Controllers that are generated by scaffolding at run-time do not pay any attention to the allowedMethods, but controllers with allowedMethods explicitly set (even if the rest is scaffolded) do abide by the method restrictions.
1. Create a new app, add a Book domain class, and a scaffolded Book controller.
2. Run the app and go to /[newApp]/book/delete/5
2a. The expected behavior is a 405 error, since issuing a GET to the delete action is not allowed
2b. The observed behavior is that the browser is redirected to the list action and a message indicating that a Book with an id of 5 could not be found.
3. Generate the book controller
4. Go to /[myApp]/book/delete/5
4.a Observed behavior is a 405 error returned, which is expected.
Having the scaffolding not follow this makes the scaffolding much less useful, especially for applications that want to behave correctly (including REST applications)