To enable HTTP Basic authentication for the REST login endpoint without relying on a server-side session (the filter chain below is stateless, so every request must carry its own `Authorization` header), make the following changes to your code.
UrlMappings.groovy
// REST login endpoint routed to ApiController.restLogin(). parseRequest
// lets Grails bind a JSON/XML request body onto the action's params.
'/api/restLogin'(parseRequest: true, controller: 'api', action: 'restLogin')
Config.groovy
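// Turns on the plugin's basic-auth support (and its basic.* config block,
// which resources.groovy reads for realmName/credentialsCharset).
grails.plugin.springsecurity.useBasicAuth = true
grails.plugin.springsecurity.basic.realmName = "Login to My Site"

// Keys are Ant-style path patterns and the FIRST matching key wins, so the
// specific API chain must come before the catch-all. A bare '/api/' would
// only match that exact path, not '/api/restLogin'; '/api/**' covers the
// whole subtree.
grails.plugin.springsecurity.filterChain.chainMap = [
    // Stateless HTTP Basic chain for the REST endpoints: the
    // statelessSecurityContextPersistenceFilter is backed by a
    // NullSecurityContextRepository, so nothing is kept in the session and
    // each request has to present its own Authorization header.
    '/api/**': 'statelessSecurityContextPersistenceFilter,logoutFilter,authenticationProcessingFilter,customBasicAuthenticationFilter,securityContextHolderAwareRequestFilter,rememberMeAuthenticationFilter,anonymousAuthenticationFilter,basicExceptionTranslationFilter,filterInvocationInterceptor',
    // Everything else keeps the plugin's normal session-based chain; the
    // default basic filters that useBasicAuth = true adds are subtracted so
    // the web UI is not challenged with Basic auth as well.
    '/**': 'JOINED_FILTERS,-basicAuthenticationFilter,-basicExceptionTranslationFilter'
]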
resources.groovy
// Stateless security context: nothing is read from or written to the HTTP
// session, so every request on this chain must re-authenticate via its own
// Authorization header.
statelessSecurityContextRepository(NullSecurityContextRepository) {}
statelessSecurityContextPersistenceFilter(SecurityContextPersistenceFilter, ref('statelessSecurityContextRepository')) { }

// Entry point used for both the basic filter and the exception translation
// filter below. realmName is still wired from the basic.* config, although
// CustomBasicAuthenticationEntryPoint's override only sends the status code.
customBasicAuthenticationEntryPoint(CustomBasicAuthenticationEntryPoint) {
    realmName = SpringSecurityUtils.securityConfig.basic.realmName
}

// The filter that decodes the "Authorization: Basic" header and hands the
// credentials to the authenticationManager.
customBasicAuthenticationFilter(BasicAuthenticationFilter, ref('authenticationManager'), ref('customBasicAuthenticationEntryPoint')) {
    authenticationDetailsSource = ref('authenticationDetailsSource')
    rememberMeServices = ref('rememberMeServices')
    // Charset used to decode the base64 credentials; defaults to UTF-8 in
    // the plugin config.
    credentialsCharset = SpringSecurityUtils.securityConfig.basic.credentialsCharset // 'UTF-8'
}

basicAccessDeniedHandler(AccessDeniedHandlerImpl)
// NullRequestCache: do not remember the rejected request for a post-login
// redirect, which is meaningless for stateless API clients.
basicRequestCache(NullRequestCache)
// Translates AuthenticationException/AccessDeniedException into the 401
// from the custom entry point or the 403 from the access-denied handler.
basicExceptionTranslationFilter(ExceptionTranslationFilter, ref('customBasicAuthenticationEntryPoint'), ref('basicRequestCache')) {
    accessDeniedHandler = ref('basicAccessDeniedHandler')
    authenticationTrustResolver = ref('authenticationTrustResolver')
    throwableAnalyzer = ref('throwableAnalyzer')
}
CustomBasicAuthenticationEntryPoint.groovy
/**
 * Entry point for the stateless API chain. It answers 401 but, unlike the
 * inherited BasicAuthenticationEntryPoint.commence, emits no
 * WWW-Authenticate header: browsers therefore never show the native login
 * dialog, and API clients are expected to send "Authorization: Basic"
 * proactively. The realmName wired in resources.groovy is unused by this
 * override for the same reason.
 */
class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

    @Override
    void commence(HttpServletRequest request,
                  HttpServletResponse response,
                  AuthenticationException authException)
            throws IOException, ServletException {
        // Status code only; the container supplies the error body.
        response.sendError HttpServletResponse.SC_UNAUTHORIZED
    }
}
ApiController.groovy
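/**
 * REST endpoints protected by the stateless basic-auth chain.
 *
 * NOTE(review): the class-level permitAll opens every action of this
 * controller to anonymous callers unless the action carries its own
 * @Secured. Only restLogin is locked down here, so any action added later
 * must be annotated explicitly or it will be reachable without credentials.
 */
@Secured('permitAll')
class ApiController {

    def springSecurityService

    /**
     * Login probe: the request only reaches this body if the Authorization
     * header was accepted and the principal holds ROLE_USER.
     *
     * Renders a small JSON document naming the authenticated user. A bare
     * println would write to the server log and produce no HTTP response,
     * leaving Grails to look for an api/restLogin view that does not exist.
     */
    @Secured('ROLE_USER')
    def restLogin() {
        User currentUser = springSecurityService.currentUser
        render(contentType: 'application/json') {
            username currentUser.username
        }
    }
}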