Securing gsp files - grails

I'm relatively new to Spring, but very new to Spring Security and Grails. To be brief, I know it's recommended not to allow .jsp files to be servable; you should toss them in WEB-INF and set up your controllers to pull them from the right place.
How would I go about doing this in Grails? It seems that I would destroy the idea of "convention over configuration" by tossing GSPs into WEB-INF and then writing logic into all my controllers (if that's even immediately possible...). It seems I would have to alter some basic Grails configurations.
Any ideas?

OK, I haven't seen a complete answer for this here (or elsewhere on StackOverflow) that provides a full valid result, so here's what I've come up with:
First, create a new controller:
    grails create-controller gspForbidden
Open this up, and add this to the index action:
    // Grails 1.x action closure; the "def" is required, otherwise this is a plain assignment
    def index = {
        response.status = 404
    }
Then, open grails-app/conf/UrlMappings.groovy and add this under the static mappings closure:
    "/grails-app/**.gsp"(controller:"gspForbidden")
This will redirect any attempts to view a GSP directly to the gspForbidden controller. That controller, in turn, simply renders a 404 - a file not found response. The best thing about this is that it's completely hidden - there's nothing showing that the GSP path was correct, so there's less chance of exposing something important about the application design.
I tried repeatedly to figure out how to use UrlMappings to show a 404 without the controller, but I had no success. If you can think of a way, please let me know. I'd much rather have this happen without any explicit controllers.

Slight correction to earlier post:
Just adhering to the convention in Grails doesn't prevent someone who guesses where a gsp lives from hitting it directly (I just tried it, it works).

From Spring Security Plugin Documentation:
    package com.testapp

    import grails.plugins.springsecurity.Secured

    class SecureController {
        // the annotation is @Secured; the "#" in the original post was a markup artifact
        @Secured(['ROLE_ADMIN'])
        def index = {
            render 'Secure access only'
        }
    }
You can secure your GSP pages as in the example above. The Secured annotation will grant access only to a user who has the admin role.
For more information, refer to:
http://grails-plugins.github.com/grails-spring-security-core/docs/manual/
The tutorials are nice as a start.

You actually don't need to worry about this in Grails. If you follow the conventions of using views and controllers it will handle all the details about making sure the GSP pages aren't directly accessible.
As far as integration with Spring Security is concerned, again if you follow one of the recommended patterns (URL security or annotation within your controllers) you should be fine.


Maintain parameter info in the request path for all pages instead of the subdomain

I seek some guidance here ... (I'm not sure if this is the best title.)
At the moment I prepend a "server name" to the URL like this:
server10.example.com
This works fine, except that I need to handle all the subdomains on the IIS, and I'm not sure Google is happy about jumping around from sub to sub to sub when it sees the links to the other servers.
I'm kind of hoping for a nice way to achieve this with ASP.NET MVC.
Most pages are related to a "server" ... there are however a few info pages, contact, home, that don't really need a valid "server" name ... but could just be "na" for not available, but the name needs to be maintained, if there is already a selected server, when a user keeps browsing the site. This needs to be as transparent as possible when I need to create the links to the different pages.
I could extend the Html Action() extension to automatically add the selected "server" from the previous request to the page.
In the format:
    /{serverParameter}/{controller}/{action}/{parameterInfo}
And if no server is selected, just add "na" as the {server} placeholder.
I'm not sure if more information is needed, but please let me know if ...
I'm tired of extracting the selected server from the domain part, and the other way also seems better; I just can't think of a good way to structure this ...
Updated
90% of all the pages are about a server that the user selects at some point. Could be server10, server9, server20 ... just a name. I want to maintain that information across all pages after the user has selected it, or else I just want it to be e.g. "empty".
I'm mostly looking for an easy way of doing this or an alternative ... atm I'm prepending the serverParameter to the URL so it ends up being: "serverParameter.example.com".
I want to end up with something like
    http://example.com/{server}/{controller}/{action}
instead of
    http://{server}.example.com/{controller}/{action}
If I understand your question correctly, you just wish to group different collections of content together above the controller/action level. If that's the case, have you considered using ASP.NET MVC areas?
Just right-click on your project, and choose Add -> Area.... Give it a name (what you're calling "server"), and then you can add content, your own controllers, actions, etc., under this area. You will automatically be able to access it via /AreaName/Controller/Action/etc.
I went with the already implemented routing in ASP.NET MVC.
    {server}/{controller}/{action}
When creating the links it takes the set value for {server} and places the value when generating URLs, so I only need to supply controller and action in the @Html.Action helper method ... this could not have been easier.
I'm not sure why I did not think about this. One just gotta love routing.

grails - ways to set up a replicated site?

I've got a need where each user can customize their own page on a replicated site. In grails it seems the most straightforward way to do this is:
somedomain.com/someController/JohnDoe
spelling out a controller, except this forces folks to type in a longer domain name, versus something like
somedomain.com/JohnDoe
Using sub-domains may be another approach, however they would need to be created automatically, i.e. when someone joins.
Can you please clarify the main ways Grails supports this kind of requirement/need (replicated site), and some of the pros/cons of each?
Thanks, Ray
Edit: Per Tomasz's edit below, the simplest course of action isn't clear. If you have insights on this please do share.
It is called UrlMappings in grails. You need to declare:
    "/$username?" {
        controller = 'someController'
        action = 'user'
    }
It redirects to someController, action user and optional variable called username.
This solution has one catch. Every one-level path you visit passes this rule and takes you to someController. You cannot go to somedomain.com/books because it passes the rule above and takes you to someController#user with params['username']='books'. Then you can't use default actions. But if you decide that all your other paths have at least one slash, e.g. /books/list, then you can follow this solution.
Edit: I was wrong. It doesn't work as I've expected. I thought that UrlMappings are applied in order they are defined. That's not true, as explained here. Even worse - it's not documented (GRAILS-6246). Most specific explanation comes from Peter Ledbrook :
It uses a specificity algorithm, so the most specific match should apply
You must experiment then. I suggest you use the safest solution and stick with the /user/username solution.

how to detect whether a uri is allow by shiro or extract controller name from uri

I have a URI such as someController/someAction?param1=aa&param2=bb.
Is there some Grails method that can extract the controller name and action name from this URI?
Or does Shiro have any method to detect whether this URI is permitted?
I have a domain Menu(name, url), and now want to get the menu list which is permitted for the current user.
URLs such as /auth/login (may be mapped as user:login), /user/login.
So 2 days ago I asked this question.
Now I have changed the menu to (name, controller, action, param), and filter the menu list like this:
    import org.apache.shiro.SecurityUtils

    def subject = SecurityUtils.subject
    menuList.each {
        if (it.permission) {
            // build a "controller:action" wildcard permission and ask Shiro whether the current subject holds it
            def perm = shiroPermissionResolver.resolvePermission("${it.permission.controller}:${it.permission.action}")
            def isPermitted = subject.isPermitted(perm)
            println "$isPermitted -> ${it.permission.controller}:${it.permission.action}"
        }
    }
Sorry for my poor English, and thanks for replying.
BTW, here is another question about how to cache Shiro permissions:
how to use cache permissions in grails shiro
To proflux:
So what do you think is the better way to store the menu list?
Because:
It needs to show different menus to users according to their permissions.
Sometimes we update a web app but want to show the menu to users later.
So we only need to change something such as menu.visible (better than changing hard-coded config or source).
We are using ExtJS to show the menu (so the nav plugin can't be used).
Shiro uses the convention of $controller:$action for permissions. You have two options:
Use the Shiro Tags
Use the Shiro API directly
In the first case, in your GSP you can add something like:
    <shiro:hasPermission permission="someController:someAction">
        <g:link...>
    </shiro:hasPermission>
    <shiro:lacksPermission permission="someController:someAction">
        No link
    </shiro:lacksPermission>
Alternatively, you can use the <g:if...> tag and use the
    SecurityUtils.subject.isPermitted("someController:someAction")
method to directly check if the user has the necessary permission.
For more info, check out the Grails Shiro Tag Library Source and the Shiro API docs.
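The question's snippet and the answer above both rely on Shiro's "controller:action" wildcard permissions, so it helps to see exactly which granted strings imply which requested ones when a menu list is filtered. The block below is an added example, not code from the Shiro project or the Grails Shiro plugin: it re-implements the implication rules of Shiro's WildcardPermission (colon-separated parts, comma-separated alternatives, "*" wildcard, missing trailing parts imply everything) in plain Python and then filters a constructed menu for a constructed set of user permissions. The MenuEntry class, the sample menu and the sample permission strings are all invented for the example.

```python
"""Added example: Shiro-style wildcard permission implication and menu filtering.
This is a stand-alone re-implementation of the semantics, not the Shiro library."""
from dataclasses import dataclass

PART_DIVIDER = ":"      # separates parts, e.g. controller:action
SUBPART_DIVIDER = ","   # separates alternatives inside one part, e.g. list,show
WILDCARD = "*"


def parse_permission(text: str) -> list[set[str]]:
    """'User:login,logout' -> [{'user'}, {'login', 'logout'}].
    Shiro lowercases permission strings by default; this does too."""
    text = text.strip().lower()
    if not text:
        raise ValueError("permission string must not be empty")
    parts = []
    for raw in text.split(PART_DIVIDER):
        subparts = {s.strip() for s in raw.split(SUBPART_DIVIDER) if s.strip()}
        if not subparts:
            raise ValueError(f"empty part in permission {text!r}")
        parts.append(subparts)
    return parts


def implies(granted: str, requested: str) -> bool:
    """True if 'granted' implies 'requested', following WildcardPermission.implies:
    - a part missing from the end of 'granted' matches anything ('user' implies 'user:login');
    - a part containing '*' matches any value in that position;
    - otherwise the granted part must contain every alternative the request names;
    - parts 'granted' has beyond the request's length must all be wildcards."""
    g_parts = parse_permission(granted)
    r_parts = parse_permission(requested)
    i = 0
    for r_part in r_parts:
        if i >= len(g_parts):
            return True
        g_part = g_parts[i]
        if WILDCARD not in g_part and not g_part.issuperset(r_part):
            return False
        i += 1
    return all(WILDCARD in g_part for g_part in g_parts[i:])


def is_permitted(granted: list[str], requested: str) -> bool:
    """A subject is permitted if any of its granted permissions implies the request."""
    return any(implies(g, requested) for g in granted)


@dataclass(frozen=True)
class MenuEntry:            # hypothetical stand-in for the question's Menu domain class
    name: str
    controller: str
    action: str


def visible_menu(entries: list[MenuEntry], granted: list[str]) -> list[str]:
    """Names of the entries whose controller:action the subject holds."""
    return [e.name for e in entries if is_permitted(granted, f"{e.controller}:{e.action}")]


# Constructed sample data for the example.
SAMPLE_MENU = [
    MenuEntry("Login", "user", "login"),
    MenuEntry("Profile", "user", "show"),
    MenuEntry("Books", "book", "list"),
    MenuEntry("Delete book", "book", "delete"),
    MenuEntry("Admin", "admin", "index"),
]
SAMPLE_PERMS = ["user:*", "book:list,show"]   # what a constructed subject was granted

if __name__ == "__main__":
    for name in visible_menu(SAMPLE_MENU, SAMPLE_PERMS):
        print("visible:", name)
```

Storing controller and action on the menu entry, as the question ended up doing, is what makes this check possible: the permission string is built from the entry rather than parsed out of a URL that may not map one-to-one onto a controller.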

Django admin/doc/views/ all blank or broken

I'm trying to use Django's built-in admin docs feature to make writing templates easier. Supposedly if you go to /admin/docs/views you should get documentation for every view in your application. I see a list, but none of the links work:
-) Any view listed that's related to my application just goes to a blank page with nothing but the name of the view as a header.
-) The views related to admin all give me Django 404 errors when I click on them, except those that are related to the docs itself. The docs-related links also give me blank pages. (i.e. clicking /admin/doc/filters gives a blank page with nothing but "django.contrib.admindocs.views.template_filter_index" as a title, but clicking /admin/auth/user gives me a Django 404 error.)
The 404 errors lead me to suspect my URLconf is wrong, but all I did was uncomment the built-in lines. The relevant sections read:
    # Uncomment the admin/doc line below to enable admin documentation:
    (r'^admin/doc/', include('django.contrib.admindocs.urls')),
    # Uncomment the next line to enable the admin:
    (r'^admin/', include(admin.site.urls)),
And I have no idea what to make of the blank pages. Do I need to provide some extra meta information somewhere, like I know you need to provide the get_absolute_url on models for some of the admin features to work right?
Even if no one knows the answer, any documentation on the admin docs feature would be useful -- I've been Googling all over (and searching StackOverflow) and this feature seems very little-documented.
Thanks!
You need to add 'django.contrib.admindocs' to your INSTALLED_APPS in settings.py. It should already be there and commented out. Though it would be nice if the comment in urls.py mentioned it ... Source.
I've never looked at the views admin doc pages before -- I've never had a need to. But you're right, they seem to be -- lacking in potential features.
If you give your views functions docstrings (documentation), that content will appear on your "blank pages".
Most -- no, all -- of the admin site's views are actually decorated member methods of admin.sites.AdminSite. I looked around, and a view of mine which uses a decorator also suffers from the 404.
The view responsible for view details starts:
    def view_detail(request, view):
        if not utils.docutils_is_available:
            return missing_docutils_page(request)
        mod, func = urlresolvers.get_mod_func(view)
        try:
            view_func = getattr(import_module(mod), func)
        except (ImportError, AttributeError):
            raise Http404
        title, body, metadata = utils.parse_docstring(view_func.__doc__)
        ...
You can see it tries to import the view to get info from it; if the view is actually a decorator (which probably used an internal function to wrap the real view), it won't be able to import it. eg, if you do from django.contrib.admin.sites import index in a django shell, you'll get an ImportError, whereas django.contrib.admin.site.index (note the singular site) is a:
    <bound method AdminSite.index of <django.contrib.admin.sites.AdminSite object at 0x...>>
Further, that last line in my snippet seems to indicate that there's a capability for finer control over what shows up on those pages, if you care to figure out the template that utils.parse_docstring uses.
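To make the two failure modes in the answer concrete (a decorated view that loses its docstring, and a bound method that cannot be imported by dotted path), the following is an added example that models the lookup view_detail performs without depending on Django. It is not Django's code: get_mod_func mirrors the behaviour of Django's helper, parse_docstring is a simplified version that returns only title and body (no metadata), ViewNotFound stands in for Http404, and the sample views, decorators and FakeAdminSite class are constructed for the demonstration.

```python
"""Added example: how an admindocs-style view lookup resolves a dotted path and
why decorated views and bound methods come out blank or 404. Not Django code."""
import functools
import inspect
import re
from importlib import import_module

MODULE = __name__   # this file's module name, used to build dotted view paths below


def get_mod_func(callback: str) -> tuple[str, str]:
    """'pkg.views.index' -> ('pkg.views', 'index'); a path without a dot has no function part."""
    try:
        dot = callback.rindex(".")
    except ValueError:
        return callback, ""
    return callback[:dot], callback[dot + 1:]


def parse_docstring(docstring):
    """First paragraph becomes the page title, the rest the body (simplified, no metadata).
    A missing docstring yields ('', ''), which is the 'blank page' from the question."""
    if not docstring or not docstring.strip():
        return "", ""
    paragraphs = re.split(r"\n\s*\n", inspect.cleandoc(docstring))
    return paragraphs[0].strip(), "\n\n".join(p.strip() for p in paragraphs[1:])


class ViewNotFound(LookupError):
    """Stands in for the Http404 raised when the view cannot be imported."""


def describe_view(dotted_path: str) -> tuple[str, str]:
    """Import the module named by the path, fetch the attribute, parse its docstring."""
    mod, func = get_mod_func(dotted_path)
    try:
        view_func = getattr(import_module(mod), func)
    except (ImportError, AttributeError) as exc:
        raise ViewNotFound(dotted_path) from exc
    return parse_docstring(view_func.__doc__)


# --- constructed sample views ---------------------------------------------
def hello_view(request):
    """Greet the caller.

    Renders a plain greeting; the first line above is what the index lists."""
    return "hello"


def plain_decorator(view):
    def wrapper(request):           # no functools.wraps: the wrapper has no docstring
        return view(request)
    return wrapper


def wraps_decorator(view):
    @functools.wraps(view)          # copies __doc__ and __name__ onto the wrapper
    def wrapper(request):
        return view(request)
    return wrapper


@plain_decorator
def lost_doc_view(request):
    """This docstring never reaches the docs page."""
    return "x"


@wraps_decorator
def kept_doc_view(request):
    """This docstring survives the decorator."""
    return "y"


class FakeAdminSite:                # hypothetical stand-in for admin.sites.AdminSite
    def index(self, request):
        """Admin index, reachable only as a bound method of an instance."""
        return "admin"


def demo_results() -> dict:
    """Run the lookup over each sample path; '404' marks a ViewNotFound."""
    out = {}
    for label, name in [("plain", "hello_view"), ("lost_doc", "lost_doc_view"),
                        ("kept_doc", "kept_doc_view")]:
        out[label] = describe_view(f"{MODULE}.{name}")
    for label, path in [("bound_method", f"{MODULE}.FakeAdminSite.index"),
                        ("missing", f"{MODULE}.no_such_view")]:
        try:
            describe_view(path)
            out[label] = "found"
        except ViewNotFound:
            out[label] = "404"
    return out


if __name__ == "__main__":
    for label, result in demo_results().items():
        print(f"{label}: {result}")
```

The bound-method case fails at the import step, not the docstring step: the dotted path puts the class name where a module name is expected, so import_module raises and the page becomes a 404, which is exactly what the answer's ImportError experiment shows. For your own decorated views, applying functools.wraps in the decorator is enough to make the docstring (and the function name) visible again.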

Symfony 1.4 and global variables

I've got a very old PHP application (1999) that has been worked on during the last ten years. At this point the app starts to show its age, so I'm in the process of migrating to a "new" framework, Symfony 1.4. But since the app is very large, I cannot do this all at once. So I'm planning to wrap the old app into the new Symfony app, and convert functionality by functionality.
The first step in this transition was making the old app appear in the new Symfony app. So, I've created the "frontend" application, added a "legacy" module, made it the default homepage, and I've put everything I had in my index.php (all pages went through this index.php) in the indexSuccess.php file for the indexAction. I've added the code in the "view" because there are also functions in it, and changing that setup would take me more time than I want to spend on the old app.
Unfortunately I've now got an issue with global variables. Let me give you an example (I would never have made this register function like this, but it is, so please look past that).
    $session = new ps_session;
    $demo = "this is a demo variable";
    $session->register('demo');
In ps_session i have this method
    public function register($var) {
        global $$var;                 // looks the variable up in the global scope by name
        $_SESSION [$var] = $$var;
    }
So it should put the content of $demo in a session var named "demo". Clever, right? :) Anyway, var_dumping shows me that $$var is "null" and $demo is filled if I var_dump before and after calling the function. The exact same code without Symfony returns the correct content.
What am I missing? The global call is spread out in all areas of this massive app, so I really don't want to switch to something else; I'm hoping for a quick fix :)
Maybe relevant: all the code except the index.php content is in the frontend/lib/legacy/ folder, the index is in frontend/modules/legacy/ (if there is some scope issue I'm missing).
I think that since your indexSuccess.php file is included inside a function (more precisely, here : lib/vendor/symfony/lib/view/sfPHPView.class.php:185 ), this can't work, because $demo is no longer in the global scope. I don't see any easy workaround for this...
I think you should create a legacy folder in /web , and use routing to redirect to it if the url corresponds to something not migrated yet.
I went with putting the entire old site under web/legacy and redirecting from the default index action to the legacy folder. Most of the URLs were made by mod_rewrite, so they were easily fixed. The other URLs went through a function, so fixing them was OK, and only a few were hardcoded. To make it totally transparent, I only need to redo the homepage to start from, so I don't have a visible /legacy/ in my URL. Thanks for the help!
I agree with greg0ire that this is an issue with the way sfPHPView includes indexSuccess.
Could you simply require index.php in the default/index action?