
Could anyone advise a feasible solution to prevent direct access to *.gsp pages on Grails?

After reviewing intercepting '/**.gsp', I found it impossible to use, as it filters out not only direct access but also the pages rendered from controllers, etc.

I tried to set up the following in UrlMapping.groovy; even though I can prevent direct *.gsp access, I also make a mess of the navigation of the pages: all the links seem to go to the home page then.

    "/**.gsp" {
        isEligible = {
            System.err.println("ALL PARAMS: " + params)
            request.requestURL.toString().endsWith(".gsp")
        }
        controller = {
            if (request.requestURL.toString().endsWith(".gsp")) {
                "public"
            } else {
                "*"
            }
        }
        action = {
            if (request.requestURL.toString().endsWith(".gsp")) {
                "home"
            } else {
                "*"
            }
        }
    }

Once I thought about setting up a filter like org.springframework.web.filter.OncePerRequestFilter, but I'm not quite sure how to define it properly, as Grails tends to generate the web.xml filters section by itself.

Any thoughts?

Thanks a lot! tom

Wim Coenen
tom.au
  • Just a thought on this: have you tested to confirm you do have direct access to it in a testing and production environment? I have a feeling Grails might only allow direct access when your environment is set to Development. – Melv Mar 06 '11 at 23:35
  • Very interesting problem. I never noticed it, but it happens to me even in production. Though the page will very likely return an error, since it doesn't have the information from the controller. – Hoàng Long Mar 07 '11 at 07:08
  • I've just finished running in production mode; the same problem exists. Anyway, thanks for your hints! I just wonder how to set up some kind of surrogate in my sample code to prevent matching those non-direct accesses; you see, I tried 'isEligible', but it doesn't work. – tom.au Mar 07 '11 at 10:45

4 Answers


Unfortunately I did not find a solution with UrlMappings. Here is a solution which is a little bit ugly, but if you use the same layout (for example main.gsp) on all pages you could add these lines to the layout (main.gsp).

    <% if (request.requestURL.toString().endsWith(".gsp")) {
           response.sendRedirect("${request.contextPath}/")
       } %>

This way, if the user tries to access the gsp page directly, he gets redirected to the home page.

Maybe not the best solution, but it did work for me so far.

Cheers, shifty

mjspier
  • That works! Thanks for your help :) But pages which don't refer to the template main.gsp still have the same problem. Maybe I should take a while to read about the URL mapping mechanism in Grails. Thanks anyway! – tom.au Mar 08 '11 at 05:46
  • I just tested this one with the app-engine plugin and it gives me a redirect loop exception. :( – mjspier Mar 08 '11 at 09:05

Add these to UrlMappings:

    "/**.gsp" {
        controller = {
            if (request.requestURL.toString().endsWith(".gsp")) {
                "forbidden"
            } else {
                params.controller
            }
        }
    }

And create a ForbiddenController and an index.gsp with "Never think of accessing GSPs directly dude." as its content.

Cheers.

abatishchev
S.C.

According to the Grails FAQ, the "/**.gsp" configuration in UrlMapping.groovy should work.

I couldn't try it out yet.

How did you add the links to the page? Are the links also broken when you use the link tag?

    <g:link controller="book" action="list">Book List</g:link>
mjspier
  • Sorry, I am not sure I understand your question... if '/**.gsp' is set up directly to filter and route to the 'index' view, the page can't even be opened, as it dead-loops redirecting to the 'index' view. – tom.au Mar 07 '11 at 12:23
  • Actually, I think the question is about how we STOP direct access by a link like `http://MyApp/book/list.gsp`. – Hoàng Long Mar 07 '11 at 15:05
  • Maybe my question was not clear enough :P But I tried the "/**.gsp" in UrlMapping.groovy now and this does not work properly. Still searching for a solution.... – mjspier Mar 07 '11 at 15:45
What about writing a filter that will be executed on each request?

Houcem Berrayana
  • I shall try this also, as using the trick on the template couldn't solve the problem completely. – tom.au Mar 10 '11 at 04:16
  • I couldn't find a solution using filters: when defining a filter as `excludeDirectAccess(uri: '/**') { ... request.requestURL.toString().endsWith(".gsp") ... }`, I found the expression couldn't be true anyway; the request.requestURL is just a strange URL which wasn't the one typed in the address bar. This is so annoying... :( – tom.au Mar 10 '11 at 08:12
  • I'll try it later and I'll let you know the result. – Houcem Berrayana Mar 10 '11 at 13:38
  • Thanks! I found that request.forwardURI doesn't work either. It just returns something like '.../xxx.js', indicating the browser was trying to request a JavaScript resource; however, I don't see anything related to the original direct-access URL, etc. Then I also printed out all the request attributes; nothing with the direct-access URL either. :( – tom.au Mar 11 '11 at 05:10
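The servlet-level filter the question (OncePerRequestFilter) and this answer allude to, as an added example that is not from any participant in the thread: it relies on the servlet spec rather than on Grails filters or UrlMappings, so the `request.requestURL` problem reported in the comments does not arise. It assumes a Grails 1.x app in which `grails install-templates` has produced an editable src/templates/war/web.xml, and that the class is placed in src/groovy; the class and filter names are mine.

```groovy
// Added example, not from the thread. Assumes a Grails 1.x app where
// `grails install-templates` has created src/templates/war/web.xml and that
// this class sits in src/groovy so it is compiled into the war.
import javax.servlet.*
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

/**
 * Rejects a request whose URI names a .gsp file (e.g. /book/list.gsp) when it
 * came straight from the client. A view rendered by a controller reaches the GSP
 * servlet through an internal FORWARD, and a filter-mapping with no <dispatcher>
 * element runs only for REQUEST dispatches, so rendered views (and <g:include>,
 * an INCLUDE dispatch) never pass through here. UrlMappings are untouched, so
 * link generation keeps working.
 */
class DirectGspAccessFilter implements Filter {
    void init(FilterConfig config) {}
    void destroy() {}

    void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
        HttpServletRequest request = (HttpServletRequest) req
        HttpServletResponse response = (HttpServletResponse) res
        // Set by the container on every forwarded request (Servlet 2.4+); null means
        // the client asked for this URI itself. Second guard in case a FORWARD
        // dispatcher is ever added to the mapping below.
        boolean forwarded = request.getAttribute('javax.servlet.forward.request_uri') != null
        String path = request.requestURI ?: ''   // no query string, so the suffix test is exact
        if (!forwarded && path.toLowerCase().endsWith('.gsp')) {
            // 404 rather than 403: a 403 would confirm that the template exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND)
            return
        }
        chain.doFilter(req, res)
    }
}

/* Matching web.xml entries for src/templates/war/web.xml. Declare this
   filter-mapping before Grails' own mappings so the check runs first:
   <filter>
       <filter-name>directGspAccessFilter</filter-name>
       <filter-class>DirectGspAccessFilter</filter-class>
   </filter>
   <filter-mapping>
       <filter-name>directGspAccessFilter</filter-name>
       <url-pattern>*.gsp</url-pattern>
   </filter-mapping>
*/
```

Because the mapping has no `<dispatcher>` element, a controller's `render(view: ...)` still reaches the GSP servlet unfiltered, which is what the UrlMappings attempts above could not separate from direct requests.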