I discussed this on the DEV mailing list here:
And here's an example showing how this bug can be used to bypass security:
grails create-app sampleapp
cd sampleapp
grails install-plugin spring-security-core
grails s2-quickstart com.sampleapp User Role
grails create-controller com.sampleapp.secure
This URL correctly redirects to the default login page and content can't be viewed.
This URL does NOT redirect to login and secure content is viewable without logging in.