I'm trying to build control logic that depends on the current GSP page to call an action. Is there a tag or a session method that I can use to identify the current GSP page?

I want to restrict access to all GSPs except signup and login, so if a user opens any other GSP he will be redirected to the signup page, and he will also be able to navigate to the login page.

The logic I am trying to implement is like this: if current_Page is login.gsp or signup.gsp then do nothing, else redirect to signup //where user can navigate to login page with no problems too

And I want to add this logic in the main layout so it gets implemented across all the application domain.

I'm wondering if there is an alternative way of doing this using RequestmapController or UrlMappings?

Anyone with experience in Spring MVC will be able to help, as Grails is built on top of Spring MVC, which in turn is built on top of the standard servlet framework!

Note: I'm using Acegi Plugin

Remark: How can the application be SEO-friendly (i.e. Google indexing) with this type of security mechanism implemented?

+1  A: 

You need the Spring security plugin. The best way to do this is not within your GSPs but using a filter on all the web requests. That'll give you the Requestmaps and UrlMappings GrailsNewbie mentioned.

John Stoneham
Hi, I'm using the acegi plugin, how can I implement that filter so if the user is not signed in he will only be able to browse to the signup.gsp and login.gsp?
tranced_UT3
+3  A: 

You should read this: link text

And the tutorial using ACEGI plugin: link text

The latter is the way I would go. It allows you to set up roles and secure "pages" and URLs by role. It also includes a way to create users and assign them to roles.

To install the ACEGI grails plugin, do a: grails install-plugin acegi

tegbains
I am already using acegi!!! I just don't know how to make a filter that can do the job right!
tranced_UT3
What I would do is make your roles for the levels of access you want, and then make Requestmap entries for ALL of your URLs, EXCEPT for your registration and login controllers (ACEGI provides both features as optional controllers/views). So if you apply a Requestmap to, say, a controller called TosecureController, it should have a URL of /tosecure in your grails app. In the Requestmap create one for /tosecure/** and it will be secured by the login ACEGI controller/view (I'm paraphrasing).
tegbains
Easy way - make a general requestmap that matches EVERYTHING and have it require the 'user' role. Then, the things you want to be accessible to anonymous, override for them.
John Stoneham
+3  A: 

Edit: Sorry, I misunderstood your question. I thought you were looking for an alternative to Requestmaps. That is why I originally suggested securing the controllers with annotations.

If you want to use Requestmaps you could do the following:

  1. Create a new Requestmap that looks like this:
    URL pattern = /login/**
    Role = IS_AUTHENTICATED_ANONYMOUSLY

  2. To restrict access to the rest of the site create another requestmap entry which matches all the urls:
    URL pattern = /*/**
    Role = ROLE_USER (you could use any other role you like)

IS_AUTHENTICATED_ANONYMOUSLY means that anyone can access the matched URLs. The first rule is more specific and therefore should overwrite the second and more general rule.

You can look at AcegiSecurity Plugin - Securing URLs for more information.

Regarding the site's SEO. AFAIK search engines cannot access sites that need authentication. That is why sites like Experts Exchange use sly tricks to get indexed by Google.

You could choose to give anonymous users read access while requiring a login for writing (like SO does). This would allow your site to be indexed by search engine bots.

I hope this helps!

Heinrich Filter
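
The Requestmap rules discussed in this thread, modelled as an added example that is not part of any answer and is not the plugin's own matcher. It assumes a `/signup/**` entry (taken from the question), the catch-all `/**` suggested in the comments, a simplified Ant-style matcher, and that the most specific matching pattern wins, as the answer above states; all function names are hypothetical.

```python
import re

# Rule table built from the thread: /login/** from the answer, /signup/** assumed
# from the question, and /** as the catch-all that requires a logged-in role.
RULES = [
    ("/login/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/signup/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/**", "ROLE_USER"),
]

def ant_to_regex(pattern):
    """Translate a simplified Ant-style pattern: ** spans segments, * stays in one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out += "(/.*)?"  # a trailing /** also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")

def required_attribute(url, rules=RULES):
    """Return the attribute of the most specific matching rule, or None (no rule)."""
    path = url.split("?", 1)[0]  # the query string plays no part in matching here
    matches = [(p, a) for p, a in rules if ant_to_regex(p).match(path)]
    if not matches:
        return None
    # Assumption: specificity = length of the pattern with wildcards removed.
    return max(matches, key=lambda m: len(m[0].replace("*", "")))[1]

def is_allowed(url, granted, rules=RULES):
    """Deny by default: a URL that no rule matches is refused."""
    needed = required_attribute(url, rules)
    if needed is None:
        return False
    return needed == "IS_AUTHENTICATED_ANONYMOUSLY" or needed in granted

def anonymous_surface(urls, rules=RULES):
    """List the URLs an unauthenticated visitor can reach under the rule table."""
    return [u for u in urls if is_allowed(u, set(), rules)]

if __name__ == "__main__":  # constructed sample URLs
    print(anonymous_surface(["/login/auth", "/signup", "/book/list", "/loginx"]))
```

Running `anonymous_surface` over the application's full list of controller URLs shows exactly which pages stay reachable without a login, which is a quick way to confirm that only the login and signup pages are exposed.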