protecting grails melody with grails filter
I have an application where I am using Spring Security along with Grails Melody. I am planning to run Grails Melody in the production environment, but I don't want visitors to have access to it. How should I achieve that? I tried creating a filter in Grails (just showing a sample of what I am trying, not the actual code):
def filters = {
    // Grails filter applied to every URI in the application
    allURIs(uri:'/**') {
        before = {
            //...
            // Hide the admin and monitoring URLs: answer 404 and stop processing
            if(request.forwardURI.indexOf("admin") != -1 ||
               request.forwardURI.indexOf("monitoring") != -1) {
                response.sendError 404
                return false
            }
        }
    }
}
But this doesn't work, as the request for "monitoring" doesn't hit this filter. I don't even want the user to know that such a URL exists, so I want to check in the filter that if "monitoring" is the URL, I show the 404 error page. That's also the reason why I don't want to protect this URL with Spring Security, as it will show the "access denied" page.
Basically I want the URL to exist but they should be invisible to users. I want the access to be open to only certain IP addresses for these special URLs.
On another note, is it possible to write a Grails filter that "acts" before the Spring Security filter is hit? I want to be able to do some filtering before I forward requests to Spring Security. Writing a Grails filter like the one above doesn't help. The Spring Security filter gets hit first if I access a protected resource, and this filter doesn't get called.
Thanks
Grails filters are wrappers around Spring Interceptors, so they fire after "real" servlet filters like those used by Spring Security. If you want something to fire before Spring Security you'll need to register a filter in web.xml, or possibly in the plugin's filter chain.
This is one of the motivations for the IP Address filter. We wanted an admin section that was available to logged-in admins but also only available if accessed from the LAN or VPN. LAN and VPN IP addresses all started with 10., so we added a rule for
'/admin/**': '10.**'
The filter sends a 404 response to hide the existence of the resources.
See http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/guide/10.%20Extending%20and%20configuring%20the%20plugin.html#10.8.%20IP%20Address%20Restrictions for the docs on this.
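The web.xml route Burt describes, as an added example that is not code from the question, from Burt's answer or from the plugin: a plain servlet filter that answers 404 for /monitoring and /admin unless the connecting address is in an IP allow-list. The class name, the path list and the CIDR values are assumptions; it needs its own filter-mapping in web.xml placed before springSecurityFilterChain so that it runs first.

```java
// Added example (not from the question or any answer): a servlet Filter that answers 404 for hidden
// paths unless the TCP peer is allow-listed. Mapped in web.xml before springSecurityFilterChain it
// runs ahead of Spring Security, which a Grails filter (a Spring interceptor wrapper) cannot do.
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HiddenPathIpFilter implements Filter {
    // Paths that must look non-existent from outside the allowed networks (assumed list).
    private static final String[] HIDDEN_PREFIXES = {"/monitoring", "/admin"};
    // Allowed source networks (constructed values: loopback plus the 10/8 LAN/VPN range from the thread).
    private static final String[] ALLOWED_CIDRS = {"127.0.0.1/32", "10.0.0.0/8"};
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String path = http.getRequestURI().substring(http.getContextPath().length());
        // getRemoteAddr() is the TCP peer; behind Apache that is the proxy, so enforce the rule there (X-Forwarded-For is client-supplied).
        if (isHidden(path) && !isAllowed(http.getRemoteAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND); // 404, not 403: must look absent
            return;                                   // chain stops here: Spring Security never sees the request
        }
        chain.doFilter(req, res);
    }
    static boolean isHidden(String path) {
        int semi = path.indexOf(';');                 // drop ;jsessionid=... path parameters before matching
        String p = semi >= 0 ? path.substring(0, semi) : path;
        for (String prefix : HIDDEN_PREFIXES)
            if (p.equals(prefix) || p.startsWith(prefix + "/")) return true;
        return false;
    }
    static boolean isAllowed(String remoteAddr) {
        try {
            int ip = toInt(InetAddress.getByName(remoteAddr).getAddress());
            for (String cidr : ALLOWED_CIDRS) {
                String[] parts = cidr.split("/");
                int net = toInt(InetAddress.getByName(parts[0]).getAddress());
                int bits = Integer.parseInt(parts[1]);
                // shift out the host bits; the remaining prefix bits must be identical
                if (bits == 0 || ((ip ^ net) >>> (32 - bits)) == 0) return true;
            }
        } catch (IllegalArgumentException | IOException e) { /* unparsable or non-IPv4 address: deny */ }
        return false;
    }
    private static int toInt(byte[] a) {
        if (a.length != 4) throw new IllegalArgumentException("IPv4 only");
        return ((a[0] & 0xff) << 24) | ((a[1] & 0xff) << 16) | ((a[2] & 0xff) << 8) | (a[3] & 0xff);
    }
}
```

An IPv6 peer (for example the ::1 loopback) is denied by the IPv4-only check, so extend ALLOWED_CIDRS handling before deploying on a dual-stack host.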
I have been looking at securing Grails Melody (e.g. /monitoring) using Spring Security as well. I have done it now using Apache HTTP Basic authentication (we use apache to proxy to tomcat), but this is not ideal as I am looking to deploy an application to CloudFoundry.
Could this, for example, easily be done using the Grails WebXmlConfig plugin as well? I see Burt has contributed to at least the documentation page? I am not sure, as the plugin is not really documented...
Burt's answer is a good one.
Another answer can be to use javamelody's included security options: http://code.google.com/p/javamelody/wiki/UserGuide#15._Security
For example, you can add the following parameter, which is a regexp, to your GrailsMelodyConfig.groovy file: javamelody.'allowed-addr-pattern' = '127.0.0.1'
Here's what I did in a similar scenario (JavaMelody 1.29.0 and Spring Security 3.0.5). I wanted to restrict access to the Melody reports to admin users.
Spring security config:
<http auto-config="true" use-expressions="true">
    ...
    <intercept-url pattern="/monitoring/**" access="hasRole('ROLE_ADMIN')" />
    ...
</http>
web.xml config:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>monitoring</filter-name>
    <filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>monitoring</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
The key point is to make sure that the monitoring filter is defined after the Spring Security filter chain.