You have to implement your own Filter, Authentication Provider and Authentication token (to pass data to your Provider).

See:

• what is securty filter chain - http://static.springsource.org/spring-security/site/docs/3.0.x/reference/security-filter-chain.html
• authentication providers - http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-services.html#core-services-dao-provider
• how to register your filter into Spring Secutory Core plugin - http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/16%20Filters.html
• and, if you need an example, take a look at some existing authentication subplugins for Spring Security Core - http://grails.org/plugin/spring-security-core

List item

If you are using basic authorization header, then following configuration works for you in context-security.xml file.

< http  auto-config="true" use-expressions="true" pattern="/project/api/**">
        < intercept-url pattern="/**" access="isFullyAuthenticated()" requires-channel="${security.requires.channel}" method="POST"/>
        < custom-filter ref="basicAuthenticationFilter" position="PRE_AUTH_FILTER"/>
    < /http>    
    < beans:bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
        < beans:property name="authenticationManager" ref="authenticationManager" />
        < beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint" />      
    < /beans:bean>

I have used same approach for rest services But you need to be careful that whatever scheme you use for encoding username and password, same scheme you should use in filter for decoding 'Authorization' header information. If you are using some custom scheme for encoding 'Authorization' header, then you need to extend 'BasicAuthenticationFilter' and provide appropriate decoding of 'Authorization' header