Grails without session - grails

I noticed that grails applications, as most other java based web applications, always creates a session, even when it is not used.
Is it possible to set the JSESSIONID cookie only when needed, eg. when someone tries to log in?

The generation of a session cookie can be disabled by adding the following page directive:
<%# page session="false" %>

I'm not sure what version of grails was being used above, but I was running into a similar issue in a large application. My application was split between UI/gsp and other Controllers that served pure json/xml without a view. The UI portion was supposed to be the only part that used sessions, but the services were also returning JSessionId.
Because the application was large, in order to troubleshoot, I created new applications with grails 1.3.7 and 2.2.1, with a basic controller:
class FooController {
static defaultAction = "lookatme"
def lookatme = {render(view:'lookatme')}
def hallo = {render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
def somestate = {session.foo = "bar"; render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
}
When I run this on tomcat, neither lookatme or hallo returns a JSessionId. The action somestate does. After going back through our code, we found places (some filters, for example) that were attempting to access session when they shouldn't.
If your code is returning a session via JSessionId cookies, and you don't think it should, ensure there is no code used within that action (or filters) which access session (or flash?).

Related

Web page without real files corresponding to URLs?

geniuses!
I need to make a demo page acting like DBpedia (http://dbpedia.org).
Two pages from different URLs,
http://dbpedia.org/page/Barack_Obama and
http://dbpedia.org/page/Lionel_Messi,
show different content.
I cannot really think DBpedia has million pages for all individual entities (E.g., Barack Obama and Lionel Messi).
How can I handle such URL request?
I know a bit about GET request but example URLs above do not seem like to use GET method.
Thank you in advance!
ps. Please teach me the process. Something like:
1. A user enters URL on a browser.
2. ...
When visiting http://dbpedia.org/page/Barack_Obama, your browser does send a GET request, e.g.:
GET /page/Barack_Obama HTTP/1.1
Host: dbpedia.org
The server (dbpedia.org) receives this GET request and then decides what to do. From the outside, you can’t know (for sure) how the server does something. The two common cases are:
Static web page: a file gets served that exists somewhere on the server. The URL path is often mapped to the server’s file system, but that’s not necessarily the case.
Dynamic web page: a file gets served that is generated on the fly. The content often comes from a database, but that’s not necessarily the case.
After trying some solutions, I'm now using Spring Web MVC framework.
Maybe Dynamic web page solution mentioned in unor's answer.
#Controller
public class SimpleDisplayController {
#RequestMapping("/page/{symbolicName:[!-z]+}")
public String displayEntity(HttpServletRequest hsr, Model model) {
String reqPath = (String) hsr.getAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE);
String entityLb = reqPath.substring(reqPath.lastIndexOf("/"));
model.addAttribute("label", entityLb);
return "entity";
}
}
I could get request using regex as you can see at the 4th line: #RequestMapping("/page/{symbolicName:[!-z]+}").
The function above returns the string 'entity' which is the name of a HTML file serving as a template.
The following code is a body part of the example HTML template.
<body>
<p th:text="'About entity ' + ${label} + '...'" />
</body>
Since I add an attribute with the key 'label' in the controller above, the template can process ${label}.
In the example HTML template, th:text is a snytax of Thymeleaf (Java library to make an XML/XHTML/HTML5 template) which is supported by Spring.

With the Orbeon Proxy Portlet is there a way to enable form selection via Inter Portlet Communication?

The Orbeon Proxy Portlet allows form selection via URL parameters. It would be preferable if the parameters were not included in the URL. I thought I might be able to use a public render parameter as described in the Liferay documentation but it looks like the proxy portlet isn't configured that way.
Looking at OrbeonProxyPortlet.scala I see this method is used to retrieve the URL parameters:
private def portalQuery(request: PortletRequest) =
collectByErasedType[String](request.getAttribute("javax.servlet.forward.query_string")) map decodeSimpleQuery getOrElse Nil
Could this method be modified to combine that map with the map returned by PorletRenderRequest.getParameterMap() or PorletRenderRequest.getPublicParameterMap()?
Or perhaps there could be another init-param like enable-url-parameters, for example, enable-inter-portlet-parameters?
This would also require the following configuration in the portlet.xml:
<supported-public-render-parameter>orbeon-app</supported-public-render-parameter>
<supported-public-render-parameter>orbeon-form</supported-public-render-parameter>
<supported-public-render-parameter>orbeon-document</supported-public-render-parameter>
<supported-public-render-parameter>orbeon-page</supported-public-render-parameter>
As you noticed, currently this is not implemented, and I don't think there is a way without modifying the code of OrbeonProxyPortlet.scala. But yes, it would make sense to make this work, and in fact the option was considered in issue #1850.

Grails: Don't Run Filters on a Forward (without using flash variables)

I'm writing a plugin that keeps track of the pages that a user has visited in an application (for the purpose of a back button). It does this by having a filter that runs for every controller/action and keeps a list of visited pages. Everything is working great, except that when used in applications that use forwards, the plugin records two entries for the one page since Grails filters run on every request, even when that request is just a forward (ie: internal redirect).
Since this is a plugin (that has to be application agnostic) I can't simply set a flash variable whenever a forward is used to check if a forward has occurred. Is there any way to determine if a forward has occurred in a filter? I'm exploring the different values in the request variable and how they differ between a normal request and a forward, but things can get quite confusing. Any help is highly appreciated.
P.S. The main difference I noticed so far is that the request.forwardURI and request.requestURI differ for a forward, however, the requestURI is in a special format that I currently don't know how to convert to match the forwardURI.
For example for a normal request:
request.forwardURI = '/short-url' (as set in URLMappings) or '/controller/action
request.requestURI = '/grails/controller/action.dispatch'
For a forward:
request.forwardURI = '/short-url' (as set in URLMappings) or '/controller/action'
request.requestURI = '/grails/forwardedController/forwardedAction.dispatch'

grails cache headers plugin for controllers

This question is not an implementation specific question of the grails plugin, but more of a question illustrated using grails.
Grails a plugin for writing cache related headers (http://grails.org/plugin/cache-headers) and they show an example that looks like
class ContentController
def show = {
cache shared:true, validFor: 3600 // 1hr on content
render(....)
}
}
Since the grails request to get here would look something like http://myapp/content/show, would a browser even try to cache this since it's not a specific resource with a filename (e.g. it's not show.gsp, even though that is what is being used to generate the html)?
What's the purpose of specifying a cache time on dynamic content that won't be cached by the browser (assuming I'm understanding how the browser will cache it based on my statement above)? When might this be useful? Might this be useful in an ajax environment where the user is not typing the full url but rather we're dynamically updating part of a page?
Browser caches URL, not a filename (because HTTP is not a filesystem). I thinks it's the answer for both questions, right?
See:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13
http://www.mnot.net/cache_docs/
https://developers.google.com/speed/docs/best-practices/caching

Grails: How to protect gsp views with shiro?

I am using shiro to protect my grails application, using the default setup as with
grails shiro-quick-start
and a custom user. So far, all controller actions are protected, but if I put in the URL to a GSP-File (say, index.gsp), I do not get a login prompt.
The default filter I use is
def filters = {
all(uri: "/**") {
before = {
accessControl()
}
}
}
but seemingly GSP-Files do not match this URI-Filter. What URI-Filter do I have to use? I am using grails 1.3.7 and shiro plugin 1.1.3
very interesting, but seems to be a grails problem, not a shiro one.
I didn't manage to secure /object/view.gsp pages through the filters mechanism - it seems to be based on controller/action and since there is no controller involved...
But I did find another solution. Add the following line to your UrlMappings.groovy file
"/$folder/${view}.gsp"(controller:'auth', action:'login')
this will send your .gsp files through a controller.

Resources