views:

150

answers:

2

I have an application where I am using Spring Security along with grails melody. I am planning to run grails melody in the production environment, but don't want visitors to have access to it. How should I achieve that? I tried creating a filter in Grails (just showing a sample of what I am trying, not the actual code):

def filters = {
    allURIs(uri: '/**') {
        before = {
            // ...
            // Hide the admin and monitoring URLs: answer 404 and stop the chain
            if (request.forwardURI.indexOf("admin") != -1 ||
                request.forwardURI.indexOf("monitoring") != -1) {
                response.sendError 404
                return false
            }
        }
    }
}

But this doesn't work as the request for "monitoring" doesn't hit this filter. I don't even want the user to know that such a URL exists, so I want to check in the filter that if "monitoring" is the URL, I show the 404 error page. That's also the reason why I don't want to protect this URL with Spring Security, as it will show the "access denied" page.

Basically I want the URLs to exist but they should be invisible to users. I want access to these special URLs to be open only to certain IP addresses.

On another note, is it possible to write a Grails filter that "acts" before the Spring Security filter is hit? I want to be able to do some filtering before I forward requests to Spring Security. Writing a Grails filter like the one above doesn't help: the Spring Security filter gets hit first if I access a protected resource and this filter doesn't get called.

Thanks

+2  A: 

Grails filters are wrappers around Spring Interceptors, so they fire after "real" servlet filters like those used by Spring Security. If you want something to fire before Spring Security you'll need to register a filter in web.xml, or possibly in the plugin's filter chain.

This is one of the motivations for the IP address filter. We wanted an admin section that was available to logged-in admins but also only available if accessed from the LAN or VPN. LAN and VPN IP addresses all started with 10., so we added a rule for

'/admin/**': '10.**'

The filter sends a 404 response to hide the existence of the resources.

See http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/guide/10.%20Extending%20and%20configuring%20the%20plugin.html#10.8.%20IP%20Address%20Restrictions for the docs on this.

Burt Beckwith
Thanks Burt! I will go for the "real" filter solution.
batmannavneet
It seems now that you should see: http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/guide/18%20IP%20Address%20Restrictions.html
evernat
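As an added example, not code from Burt's answer or from the plugin, this is the kind of "real" servlet filter that can be registered in web.xml ahead of the Spring Security filter chain. It answers 404 for /admin/** and /monitoring/** unless the client's address matches an allowed prefix; the class name, the hidden paths and the allowed prefixes are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed class name; in a Grails app it can live under src/java and be
// mapped in web.xml ahead of springSecurityFilterChain.
public class HiddenUriFilter implements Filter {

    // Paths to hide (relative to the context root) and the client address
    // prefixes allowed to see them; both values are assumptions for this example.
    static final String[] HIDDEN_PREFIXES = { "/admin", "/monitoring" };
    static final String[] ALLOWED_IP_PREFIXES = { "10.", "127.0.0.1" };

    public void init(FilterConfig config) { }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Strip the context path so "/app/monitoring" becomes "/monitoring".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Use the socket peer address rather than X-Forwarded-For: that header
        // is client-supplied unless a trusted proxy overwrites it. Behind a
        // proxy, let the container resolve the real client address first.
        if (isHidden(path) && !isAllowed(request.getRemoteAddr())) {
            // 404 rather than 403 so outsiders cannot tell the resource exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    static boolean isHidden(String path) {
        for (String prefix : HIDDEN_PREFIXES) {
            // Match "/admin" and "/admin/..." but not "/administration".
            if (path.equals(prefix) || path.startsWith(prefix + "/")) return true;
        }
        return false;
    }

    // Prefix matching mirrors the '10.**' rule above; a CIDR comparison is stricter.
    static boolean isAllowed(String remoteAddr) {
        for (String prefix : ALLOWED_IP_PREFIXES) {
            if (remoteAddr.startsWith(prefix)) return true;
        }
        return false;
    }
    public void destroy() { }
}
```

Filter order in web.xml follows the order of the filter-mapping elements, so this filter's mapping must come before the springSecurityFilterChain mapping. In Grails the web.xml template becomes editable after running grails install-templates.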
A: 

Burt's answer is a good one.

Another answer can be to use javamelody's built-in security options: http://code.google.com/p/javamelody/wiki/UserGuide#15._Security

For example, you can add the following parameter, which is a regexp, in your GrailsMelodyConfig.groovy file: javamelody.'allowed-addr-pattern' = '127.0.0.1'

evernat