Home/ Questions/Q 8584543
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T21:47:52+00:00

I’ve got a Grails application, using spring-security plugin, deployed on Tomcat and I have

  • 0

I’ve got a Grails application, using spring-security plugin, deployed on Tomcat and I have Apache Httpd server in front of it.
I would like to deploy few php scripts, which perform some file operations, on the httpd server. This seems to be easy, however I’m wondering, if it’s possible, to restrict access to these scripts, so that only clients authenticated in my Grails app would be able to execute them?

I just want to restrict access to the scripts, but on the other end, I don’t want to move them to Groovy/Java due to performance reasons [I don’t want to waste Tomcat time for these tasks].

EDIT:
the php script results in a file [up to 1MB] which is then transferred to the client.
I’ve read this and thought about this reverse proxy from tomcat to httpd, however I’m worried about impact it will have on Tomcat.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can do this with a little mod_perl. Below is an example solution that would need to be tweaked a little so that it only catches the URLs that you want secured and ignores everything else.

    The code below assumes some URL on the Grails server that is secured by Spring Security, and the only thing on that page is the work “ALLOWED”. I used the URL http://mywebapp.com/some-secured-page.jsp.

    The mod_perl code, in a file called MyModPerlFilter.pm is this:

    package MyModPerlFilter;

use strict;
use Apache2::RequestRec;
use Apache2::Connection;
use APR::Table;
use LWP::Simple;

use base qw(Apache2::Filter);

use Apache2::Const -compile => qw(REDIRECT DECLINED M_GET);

use constant BUFF_LEN => 1024;

sub handler : FilterRequestHandler {
    my $r = shift;

    # check only GET requests for /*.php, ignore everything else
    if ($r->uri() =~ m|/.*\.php$| && $r->method_number == Apache2::Const::M_GET) {

        # grab Tomcat session ID from request
        my $jsessionid = $r->headers_in->{Cookie} =~ /JESSIONID=([^;\s]+)/ && $1;

        # fetch secure page with the Tomcat session ID
        my $res = get("http://mywebapp.com/some-secured-page.jsp;jsessionid=$jsessionid");

        # any response other than the word "ALLOWED" redirect to login form
        if ($res ne 'ALLOWED') {
            $r->headers_out->set("Location", "http://mywebapp.com/login.jsp");
            return Apache2::Const::REDIRECT;
        }
    }

    return Apache2::Const::DECLINED;
}

1;

    If the request is a GET for a URL that matches “/*.php” it will directly call a secured page on the Grails server and verifies that it returns the text “ALLOWED”. If the call to the Grails page doesn’t, it means the user isn’t authenticated and redirects them to the Spring Security login page.

    The only tricky part is grabbing the session ID from the request and including that when you call the security check URL. It assumes the session ID is stored in the cookie JSESSIONID, and that your Tomcat is set up to allow session IDs passed in the URL.

    The Apache setup requires mod_perl to be installed, and configured similar to this.

    # location of the mod_perl handler (or use the default locations)
PerlSwitches -I/usr/local/somewhere

<VirtualHost *:80>
    ...

    SetHandler modperl
    PerlMapToStorageHandler MyModPerlFilter

    ...

    # any proxy related stuff here
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
    • 0