for some of our Grails-based applications we have to implement a quite complex set of access rules based on <security-constraints> in the web.xml. In order to configure these rules and to not leave any holes by mistake, I need to know what URLs are actually mapped and accessible in my application. As you know, resources in a Java servlet application are exposed by the following two aspects:
* Static resources in the root folders of the WAR file (except folders like WEB-INF and META-INF)
* Mapped servlets
So in principle I could have a look at the created WAR file for the folders and files and at the web.xml file for servlet-mappings. However, Grails works with wildcard mappings in web.xml file, which allows the high flexibility and convenience of using the UrlMappings configuration mechanism. This also makes it quite difficult to determine what URLs you have exposed and thus what URLs you have to protect. Correct me if I'm wrong, but in Grails there are many spots where URLs can be exposed:
* UrlMappings.groovy of the application
* Custom UrlMappings coming from plugins
* Plugin descriptors (doWithWebDescriptor)
* Serlvets coming from plugins (usually added via doWithWebDescriptor)
* Events from plugins (modifying the web.xml)
* Configuration coming from plugins (dynamically adding to dispatcher servlets)
While many of these results end up in the final web.xml, we can't really be sure what goes on in dispatcher servlets that map to wildcard URLs. So my question here is if there is a possibility, via logging or even programmatically, to see what URL patterns are finally exposed?
It is clear that this is not a Grails-specific problem, because other frameworks make heavy use of dispatcher servlet and declarative configuration of URL patterns as well, but maybe someone else already did some investigations in this direction using Grails and has some useful remarks?
Thanks in advance!
P.S.: For some background information, we're using a custom SAML/SSO based login mechanism that also involves a server-side authentication module (on Weblogic). We need to use <security-constraints> in our web.xml to achieve a certain authentication and protectiong behaviour. We're currently running into problems where the Java servlet specification is simply not flexible enough, i.e. once you protected a resource like /* in a security-constraint, you can't simply 'unprotect' sub-URLs, or give them completely different security-roles. Using a custom servlet of filter is also not really an option, since we have to depend on a delcarative configuration in the web.xml file, which means in principle white-listing URL patterns :(.