMIN`; annotations are not an 
option here because you would not edit plugin code for a change like this.

Review Comment:
   Fixed in 9cc31a2 - changed the prose to `/someplugin/...` to match the URL 
patterns.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to