Tags: security, grails, .htpasswd, basic-authentication

Securing a devel Grails application with a single htpasswd-like password


I am showing a Grails app to some colleagues on a public domain. So far I am working in devel mode and have not deployed via WAR.

I need to secure the application in order to keep anybody from checking it out / playing with it. I have user management in place already, but before somebody sees anything I would like to have .htpasswd-like protection. If possible, I do not want to enlarge the application itself with plugins (e.g., Shiro).

Any thoughts/suggestions?

Thanks a lot!


Solution

  • You could use HTTP authentication. HTTP authentication is dead simple to implement, but it's not very secure or usable. You're better off using Shiro or Spring Security for a real solution. That said, a simple filter can check for an HTTP Authorization header and return a 401 status code if it is not present. That will force the browser to pop up a username/password box and resubmit the form with the username and password encoded in the headers.

    Grails filters must have a class name that ends with "Filters" and go in the grails-app/conf directory. Here's an example:

    class SimpleAuthFilters {
        // Dev-only gate: one shared credential, compared as plain text (not constant-time).
        // static final so the static `filters` closure can resolve them without a delegate.
        static final String USERNAME = "foo"
        static final String PASSWORD = "bar"
    
        static filters = {
            httpAuth(uri:"/**") {
                before = {
                    def authHeader = request.getHeader('Authorization')
                    // Only the Basic scheme is understood: "Basic base64(user:password)"
                    if (authHeader?.startsWith('Basic ')) {
                        try {
                            def usernamePassword = new String(authHeader.substring(6).trim().decodeBase64(), 'UTF-8')
                            if (usernamePassword == "$USERNAME:$PASSWORD") {
                                return true
                            }
                        } catch (RuntimeException ignored) {
                            // malformed base64: fall through to the 401 challenge instead of a 500
                        }
                    }
                    // Missing or wrong credentials: challenge so the browser prompts and retries
                    response.setHeader('WWW-Authenticate', 'Basic realm="myRealm"')
                    response.sendError(response.SC_UNAUTHORIZED)
                    return false
                }
            }
        }
    }
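
The filter above hard-codes one plaintext credential and splits the header on whitespace without checking the scheme. The script below is an added example (not part of the original answer, and not Grails code: it is plain Groovy that runs with `groovy file.groovy`) showing how the same check looks when it is actually ".htpasswd-like": it loads `{SHA}` entries in the format `htpasswd -s` writes (base64 of the SHA-1 of the password), parses the `Authorization` header per RFC 7617 (scheme check, base64 decode, split on the first colon only so passwords may contain colons), and compares digests in constant time with `MessageDigest.isEqual`. The htpasswd text, user name and password are constructed for the example; only the `{SHA}` entry format is handled, so `apr1`, bcrypt or crypt entries would need their own verifier. The `authenticate` helper returns the user name or `null`; a Grails filter would return `true` on a name and send the 401 challenge on `null`, exactly as in the answer's code.

```groovy
import java.security.MessageDigest

// Constructed sample of what `htpasswd -s` writes: user "alice", password "password".
// {SHA} entries are base64(SHA-1(password)), so this is a real htpasswd line.
String htpasswdText = '''\
# comments and blank lines are allowed in an htpasswd file
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
'''

// Parse htpasswd text into a user -> stored-hash map.
Map<String, String> loadHtpasswd(String text) {
    Map<String, String> users = [:]
    text.eachLine { String line ->
        String l = line.trim()
        if (!l || l.startsWith('#')) return
        int sep = l.indexOf(':')
        if (sep > 0) users[l.substring(0, sep)] = l.substring(sep + 1)
    }
    users
}

// Split an Authorization header into [user, password], or null when it is not a
// well-formed Basic credential. Only the first ':' separates user and password
// (RFC 7617 allows ':' inside the password); the scheme is case-insensitive.
List<String> parseBasic(String authHeader) {
    if (authHeader == null) return null
    String[] parts = authHeader.trim().split(/\s+/, 2)
    if (parts.length != 2 || !parts[0].equalsIgnoreCase('Basic')) return null
    String decoded
    try {
        decoded = new String(parts[1].decodeBase64(), 'UTF-8')
    } catch (RuntimeException ignored) {
        return null   // bad base64 is treated like missing credentials, not a server error
    }
    int sep = decoded.indexOf(':')
    if (sep < 0) return null
    [decoded.substring(0, sep), decoded.substring(sep + 1)]
}

// Verify a password against one htpasswd {SHA} entry without a timing leak.
boolean checkSha(String stored, String password) {
    if (!stored.startsWith('{SHA}')) return false   // only the {SHA} format is handled here
    byte[] expected = stored.substring(5).decodeBase64()
    byte[] actual = MessageDigest.getInstance('SHA-1').digest(password.getBytes('UTF-8'))
    MessageDigest.isEqual(expected, actual)         // constant-time comparison
}

// Returns the authenticated user name, or null (caller sends 401 + WWW-Authenticate).
// An unknown user still runs a digest so the response time does not reveal valid names.
String authenticate(Map<String, String> users, String authHeader) {
    List<String> cred = parseBasic(authHeader)
    if (!cred) return null
    String stored = users[cred[0]] ?: '{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA='
    checkSha(stored, cred[1]) && users.containsKey(cred[0]) ? cred[0] : null
}

// Exercise the helpers with constructed requests.
Map<String, String> users = loadHtpasswd(htpasswdText)
String basic(String userPass) { 'Basic ' + userPass.getBytes('UTF-8').encodeBase64().toString() }

assert authenticate(users, basic('alice:password')) == 'alice'
assert authenticate(users, basic('alice:wrong')) == null
assert authenticate(users, basic('bob:password')) == null        // unknown user
assert authenticate(users, 'Bearer sometoken') == null           // wrong scheme
assert authenticate(users, 'Basic not*base64*at*all') == null    // malformed, still a 401
assert authenticate(users, null) == null                         // no header at all
println 'all checks passed'
```

In a Grails filter you would call `authenticate(users, request.getHeader('Authorization'))` inside `before` and keep the 401 branch from the answer's code unchanged; loading the htpasswd text once at startup (for example from a file path in `Config.groovy`) keeps the credential out of the class source.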