I'm relatively new to Spring, but very new to Spring Security and Grails. To be brief, I know it's recommended to not allow .jsp files to be servable; you should toss them in WEB-INF and set up your controllers to pull them from the right place.
How would I go about doing this in Grails? It seems that I would destroy the idea of "convention over configuration" by tossing gsp's into WEB-INF and then writing logic into all my controllers (if that's even immediately possible...) It seems I would have to alter some basic Grails configurations.
Any ideas?
OK, I haven't seen a complete answer for this here (or elsewhere on StackOverflow) that provides a full valid result, so here's what I've come up with:
First, create a new controller:
grails create-controller gspForbidden
Open this up, and add this to the index action:
index = {
    // Answer with a bare 404 so the request looks like any other missing resource
    response.status = 404
}
Then, open grails-app/conf/UrlMappings.groovy and add this under the static mappings closure:
"/grails-app/**.gsp"(controller:"gspForbidden")
This will redirect any attempts to view a GSP directly to the gspForbidden controller. That controller, in turn, simply renders a 404 - a file not found response. The best thing about this is that it's completely hidden - there's nothing showing that the GSP path was correct, so there's less chance of exposing something important about the application design.
I tried repeatedly to figure out how to use UrlMappings to show a 404 without the controller, but I had no success. If you can think of a way, please let me know. I'd much rather have this happen without any explicit controllers.