April 2010 - Armbruster IT Blog

restrict a Grails controller to localhost access only

A common requirement for many web applications is that some parts (aka controllers) should only be accessible from specifc ip addresses. Typically controllers doing some administrative or maintenance work must be protected from non-authroized access. The most complete solution for this is using a full blown security framework like the Grails Acegi plugin. But there’s also a lean and quick solution for this in Grails: use a controller interceptor:

def beforeInterceptor = {
   if (!["127.0.0.1", "0:0:0:0:0:0:0:1"].contains(request.remoteAddr)) {
      render(status: 401, text: 'Access limited to localhost')
      return false
   }
}

Grails calls the beforeIntereceptor closure prior every action in a controller. Only if it returns true, the action is executed. In the code above if the client has a non-local IP address, a 401 error is returned with an error message. Note that localhost in IPv6 is 0:0:0:0:0:0:0:1, so it work both in IPv4 and IPv6 networks.

Grails Neo4j plugin 0.2.1 released

Today I released a minor update of the Grails Neo4j plugin. The changes are:

performance improvement by no longer calling map constructor in createInstanceForNode
fixed transaction handling by replacing interceptor with a “real” servlet filter
support for primitve arrays as properties in domain classes
bugfix: handling of bidirectional many-to-many relationships
bugfix: setProperties does no longer null out properties that have not been set
support for encodeAsXXXX methods from CodecsGrailsPlugin. In previous versions encoding did not work, since the ‘node’
property of the domain classes could not be encoded (it’s a neo4j internal class!). Workaround: add getNode()==null method
in AST transformation.

Everyone using the 0.2 release is recommended to upgrade.