Sometimes the answer to a problem is staring you right in the face. Across several evenings I spent a number of hours trying to work out why my URL-based security using Acegi for the Grails application I am working on would not work. I thought I was misunderstanding how to specify the wildcards using Ant syntax, and so kept trying many different variations of patterns to try and match the URLs I was trying to protect.
It finally dawned on me that the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON instruction defined with the FilterSecurityInterceptor was causing all my problems. Some of my URLs contain mixed case, and I had blindly copied them into my configuration file and forgotten all about this setting to convert all URLs to lower case before comparing. Wow, that seems so obvious now, but I think it took me at least 6 hours of head scratching and reading many posts online before I worked out what was going wrong.
For an example of my configuration file and more details, see my other post here.
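
The mismatch described above can be caught with a small check. This is an added example, not code from the original post or from Acegi: the rule list is constructed, the function names are hypothetical, and the Ant matcher is a simplified stand-in for Acegi's own.

```python
import re

LOWERCASE = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"
ANT = "PATTERN_TYPE_APACHE_ANT"

# Constructed sample rules, not the author's configuration.
SAMPLE = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/userAccount/**=ROLE_USER
/admin/**=ROLE_ADMIN
/Report/list*=ROLE_USER,ROLE_ADMIN
"""

def parse_definition(text):
    """Return (lowercase_flag, [(pattern, [roles])]) from a definition string."""
    lowercase, rules = False, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == LOWERCASE:
            lowercase = True
        elif line and line != ANT and "=" in line:
            pattern, roles = line.split("=", 1)
            rules.append((pattern.strip(), [r.strip() for r in roles.split(",")]))
    return lowercase, rules

def ant_to_regex(pattern):
    """Simplified Ant matching: ** spans segments, * and ? stay within one."""
    tokens = re.findall(r"\*\*|\*|\?|[^*?]+", pattern)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("".join(table.get(t) or re.escape(t) for t in tokens) + r"\Z")

def roles_for(url, lowercase, rules):
    """Roles of the first matching rule, or None when no rule applies."""
    if lowercase:
        url = url.lower()  # the request URL is lowered, the pattern is not
    for pattern, roles in rules:
        if ant_to_regex(pattern).match(url):
            return roles
    return None

def unreachable_patterns(lowercase, rules):
    """Patterns that can never match once request URLs are lowercased."""
    return [p for p, _ in rules if lowercase and p != p.lower()]

if __name__ == "__main__":
    flag, rules = parse_definition(SAMPLE)
    print("never match:", unreachable_patterns(flag, rules))
    print("/userAccount/edit/1 ->", roles_for("/userAccount/edit/1", flag, rules))
```

Writing the flagged patterns in lower case makes the same request resolve to its intended roles.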