Spring Security ACL plugin for grails by default uses the BasePermission class with 4 basic permissions. And uses DefaultFactory to assign this permissions. And AclPermissionEvaluator where this DefaultFactory is assigned.

When use this approach all is fine. I can use

    @PreAuthorize("hasPermission(#report, read)")

Here I provided one of the basic permissions called READ which is defined in BasePermission class.

What I need is my own custom permissions. I've done:

     public class MyPermission extends AbstractPermission{

        public static final Permission APPROVE= new MyPermission(1 << 0, 'a');

        //constructors here..  
     }

1) How correctly assign my custom permission to use it like I used permissions from BasePermission? 2)Should I define my CustomFactory or its possible to use DefaultFactory? 3)If yes, how to set it to existing permission evaluator?

Also another open question. I've played around with subclass of BasePermission, but in that case I should use

    @PreAuthorize("hasPermission(#report, 'approve')")

instead of just

    @PreAuthorize("hasPermission(#report, approve)")

4)Why in case of no single quotes I got the error?

     Class:org.springframework.expression.spel.SpelEvaluationException
     Message:EL1008E:(pos 28): Field or property 'approve' cannot be found on object of type 'org.springframework.security.access.expression.method.MethodSecurityExpressionRoot'

Thanks in advance!

You're better off extending org.springframework.security.acls.domain.BasePermission since that way you have all the standard permissions plus yours:

package com.mycompany.myapp.MyPermission;

public class MyPermission extends BasePermission {

   public static final Permission APPROVE = new MyPermission(1 << 5, 'V'); // 32

   protected MyPermission(int mask) {
      super(mask);
   }

   protected MyPermission(int mask, char code) {
      super(mask, code);
   }
}

You need to register it with the permission factory to make it available in expressions; override the aclPermissionFactory bean in grails-app/conf/spring/resources.groovy, passing your class as the constructor argument:

import org.springframework.security.acls.domain.DefaultPermissionFactory
import com.mycompany.myapp.MyPermission

beans = {
   aclPermissionFactory(DefaultPermissionFactory, MyPermission)
}

The reason it works unquoted with standard permissions is that MethodSecurityExpressionRoot has constants for the standard permissions:

public final String read = "read";
public final String write = "write";
public final String create = "create";
public final String delete = "delete";
public final String admin = "administration";

but there isn't one for yours, so you need to quote it to force a lookup in your permission class.