The problem with the above security file seems to be with the principal expression element. When I re-write the XML so that the opening tag and the content of the principal expression are on the same line, the filter works.

[code]<principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] } </principalExpression>[/code]

When split across lines, it doesn't seem to work.

[code]<principalExpression>
authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERUSER','ROLE_USER'] } </principalExpression>[/code]
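A check for the difference described above, as an added example that is not part of the original post: to an XML parser the two forms differ only in the whitespace at the start of the element's text, so this script flags every `principalExpression` whose text begins with whitespace or contains a line break. The `<grants>`/`<grant>` wrapper elements and the function names are assumptions made for the sample; only `principalExpression` and its content come from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only <principalExpression> and its Groovy content are
# taken from the post; the <grants>/<grant> wrappers are hypothetical.
EXPR = ("authentication.getPrincipal().getRoles().any{ it.getRoleName() "
        "in ['ROLE_SUPERUSER','ROLE_USER'] } ")
SAMPLE = (
    "<grants>\n"
    "  <grant id='same-line'>\n"
    "    <principalExpression>" + EXPR + "</principalExpression>\n"
    "  </grant>\n"
    "  <grant id='split'>\n"
    "    <principalExpression>\n" + EXPR + "</principalExpression>\n"
    "  </grant>\n"
    "</grants>"
)


def audit_expressions(xml_text, tag="principalExpression"):
    """Return one finding per matching element, in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    for index, elem in enumerate(root.iter(tag)):
        raw = elem.text or ""
        findings.append({
            "index": index,
            # True when the expression does not start right after the tag.
            "leading_whitespace": raw != raw.lstrip(),
            "contains_newline": "\n" in raw,
            # Trim only the ends, so string literals inside stay untouched.
            "normalized": raw.strip(),
        })
    return findings


def flagged(xml_text):
    """Indexes of expressions that should be reviewed before deployment."""
    return [f["index"] for f in audit_expressions(xml_text)
            if f["leading_whitespace"] or f["contains_newline"]]


if __name__ == "__main__":
    for f in audit_expressions(SAMPLE):
        status = "REVIEW" if f["index"] in flagged(SAMPLE) else "ok"
        print(f"{status:6} #{f['index']}: {f['normalized']}")
```

Because a principal expression that is not evaluated as written changes who the access filter applies to, a check like this fits as a gate before the security file is uploaded.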