Closed artemik closed 6 years ago
Yes, the melody filter intercepts requests after spring-security-core. See here: https://github.com/javamelody/grails-melody-plugin/blob/master/src/main/groovy/grails/melody/plugin/GrailsMelodyPluginGrailsPlugin.groovy#L16 So it's normal that the requests which are not allowed by spring-security-core are not seen by the melody plugin. It's done like that so that you can protect the access to the monitoring page with spring-security.
I don't think that you can change that from your app, but for information the filter is defined here: https://github.com/javamelody/grails-melody-plugin/blob/master/src/main/groovy/grails/melody/plugin/MelodyConfig.groovy#L37
Is it possible to decouple the monitoring and monitoring-page functionalities so that they are hit in the following order: 1) monitoring, 2) spring-security (restricts access to the monitoring page), 3) monitoring page?
It's important because now if your login page is being attacked by brute force, you won't see it. If your site is being checked by bots scanning for common admin panel addresses, you won't see it.
It can't be decoupled in the grails plugin. And the monitoring page can't be before the spring-security filter, because it would be a security regression.
But you can change the order of the filters between the melody filter and the spring-security filter. For that, you need to call setOrder(-200) on the result of the melodyFilter() method (I think that the order of the spring-security filter is -100 in recent grails versions).
So you can add `src/main/groovy/MelodyFilterPostProcessor.groovy` in your app:
```groovy
import org.springframework.beans.factory.config.BeanPostProcessor

// Moves the JavaMelody filter ahead of the spring-security filter (order -100),
// so that requests rejected by spring-security are still seen by the monitoring.
class MelodyFilterPostProcessor implements BeanPostProcessor {

    @Override
    Object postProcessBeforeInitialization(Object bean, String beanName) {
        return bean
    }

    @Override
    Object postProcessAfterInitialization(Object bean, String beanName) {
        // "melodyFilter" is the FilterRegistrationBean created by the grails-melody-plugin
        if (beanName == "melodyFilter") {
            bean.setOrder(-200)
        }
        return bean
    }
}
```
and in `grails-app/conf/spring/resources.groovy`:
```groovy
beans = {
    melodyFilterPostProcessor(MelodyFilterPostProcessor)
}
```
You may also add the javamelody parameter `authorized-users` to protect the access to the monitoring page.
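To verify that the re-ordering took effect rather than trusting the -100 guess, the following added example (not code from the plugin or from the comment above) lists every servlet filter registration bean with its order once the Spring context is refreshed, and warns when the melody filter is not ahead of spring-security. It assumes the Spring Boot 1.4+ package names that Grails 3.2 ships (AbstractFilterRegistrationBean under org.springframework.boot.web.servlet), that the spring-security registration bean name starts with `springSecurityFilterChain`, and that the class is registered in `resources.groovy` the same way as the post processor; the name FilterOrderReporter is my own.

```groovy
import org.springframework.boot.web.servlet.AbstractFilterRegistrationBean
import org.springframework.context.ApplicationListener
import org.springframework.context.event.ContextRefreshedEvent

// Added example, not part of grails-melody-plugin.
// Prints every servlet filter registration bean with its order, lowest first.
// A lower order runs earlier in the filter chain, so after setOrder(-200) the
// melodyFilter line should appear above the spring-security registration (-100).
// Register in grails-app/conf/spring/resources.groovy:
//   filterOrderReporter(FilterOrderReporter)
// Assumes Spring Boot 1.4+ class locations (what Grails 3.2 uses) and that the
// spring-security registration bean name starts with "springSecurityFilterChain".
class FilterOrderReporter implements ApplicationListener<ContextRefreshedEvent> {

    @Override
    void onApplicationEvent(ContextRefreshedEvent event) {
        Map<String, AbstractFilterRegistrationBean> registrations =
                event.applicationContext.getBeansOfType(AbstractFilterRegistrationBean)

        // Dump the effective chain order so it can be compared with the expectation.
        registrations.entrySet().sort { it.value.order }.each { entry ->
            println "filter order ${entry.value.order}: bean '${entry.key}'"
        }

        // Sanity check: monitoring must run before spring-security to see rejected requests.
        AbstractFilterRegistrationBean melody = registrations['melodyFilter']
        AbstractFilterRegistrationBean security = registrations
                .find { it.key.startsWith('springSecurityFilterChain') }?.value
        if (melody == null || security == null) {
            println "WARNING: could not find both melodyFilter and the spring-security registration bean"
        } else if (melody.order >= security.order) {
            println "WARNING: melodyFilter (${melody.order}) does not run before spring-security (${security.order})"
        }
    }
}
```

The listener only reports; it changes nothing, so it is safe to leave in a development profile and drop once the order is confirmed.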
Thanks, I'll look into that.
Grails: 3.2.11, Plugin: 1.67.0
When using spring security core, unauthorized access results in an HTTP 302 redirecting to a login form page. I can't see this HTTP 302 being logged anywhere in the JavaMelody monitoring page, only the login page.
Is it possible to turn it on somehow?