securing app using url patterns


securing app using url patterns

prom-2
Hi,
I'm trying to secure my grails app using url patterns (acegi plugin).
/user/list and /user/show are accessible by anonymous users,
/user/create, /user/delete and /user/edit are only accessible by admins.
Everything is working so far.

Now I'm running into trouble:
Unfortunately, it is possible to invoke actions on the controller without using the URLs above - e.g. in the scaffolded code of the show-view there is a link to the delete action:
<input type="submit" name="_action_Delete" value="Delete" />
I don't know how to prevent users from invoking delete/... methods this way.

Any ideas?

Thanks in advance,
Prom

Re: securing app using url patterns

Marc Palmer

On 20 Jun 2007, at 11:33, Prom wrote:

>
> Hi,
> I'm trying to secure my grails app using url patterns (acegi plugin).
> /user/list and /user/show are accessible by anonymous users,
> /user/create, /user/delete and /user/edit are only accessible by admins.
> Everything is working so far.
>
> Now I'm running into trouble:
> Unfortunately, it is possible to invoke actions on the controller without using the URLs above - e.g. in the scaffolded code of the show-view there is a link to the delete action:
> <input type="submit" name="_action_Delete" value="Delete" />
> I don't know how to prevent users from invoking delete/... methods this way.
>
> Any ideas?

Have you tried the acegi plugin? (Caveat: I've not played with it.) What you are after is authorisation with control of the UI too.

You can do this with your own taglib I suggest, and generate your scaffolding and edit it, or create your own scaffold templates.

Marc
~ ~ ~
Marc Palmer
Grails : Groovy : Java
Blog - http://www.anyware.co.uk/

---------------------------------------------------------------------
To unsubscribe from this list please visit:

    http://xircles.codehaus.org/manage_email


Re: securing app using url patterns

prom-2
Thanks for your reply, Marc.
Yes I'm using the Acegi Plugin.
The problem is not how to hide things on the web page (e.g. using taglibs) - the problem is that it is possible to access controller actions without using the /user/create / edit / delete URLs. This makes it impossible to secure the webapp with acegi.
I think a solution could be to disable the feature of dynamic controller action invocation (using the _action_Delete ... form submission). Actually I have no idea how to do this...

Further help appreciated...

Thanks in advance,
Prom

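As an added illustration (not code from the thread, the Acegi plugin or Grails), this Python model shows why authorisation keyed on the request URL misses the `_action_Delete` form dispatch Prom describes, and why checking the action that will actually run closes the gap. The dispatch rule (an `_action_<Name>` parameter overrides the action in the path) and both rule tables are assumptions that mirror the thread's description, not Grails internals.

```python
# Added model (not Grails/Acegi code): URL-pattern authorisation vs. authorisation
# on the resolved controller action, for the `_action_Delete` dispatch case.
import re

ANON, ADMIN = "ROLE_ANONYMOUS", "ROLE_ADMIN"

# URL-pattern rules as described in the thread: first matching pattern wins.
URL_RULES = [
    (r"^/user/(create|edit|delete)(/.*)?$", {ADMIN}),
    (r"^/user/(list|show)(/.*)?$", {ANON, ADMIN}),
]
# Action-level rules: keyed on the action the controller will actually execute.
ACTION_RULES = {
    "list": {ANON, ADMIN}, "show": {ANON, ADMIN},
    "create": {ADMIN}, "edit": {ADMIN}, "delete": {ADMIN},
}

def resolve_action(path, params):
    """Assumed dispatch rule: a parameter named `_action_<Name>` overrides the
    action named in the URL path; the suffix is lower-cased so `_action_Delete`
    selects the `delete` action. Otherwise the action is the second path segment."""
    for name in params:
        if name.startswith("_action_"):
            return name[len("_action_"):].lower()
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 else "index"

def authorize_by_url(path, role):
    """The weak check: looks only at the request URL, never at the parameters."""
    for pattern, roles in URL_RULES:
        if re.match(pattern, path):
            return role in roles
    return False

def authorize_by_action(path, params, role):
    """The corrected check: authorises the action that dispatch will run."""
    return role in ACTION_RULES.get(resolve_action(path, params), set())

def demo():
    # Constructed request: the scaffolded show view posting its Delete button.
    path, params = "/user/show/1", {"id": "1", "_action_Delete": "Delete"}
    return {
        "resolved_action": resolve_action(path, params),
        "url_check_lets_anonymous_in": authorize_by_url(path, ANON),
        "action_check_lets_anonymous_in": authorize_by_action(path, params, ANON),
        "action_check_lets_admin_in": authorize_by_action(path, params, ADMIN),
    }

if __name__ == "__main__":
    print(demo())
```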