3
votes

In a Grails application, one can access the WEB-INF contents, including all the .gsp content as well as the .class files, when deployed.

I am using Grails 2.3.5 and deploying the WAR in Tomcat 7.

You can access the files using:

http://mydomain.com/static/WEB-INF/web.xml
http://mydomain.com/static/WEB-INF/grails-app/views/anyview.gsp
http://mydomain.com/static/WEB-INF/grails-app/i18n/messages.properties
http://mydomain.com/static/WEB-INF/classes/anyclass.class

Can I disable access to these URLs in Grails?

1
What is your mapping for the /static URL? That should be fixed. - RaviH
You mean in UrlMappings.groovy? I tried putting "/static/WEB-INF/**"(view:"/error"), but the result was the same. - zdesam
No servlet container should ever let you see the contents of files under WEB-INF. What server are you using? - Burt Beckwith
I am using the default plugin provided by Grails: build ":tomcat:7.0.50". Also, deploying on Tomcat 7.0.39 in the production environment has the same issue. - zdesam
I doubt you have a /static mapping in your web.xml. Please check. - RaviH

1 Answer

6
votes

In Grails, by default, there is the resources plugin, and it maps all the resources, such as css, js, images, WEB-INF, plugins and META-INF, which you will find when you extract the WAR file.

You need to include the following line in your Config.groovy to include just css, js and images in static resources:

grails.resources.adhoc.includes = ['/images/**','/js/**','/css/**']

You can also use:

grails.resources.adhoc.excludes = ['/WEB-INF/**']

to exclude only WEB-INF.

I don't know whether I should say "for more information" or just "for information". Anyway, you can also find some information on this in the documentation of the resources plugin, in the configuration part, which has the title:

Controlling the includes and excludes of the adhoc filter: grails.resources.adhoc.includes/excludes
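
A post-deployment check for the setting in the answer above, as an added example that is not part of the original answer or of the resources plugin: it requests the URLs from the question and reports any that are still served. The `/static/META-INF/MANIFEST.MF` path and the function names are assumptions made for this example; the other paths are the asker's own placeholders.

```python
"""Confirm that the /static mapping no longer serves WEB-INF or META-INF content."""
import sys
import urllib.error
import urllib.request

# Paths from the question (view and class names are the asker's placeholders).
SENSITIVE_PATHS = [
    "/static/WEB-INF/web.xml",
    "/static/WEB-INF/grails-app/views/anyview.gsp",
    "/static/WEB-INF/grails-app/i18n/messages.properties",
    "/static/WEB-INF/classes/anyclass.class",
    # Assumption: added because the answer says META-INF is mapped as well,
    # and excluding only '/WEB-INF/**' would not cover it.
    "/static/META-INF/MANIFEST.MF",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as-is, so a redirect to a 200 error page is not counted as a leak."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def http_status(url, timeout=10):
    """Return the HTTP status of a GET request; 3xx/4xx/5xx are returned, not raised."""
    try:
        with _opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exposed_paths(base_url, paths=SENSITIVE_PATHS, fetch=http_status):
    """Return (path, status) for every path the server still answers with 2xx."""
    base = base_url.rstrip("/")
    results = [(path, fetch(base + path)) for path in paths]
    return [(path, status) for path, status in results if 200 <= status < 300]


if __name__ == "__main__":
    leaks = exposed_paths(sys.argv[1])  # e.g. the base URL of your own deployment
    for path, status in leaks:
        print(f"EXPOSED {status} {path}")
    sys.exit(1 if leaks else 0)
```

Run it against your own deployment before and after changing Config.groovy; the non-zero exit code on any exposed path makes it usable as a CI or smoke-test gate.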