Identify the URL (or controller and action name) of the request that is not authorized by the Shiro Grails plugin

I would like to be able to register requests that my application receives that are unauthorized. Since the Shiro plugin uses an HTTP redirect to send the user to auth/unauthorized, the request object is new and I cannot get the original URL, the controller/action name, or the request parameters.

Is there a way to determine either the source url or the name of the controller and action (and, if possible, request parameters) inside an unauthorized AuthController action?

I am looking at http://plugins.grails.org/grails-shiro/tags/RELEASE_1_1_3/ShiroGrailsPlugin.groovy as the reference for the plugin source.

Details:
Grails 1.3.7
Plugin Shiro Grails 1.1.3

+3
1 answer

I had the same problem ... my solution is not perfect:

The browser sends the so-called referrer in one of the headers, which you can get through

    request?.getHeader('Referer')

But a referrer is something you can really rely on, but most browsers send it.

Another solution might be a filter: try writing the current URL to another variable before you call accessControl() in ShiroSecurityFilters.groovy. You can get the current URL via request.forwardURI.

Update: just confirmed my last assumption - this seems like the cleanest solution for me:

In ShiroSecurityFilters.groovy replace

            // Access control by convention.
            accessControl()

with

            // Access control by convention.
            if (!accessControl()) {
                session.deniedUrl = request.forwardURI
                return false
            }

URL- session.deniedUrl / .

+2
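
An added example, not part of the original answer or the plugin's own code: it extends the filter change above to also record the controller, action and parameter names the question asks about, and shows the `unauthorized` action reading and logging them. The `session.denied` key, the `clean` helper, the 200-character cap and the rendered message are assumptions made for illustration.

```groovy
import org.apache.shiro.SecurityUtils   // used by AuthController below

// --- grails-app/conf/ShiroSecurityFilters.groovy ---
class ShiroSecurityFilters {
    def filters = {
        all(uri: "/**") {
            before = {
                // Ignore direct views (no controller involved).
                if (!controllerName) return true

                // Access control by convention.
                if (!accessControl()) {
                    // Parameter names only: values may hold passwords or tokens.
                    session.denied = [
                        url       : request.forwardURI,
                        controller: controllerName,
                        action    : actionName,
                        paramNames: params.keySet().collect { it.toString() }
                    ]
                    return false
                }
            }
        }
    }
}

// --- grails-app/controllers/AuthController.groovy (unauthorized action only) ---
class AuthController {
    def unauthorized = {
        // Read once and clear, so a later visit does not log a stale entry.
        def denied = session.denied
        session.removeAttribute('denied')
        if (denied) {
            log.warn("Access denied: user=${clean(SecurityUtils.subject?.principal)} " +
                     "url=${clean(denied.url)} controller=${clean(denied.controller)} " +
                     "action=${clean(denied.action)} params=${clean(denied.paramNames)}")
        }
        render "You do not have permission to access this page."
    }

    // The URL and parameter names are client-supplied: replace control
    // characters (CR/LF log forging) and cap the length before logging.
    private String clean(value) {
        String s = (value == null ? '' : value.toString()).replaceAll(/\p{Cntrl}/, '?')
        s.size() > 200 ? s.substring(0, 200) : s
    }
}
```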
