Grails: How to protect gsp views with shiro? - grails

I am using shiro to protect my grails application, using the default setup as with
grails shiro-quick-start
and a custom user. So far, all controller actions are protected, but if I put in the URL to a GSP-File (say, index.gsp), I do not get a login prompt.
The default filter I use is
def filters = {
all(uri: "/**") {
before = {
accessControl()
}
}
}
but seemingly GSP-Files do not match this URI-Filter. What URI-Filter do I have to use? I am using grails 1.3.7 and shiro plugin 1.1.3

very interesting, but seems to be a grails problem, not a shiro one.
I didn't manage to secure /object/view.gsp pages through the filters mechanism - it seems to be based on controller/action and since there is no controller involved...
But I did find another solution. Add the following line to your UrlMappings.groovy file
"/$folder/${view}.gsp"(controller:'auth', action:'login')
this will send your .gsp files through a controller.

Related

redirect user from php url to grails page

I am using grails 2.X.
when user hits on http://www.abcdef.com/redir/abc.php?id=123, i want to redirect user to some other url mappings like http://www.abcdef.com/abcd.
I already used grails filter but can't get appropriate solution.
Can anyone tell me how to do so using grails?
Do we need Filters or some scripts to achieve this.
Thanks in advance.
This can be achieved in UrlMappings.groovy. This configuration should suit your needs:
"/$controller.$suffix" {
constraints {
suffix(matches: 'php')
}
}

Grails setting locale does not change language

I am using Grails 2.0.3 in my project. I would like to implement internationalization to my application. As far as I read from this documentation I understand Grails have an out box support for internationalization. However I would like to override browsers Accept-Header setting and would like to set users language preference.
First I've created a filter in order to catch requests and check the language preferences. But it did not help. In filter I can get localized messages but when page is rendered I am getting English page. Here is the code that I use for setting locale.
def locale = new Locale("es", "ES")
java.util.Locale.setDefault(locale)
Then I've created custom LocaleResolver and injected that in spring configuration as localeResolver. Again in filter I can see localized messages however in pages still no luck?
Is there a way to override or bypass browsers setting in Grails i18n support?
The default LocaleResolver of Grails is SessionLocaleResolver. If you want to always use es_ES you can change this to FixedLocaleResolver.
beans {
localeResolver(FixedLocaleResolver) {
locale = new Locale("es", "ES")
}
}
If you want to restrict to a set of locales, then you will need a filter, and use the SessionLocaleResolver#setLocale(HttpServletRequest request, HttpServletResponse response, Locale locale) method.

Grails without session

I noticed that grails applications, as most other java based web applications, always creates a session, even when it is not used.
Is it possible to set the JSESSIONID cookie only when needed, eg. when someone tries to log in?
The generation of a session cookie can be disabled by adding the following page directive:
<%# page session="false" %>
I'm not sure what version of grails was being used above, but I was running into a similar issue in a large application. My application was split between UI/gsp and other Controllers that served pure json/xml without a view. The UI portion was supposed to be the only part that used sessions, but the services were also returning JSessionId.
Because the application was large, in order to troubleshoot, I created new applications with grails 1.3.7 and 2.2.1, with a basic controller:
class FooController {
static defaultAction = "lookatme"
def lookatme = {render(view:'lookatme')}
def hallo = {render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
def somestate = {session.foo = "bar"; render(text:"<xml>some xml</xml>",contentType:"text/xml",encoding:"UTF-8")}
}
When I run this on tomcat, neither lookatme or hallo returns a JSessionId. The action somestate does. After going back through our code, we found places (some filters, for example) that were attempting to access session when they shouldn't.
If your code is returning a session via JSessionId cookies, and you don't think it should, ensure there is no code used within that action (or filters) which access session (or flash?).

Retrieving HTTP parameters in Grails

the request was sent from an HTML form, the request body contains the form data,how can i retrieve that data in my Grails application.Below is the URL from where i need to retrieve data.I'm a Rookie in Grails so please help me with this.
hxxp//localhost:8080/copypolicyNumber/loginaction.jsp?fname=Roger&lname=wallace&city=Des+Moines&pnum=123456&submit=Submit
As you just started with Grails, I suggest you look at the screencasts available in the Grails website, and also check the free e-book Getting Started with Grails (need registration).
Grails works with the params map for both GET and POST requests. Also, it uses an special url mapping that you need to be aware of.
So, assuming that you have a login controller with the action login and considering that you called the url: myapp/login/login?fname=Roger&lname=wallace&city=Des+Moines&pnum=123456
class LoginController {
def login() {
println params.fname //Roger
println params.lname //wallace
println params.city //Des Moines
println params.pnum //123456
}
}

Determine the url (or controller and action names) of a request which is unauthorized with Shiro Grails plugin

I would like to be able to log the requests that my app receives that are unauthorized. Because the Shiro plugin uses an HTTP redirect to send the user to auth/unauthorized the request object is a fresh one and I can't get the original URL; controller/action name; or request parameters from it.
Is there a way to determine either the original url, or the controller and action names (and request params if possible) inside the AuthController unauthorized action?
I am looking at http://plugins.grails.org/grails-shiro/tags/RELEASE_1_1_3/ShiroGrailsPlugin.groovy as a reference of the plugin source.
Details:
Grails 1.3.7
Shiro Grails plugin 1.1.3
I had the same problem... my solution is not perfect:
a browser sends the so called referer in one of the headers which you can get through
request?.getHeader('Referer')
But the referer is nothing you really can rely on -- but most of the browsers send it.
Another solution could be the filter: try to write the current url to another variable before you call accessControl() in ShiroSecurityFilters.groovy. You can get the current URL through request.forwardURI.
Update: just verified my last assumption - this seems the cleanest solution to me:
In ShiroSecurityFilters.groovy, replace
// Access control by convention.
accessControl()
with
// Access control by convention.
if (!accessControl()) {
session.deniedUrl = request.forwardURI
return false
}
which enables you to access the url as session.deniedUrl in your auth/unauthorized controller.

Resources