Note I am using Grails 2.0.4 and spring security core plugin 1.2.7.2

This appears to be a bug but I want to make sure I’m doing things correctly first. Basically, I want certain URLs secured with HTTPS, and the rest not, seems very standard. If a user goes to a non-secure URL, I don’t want them staying on HTTPS. Everything works fine until I add this line to accomplish the last point:

    '/**':          'REQUIRES_INSECURE_CHANNEL'

at which point for some reason all my secure controller names get rewritten with ‘grails’ and things break horribly. So for example if I go to

http://localhost:8080/login/index

it becomes

http://localhost:8080/grails/auth/index.dispatch 

(‘grails’ is not the name of my app nor do I have any controller named ‘grails’ – my app runs at root)

If I remove that entry for root wildcard, everything works fine, I no longer get that weird ‘grails’ in my URL, although I stay on https outside the pages I want secured.

Here is my full configuration. Note that secure pages don’t try and load any insecure resources that I can see, only things defined under ‘ANY_CHANNEL’

grails.plugins.springsecurity.secureChannel.definition = [
        '/login/**':         'REQUIRES_SECURE_CHANNEL',
        '/register/**':         'REQUIRES_SECURE_CHANNEL',
        '/changePassword/**':         'REQUIRES_SECURE_CHANNEL',
        '/userAccountManagement/**':    'REQUIRES_SECURE_CHANNEL',


        '/simpleCaptcha/**': 'ANY_CHANNEL',
        '/img/**':        'ANY_CHANNEL',
        '/images/**':        'ANY_CHANNEL',
        '/static/**':        'ANY_CHANNEL',

        '/**':          'REQUIRES_INSECURE_CHANNEL'  //remove this, everything OK

]