I’m very happy with grails acegi plugin, aka Spring Security Plugin, but on my newest project I needed a finner grained way to do control access than using simple urls filters and roles.
I wanted a way to control which button, link, action of the current page the user can access. If the user has only read access to a page than the page is shown but edit action isn’t, because of this requirement using only roles to grant access isn’t enough and could easily became a mess if I create one role per action. Use urls filters won’t work because most urls are generated by ZK framework and hence are non predictable.
The solution is fully based on SpringSecurity capabilities and should work on every project that uses it independent of plugins or frameworks that I use.