Recently, I stumbled upon a scenario where I had to map the roles from a legacy database to Spring Security’s InterceptUrlMap, and they did not have the ROLE_ prefix. I faced the following error:

 Field or property 'ADMIN' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot'

for the following InterceptUrlMap:

com.jft.prashant.sec.role.admin = 'ADMIN'

grails.plugin.springsecurity.interceptUrlMap = [
        '/static/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/plugins/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/skin/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/j_spring_security_check': ['IS_AUTHENTICATED_ANONYMOUSLY'],

        '/user/index': ['IS_AUTHENTICATED_FULLY'],
        '/user/**': [com.jft.prashant.sec.role.admin]
        // more mapping
]

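The error shows that the bare string ADMIN was being evaluated as a property on the expression root rather than matched as a role name. The solution was to switch to an expression in the mapping, like: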

com.jft.prashant.sec.role.admin = 'ADMIN'
com.jft.prashant.sec.role.user = 'USER'

grails.plugin.springsecurity.interceptUrlMap = [
        '/static/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/plugins/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/skin/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/j_spring_security_check': ['IS_AUTHENTICATED_ANONYMOUSLY'],

        '/user/index': ['IS_AUTHENTICATED_FULLY'],
        '/user/**': ["hasAnyRole('${com.jft.prashant.sec.role.admin}')"],
        '/role/index': ['IS_AUTHENTICATED_FULLY'],
        '/role/**': ["hasAnyRole('${com.jft.prashant.sec.role.admin}')"],
        '/userRole/**': ["hasAnyRole('${com.jft.prashant.sec.role.admin}')"],
        '/*': ['IS_AUTHENTICATED_FULLY']
]
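
An added example, not part of the original post or its sample project: a small Groovy script that scans an interceptUrlMap for bare role names like the one that caused the error above. It assumes that tokens starting with ROLE_ or IS_ are handled by the voters and that every other token is parsed as a security expression; findBareRoleTokens, the sample map and the role names in it are constructed for illustration.

```groovy
// Constructed sample config: legacy role names without the ROLE_ prefix.
def adminRole = 'ADMIN'
def interceptUrlMap = [
    '/login/**'  : ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/user/index': ['IS_AUTHENTICATED_FULLY'],
    '/user/**'   : [adminRole],                      // the failing form
    '/role/**'   : ["hasAnyRole('${adminRole}')"],   // the working form
    '/report/**' : ['ROLE_AUDITOR'],
    '/public/**' : ['permitAll']
]

// Bare identifiers that do resolve on the security expression root.
def ROOT_PROPERTIES = ['permitAll', 'denyAll', 'anonymous', 'authenticated',
                       'rememberMe', 'fullyAuthenticated'] as Set

// Hypothetical helper: returns [pattern, token] pairs that would fail when
// the expression is evaluated ("Field or property ... cannot be found").
List findBareRoleTokens(Map<String, List> urlMap, Set rootProperties) {
    def problems = []
    urlMap.each { pattern, tokens ->
        tokens.each { raw ->
            String token = raw.toString().trim()   // also flattens GStrings
            // Assumption: these prefixes are matched as plain tokens by the voters.
            boolean voterToken = token.startsWith('ROLE_') || token.startsWith('IS_')
            // A lone identifier is read as a property name, not as a role.
            boolean bareIdentifier = token ==~ /[A-Za-z_]\w*/
            if (!voterToken && bareIdentifier && !(token in rootProperties)) {
                problems << [pattern, token]
            }
        }
    }
    problems
}

def problems = findBareRoleTokens(interceptUrlMap, ROOT_PROPERTIES)
problems.each { pattern, token ->
    println "${pattern}: '${token}' is a bare role name; use hasAnyRole('${token}')"
}
// Only the unwrapped legacy role is reported.
assert problems == [['/user/**', 'ADMIN']]
```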

Fork the sample code from here to see it in action. Hope it saves you from trouble. 🙂