
Securing devel grails application with single htpasswd like password

I am showing a grails app to some colleagues on a public domain. So far I am working in devel mode and have not deployed via war.

I need to secure the application in order to keep anybody from checking it out / playing with it. I have a user mgmt in place already, but before somebody sees anything I would like to have .htpasswd-like protection. If possible, I do not want to enlarge the application itself with plugins (e.g., shiro).

Any thoughts/suggestions?

Thanks a lot!

fluxon asked Nov 24 '10 15:11



2 Answers

You could use HTTP authentication. HTTP authentication is dead simple to implement, but it's not very secure or usable. You're better off using shiro or spring-security for a real solution. That said, a simple filter can check for an HTTP Authorization header and return 401 status code if not present. That will force the browser to pop up a username/password box, and resubmit the form with the username and password encoded in the headers.

Grails filters must have a class name that ends with "Filters" and go in the grails-app/conf directory. Here's an example:

class SimpleAuthFilters {
    def USERNAME = "foo"
    def PASSWORD = "bar"

    static filters = {
        // Apply to every URI in the application
        httpAuth(uri:"/**") {
            before = {
                def authHeader = request.getHeader('Authorization')
                // Only handle the Basic scheme; any other scheme (or a malformed
                // header) falls through to the 401 below instead of throwing
                if (authHeader && authHeader.startsWith('Basic ')) {
                    // Header is "Basic <base64(username:password)>"
                    def usernamePassword = new String(authHeader.split(' ')[1].decodeBase64())
                    if (usernamePassword == "$USERNAME:$PASSWORD") {
                        return true
                    }
                }
                // Missing or wrong credentials: challenge the browser so it
                // prompts for a username/password and resubmits the request
                response.setHeader('WWW-Authenticate', 'basic realm="myRealm"')
                response.sendError(response.SC_UNAUTHORIZED)
                return false
            }
        }
    }
}
ataylor answered Nov 20 '22 02:11

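A hardened version of the header check above, added here as an example and not part of the answer or of Grails itself. The class name BasicAuthCheck and its method ok() are assumed names; it rejects non-Basic schemes, malformed base64 and missing colons instead of throwing, allows a colon inside the password, and compares credentials in constant time via MessageDigest.isEqual on fixed-length digests.

```groovy
import java.nio.charset.StandardCharsets
import java.security.MessageDigest

// Hypothetical helper (not from the original answer): validates the value of an
// HTTP Authorization header against one expected username/password pair.
class BasicAuthCheck {
    static boolean ok(String authHeader, String expectedUser, String expectedPass) {
        if (!authHeader) return false                          // no header at all
        def parts = authHeader.trim().split(/\s+/, 2)          // "Basic <token>"
        if (parts.length != 2 || !parts[0].equalsIgnoreCase('Basic')) return false
        byte[] raw
        try {
            raw = parts[1].decodeBase64()                      // bad token -> exception
        } catch (Exception ignored) {
            return false
        }
        String decoded = new String(raw, StandardCharsets.UTF_8)
        int colon = decoded.indexOf(':')                       // split on the FIRST colon only
        if (colon < 0) return false
        String user = decoded.substring(0, colon)
        String pass = decoded.substring(colon + 1)
        // Digest both sides so MessageDigest.isEqual compares equal-length values
        // in constant time, independent of how long the supplied credential is.
        def sha = MessageDigest.getInstance('SHA-256')
        byte[] got  = sha.digest("${user}:${pass}".getBytes(StandardCharsets.UTF_8))
        byte[] want = sha.digest("${expectedUser}:${expectedPass}".getBytes(StandardCharsets.UTF_8))
        return MessageDigest.isEqual(got, want)
    }
}

// Same filter shape as the answer above, delegating the parsing to the helper.
class SimpleAuthFilters {
    static filters = {
        httpAuth(uri: "/**") {
            before = {
                if (BasicAuthCheck.ok(request.getHeader('Authorization'), 'foo', 'bar')) {
                    return true
                }
                response.setHeader('WWW-Authenticate', 'basic realm="myRealm"')
                response.sendError(response.SC_UNAUTHORIZED)
                return false
            }
        }
    }
}
```

The expected pair is still a literal for demonstration; in practice load it from configuration outside the source tree so it does not end up in version control.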


Add the following to $CATALINA_HOME/conf/tomcat-users.xml and restart Tomcat:

<role rolename="role1"/>
<user username="user1" password="password1" roles="role1"/>

At your Grails project root, execute grails install-templates. This will place src/templates/war/web.xml into the project.
(If the file is not visible in your IDE, this might be a bug; find it in the file system instead.)

Add the following to web.xml (as a child of the web-app tag):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>
      Entire Application
    </web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
      <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Restricted Area</realm-name>
</login-config>
robbbert answered Nov 20 '22 00:11
