I have this in my Config.groovy:
grails.plugins.springsecurity.securityConfigType = 'InterceptUrlMap'
grails.plugins.springsecurity.interceptUrlMap = [
'/image/save/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/image/update/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/**/save/**': ['ROLE_IMS_EDITOR'],
'/**/update/**': ['ROLE_IMS_EDITOR'],
'/grails/richmediafile/update.dispatch': ['ROLE_IMS_EDITOR'],
'/**/delete/**': ['ROLE_IMS_EDITOR'],
'/**/deleteRemote/**': ['ROLE_IMS_EDITOR'],
'/**': ['IS_AUTHENTICATED_ANONYMOUSLY']

When I access the URL /richmediafile/update, I'm able access it anonymously. I should not be able to, it should be secured.

With org.springframework.security loggers set to DEBUG, this is what I see in the logs:

2012-04-26 09:05:44,849 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/richmediafile/index'; to: '/richmediafile/index'
2012-04-26 09:05:44,849 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Candidate is: '/richmediafile/index'; pattern is /**; matched=true
...
2012-04-26 09:05:44,852 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/grails/richmediafile/update.dispatch'; to: '/grails/richmediafile/update.dispatch'
2012-04-26 09:05:44,852 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Candidate is: '/grails/richmediafile/update.dispatch'; pattern is /**; matched=true


My questions are:
- why doesn't Spring Security report matching against the url /richmediafile/update? Must we always use the "grails" and "dispatch" when constructing rules?
- Why won't it match even the rule /grails/richmediafile/update.dispatch either?
- and why does /richmediafile/index show up as an URL to be matched against?