This is not a bug or anything in any framework, but it’s a very subtle error you can get when building a WAR file based on Grails 3.x using Spring Security plugin.

When annotating classes with @Secured annotation, it’s extremely important that you use the correct annotation.

You can actually use both :

import grails.plugin.springsecurity.annotation.Secured
import org.springframework.security.access.annotation.Secured

And both will work fine, running grails from command line or in as self contained jar file, but if you make a war file out of your project and deploy it to tomcat, you will see an error like this:

Caused by: org.grails.core.exceptions.GrailsConfigurationException: Error configuring dynamic methods for plugin [springSecurityCore:3.0.3]: null
at grails.plugins.DefaultGrailsPluginManager.doDynamicMethods(DefaultGrailsPluginManager.java:714)

and

Caused by: java.lang.NullPointerException
at grails.plugin.springsecurity.web.access.intercept.AnnotationFilterInvocationDefinition.findActionRoles(AnnotationFilterInvocationDefinition.groovy:453)
at grails.plugin.springsecurity.web.access.intercept.AnnotationFilterInvocationDefinition.findAnnotations(AnnotationFilterInvocationDefinition.groovy:420)

So what’s happening here is that if you use the org.springframework annotation in your classes, it will not work, since it will expect it to be the grails.plugin version of the annotation. Very subtle indeed.