Grails Spring Security (get current user)

In practical terms, I don't see much difference between these two. I would be inclined to use

def user = springSecurityService.currentUser

Because it's slightly shorter that the other form, it's what the plugin docs recommend, and there might be some additional caching of the user within plugin (beyond the caching already provided by Hibernate).

Well, there is a slight difference between the two. The documentation points this out.

currentUser will always return the domain instance of the currently logged in user.

principal on the other hand, retrieves the currently logged in user's Principal. If authenticated, the principal will be a grails.plugin.springsecurity.userdetails.GrailsUser, unless you have created a custom UserDetailsService, in which case it will be whatever implementation of UserDetails you use there.

If not authenticated and the AnonymousAuthenticationFilter is active (true by default) then a standard org.springframework.security.core.userdetails.User is used.

Hope that helps clear things up.