开发者

Securing gsp files

问答 作者:

I'm relatively new to Spring, but very new to Spring Security and Grails. To be brief, I know its recommended to not allow .jsp files to be servable, you should toss them in WEB-INF, and set up your controllers to pull them from the right place.

How would I go about doing this in G开发者_开发问答rails? It seems that I would destroy the idea of "convention over configuration" by tossing gsp's into WEB-INF and then writing logic into all my controllers (if that's even immediately possible...) It seems I would have to alter some basic Grails configurations.

Any ideas?

OK, I haven't seen a complete answer for this here (or elsewhere one StackOverflow) that provides a full valid result, so here's what I've come up with:

First, create a new controller:

grails create-controller gspForbidden

Open this up, and add this to the index action:

index = {
    response.status = 404
}

Then, open grails-app/conf/UrlMappings.groovy and add this under the static mappings closure:

"/grails-app/**.gsp"(controller:"gspForbidden")

This will redirect any attempts to view a GSP directly to the gspForbidden controller. That controller, in turn, simply renders a 404 - a file not found response. The best thing about this is that it's completely hidden - there's nothing showing that the GS path was correct, so there's less chance of exposing something important about the application design.

I tried repeatedly to figure out how to use UrlMappings to show a 404 without the controller, but I had no success. If you can think of a way, please let me know. I'd much rather have this happen without any explicit controllers.

Slight correction to earlier post:

Just adhering to the convention in Grails doesn't prevent someone who guesses where a gsp lives from hitting it directly (I just tried it, it works).

From Spring Security Plugin Documentation:

package com.testapp
import grails.plugins.springsecurity.Secured

class SecureController {

   @Secured(['ROLE_ADMIN'])
   def index = {
      render 'Secure access only'
   }
}

you can secure your GSP pages as the example above. Secured annotation will provide access only to a user if they have the admin rights.

for more information , refer to :

http://grails-plugins.github.com/grails-spring-security-core/docs/manual/

tutorials are nice as a start.

You actually don't need to worry about this in Grails. If you follow the conventions of using views and controllers it will handle all the details about making sure the GSP pages aren't directly accessible.

As far as integration with Spring Security is concerned, again if you follow one of the recommended patterns (URL security or annotation within your controllers) you should be fine.

继续阅读:grailsgspsecurityspring-security

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9