Question

In a Grails application, one can access the WEB-INF contents, including all the .gsp content as well as the .class files, when deployed.

I am using Grails 2.3.5 and deploying the WAR in Tomcat 7.

You can access the files using

http://mydomain.com/static/WEB-INF/web.xml
http://mydomain.com/static/WEB-INF/grails-app/views/anyview.gsp
http://mydomain.com/static/WEB-INF/grails-app/i18n/messages.properties
http://mydomain.com/static/WEB-INF/classes/anyclass.class

Can I disable access to these URLs in Grails?

Solution

In Grails, by default, there is the resources plugin, and it maps all the resources such as css, js, images, WEB-INF, plugins and META-INF, which you will find when you extract the war file.

You need to include the following line in your config.groovy to include just css, js and images in static resources.

grails.resources.adhoc.includes = ['/images/**','/js/**','/css/**']

You can also use:

grails.resources.adhoc.excludes = ['/WEB-INF/**']

to exclude only WEB-INF.

I don't know whether I should say for more information or just for information. Anyway, you can also find some information on this in the documentation of the resources plugin, in the configuration part which has the title

Controlling the includes and excludes of the adhoc filter: grails.resources.adhoc.includes/excludes
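A post-deployment check for the setting above, added here as an example and not part of the original answer: it requests the paths listed in the question and reports any that are still served, and confirms that legitimate static assets still load. The META-INF probe, the `main.css` asset name and the function names are assumptions made for this example.

```python
import urllib.error
import urllib.request

# Paths taken from the question (served under the /static prefix), plus one
# constructed META-INF probe; MANIFEST.MF is present in any WAR.
MUST_BE_BLOCKED = [
    "/static/WEB-INF/web.xml",
    "/static/WEB-INF/grails-app/views/anyview.gsp",
    "/static/WEB-INF/grails-app/i18n/messages.properties",
    "/static/WEB-INF/classes/anyclass.class",
    "/static/META-INF/MANIFEST.MF",
]
# Assumed asset name; replace with a file your application really ships.
MUST_BE_SERVED = ["/static/css/main.css"]


def http_status(url, timeout=5):
    """Return the HTTP status code for a GET of url (error codes included)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, status_of=http_status):
    """Return (leaked, broken): protected paths that answered 2xx, and
    legitimate assets that did not."""
    base = base_url.rstrip("/")
    leaked = [p for p in MUST_BE_BLOCKED if 200 <= status_of(base + p) < 300]
    broken = [p for p in MUST_BE_SERVED if not 200 <= status_of(base + p) < 300]
    return leaked, broken


if __name__ == "__main__":
    import sys
    leaked, broken = audit(sys.argv[1])
    for p in leaked:
        print("LEAKED ", p)
    for p in broken:
        print("MISSING", p)
    sys.exit(1 if leaked or broken else 0)
```

Run it against your own deployment's base URL after changing the configuration; a non-zero exit code means a protected path is still readable or a static asset stopped loading.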

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow