My problem:

I would love to use the Spring Security plugin’s access control/authorization mechanism with my Grails application without having to use the plugin’s authentication mechanism. The various Grails Spring Security plugin examples (like this one) I’ve found combine these two functions. Is there an easy way to just do access control?

Background:

• I would like to add roles-based access control to my existing app. I would love to either just annotate my controllers or use the Config.groovy map approach for setting up the access control.
• My app already has a user domain class.
• The user domain class already handles encrypting passwords using BCrypt.
• The app does not have a "role" domain class.
• I already have controller actions, views and business logic for handling logging in and logging out. I have no interest in replacing this with the plugin’s implementation.

On the right track, but not quite helpful:

I know this is possible to do, as explained in this other question: BUT, that questions and its answers explains how to do it in a Java app using the raw Spring Security framework. I would love for someone to lay out how to do this in a way that is compatible with the latest version (1.2.7.3 as of this writing) of the Grails Spring Security plugin. I don’t want to reinvent wheels that have already been taken care of by the plugin.

In addition, this example explains how to do some of this, but it appears to be outdated because it is based on an older version of the plugin that uses Spring Security 2.x. It also only uses custom authentication for one piece of the app, while it looks like it still uses the Spring Security plugin’s domain classes elsewhere.

How to do it?

Can someone lay out an approach for me?
I assume I need to create my Role domain class.
After that I assume it will involve custom Authentication objects and the like. But how do I hook them into use the plugin’s existing code?