I have an application where I am using spring security along with grails melody. I am planning to run grails melody in production environment, but don't want visitors to have access to it. How should I achieve that ? I tried creating a filter in grails (just showing the sample of what I am trying, not the actual code)-

def filters = {
    allURIs(uri:'/**') {
        before = {
            //...
            if(request.forwardURI.indexOf("admin") != -1 ||
        request.forwardURI.indexOf("monitoring") != -1) {
                response.sendError 404
                return false 
            }
        }
    }
}

But this doesnt work as the request for "monitoring" doesnt hit this filter. I dont even want the user to know that such a URL exists, so I want to check in the filter that if "monitoring" is the URL, I show the 404 error page. Thats also the reason why I dont want to protect this URL with spring security as it will show "access denied" page.

Basically I want the URL to exist but they should be invisible to users. I want the access to be open to only certain IP addresses for these special URLs.

On another note, Is it possible to write a grails filter that "acts" before the spring security filter is hit ? I want to be able to do some filtering before I forward requests to spring security. Writing a grails filter like above doesnt help. Spring security filter gets hit first if I access a protected resource and this filter doesn't get called.

Thanks