javamelody / grails-melody-plugin

JavaMelody monitoring plugin for Grails, to monitor application performance
https://plugins.grails.org/plugin/grails-melody-plugin
Apache License 2.0

HTTP 302 is not logged #49

Closed artemik closed 6 years ago

artemik commented 6 years ago

Grails: 3.2.11 Plugin: 1.67.0

When using spring security core, unauthorized access results in an HTTP 302 redirecting to the login form page. I can't see this HTTP 302 logged anywhere in the JavaMelody monitoring page, only the login page.

Is it possible to turn it on somehow?

evernat commented 6 years ago

Yes, the melody filter intercepts requests after spring-security-core. See here: https://github.com/javamelody/grails-melody-plugin/blob/master/src/main/groovy/grails/melody/plugin/GrailsMelodyPluginGrailsPlugin.groovy#L16. So it's normal that the requests which are not allowed by spring-security-core are not seen by the melody plugin. It's done like that so that you can protect the access to the monitoring page with spring-security.

I don't think that you can change that from your app, but for information the filter is defined here: https://github.com/javamelody/grails-melody-plugin/blob/master/src/main/groovy/grails/melody/plugin/MelodyConfig.groovy#L37

artemik commented 6 years ago

Is it possible to decouple monitoring and monitoring page functionalities so that they are hit in the following order: 1) monitoring 2) spring-security (restricts access to monitoring page) 3) monitoring-page ?

It's important because now if your login page is being attacked by brute force, you won't see it. If your site is being checked by bots scanning for common admin panel addresses, you won't see it.

evernat commented 6 years ago

It can't be decoupled in the grails plugin. And the monitoring page can't be before the spring-security filter, because it would be a security regression.

But you can change the order of the filters between the melody filter and the spring-security filter. For that, it is needed to call setOrder(-200) on the result of the melodyFilter() method (I think that the order of the spring-security filter is -100 in recent grails versions). So you can add src/main/groovy/MelodyFilterPostProcessor.groovy in your app:

```groovy
import org.springframework.beans.factory.config.BeanPostProcessor

class MelodyFilterPostProcessor implements BeanPostProcessor {

    @Override
    Object postProcessBeforeInitialization(Object bean, String beanName) {
        // nothing to do before initialization
        return bean
    }

    @Override
    Object postProcessAfterInitialization(Object bean, String beanName) {
        // the plugin registers the monitoring filter under the bean name "melodyFilter";
        // lower order means the filter runs earlier in the chain
        if (beanName == "melodyFilter") {
            bean.setOrder(-200)
        }
        return bean
    }
}
```

and in grails-app/conf/spring/resources.groovy:

```groovy
beans = {
    melodyFilterPostProcessor(MelodyFilterPostProcessor)
}
```

You may also add the javamelody parameter authorized-users to protect the access to the monitoring page.
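A variant of the post-processor above, added here as an example and not code from the plugin or from the thread's participants: it takes the target order as a bean property instead of hard-coding -200, checks that the bean really is a FilterRegistrationBean before calling setOrder(), and logs the old and new order so the change is visible at startup. The bean name "melodyFilter" and the -100 guess for the spring-security filter are taken from the comment above; the class name, the package and the `order` property are assumptions of this example. The registration shown in the comment block is what you would put in grails-app/conf/spring/resources.groovy.

```groovy
// Added example, not part of the plugin. Registration in resources.groovy
// (the property name `order` is this example's own choice):
//
//   beans = {
//       melodyFilterOrderPostProcessor(MelodyFilterOrderPostProcessor) {
//           order = -200
//       }
//   }
package example.monitoring  // hypothetical package

import groovy.util.logging.Slf4j
import org.springframework.beans.factory.config.BeanPostProcessor
import org.springframework.boot.web.servlet.FilterRegistrationBean

@Slf4j
class MelodyFilterOrderPostProcessor implements BeanPostProcessor {

    /** Bean name the plugin uses for the monitoring filter (from the thread above). */
    static final String MELODY_FILTER_BEAN = 'melodyFilter'

    /**
     * Order to assign. Anything lower than the spring-security filter's order
     * (assumed to be -100 in the thread) makes the monitoring filter run first,
     * so the 302 redirects issued by spring-security are recorded.
     */
    int order = -200

    @Override
    Object postProcessBeforeInitialization(Object bean, String beanName) {
        bean
    }

    @Override
    Object postProcessAfterInitialization(Object bean, String beanName) {
        if (beanName != MELODY_FILTER_BEAN) {
            return bean
        }
        if (!(bean instanceof FilterRegistrationBean)) {
            // Fail loudly rather than calling a method that may not exist on a
            // different bean type; the filter order is then left untouched.
            log.warn("Bean '{}' is {}, not a FilterRegistrationBean; order not changed",
                     beanName, bean.getClass().name)
            return bean
        }
        FilterRegistrationBean registration = (FilterRegistrationBean) bean
        int previous = registration.order
        registration.order = order
        log.info("Filter '{}' order changed from {} to {}", beanName, previous, order)
        bean
    }
}
```

Once the monitoring filter runs before spring-security, the monitoring page itself is also reached before the security filter, which is exactly why the authorized-users parameter mentioned above (or an equivalent restriction) should be configured at the same time.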

artemik commented 6 years ago

Thanks, I'll look into that.