Last updated by admin 3 years ago
HTTP Method Restrictions

Introduction

Often a web application needs to impose restrictions on which HTTP request methods are allowed for specific actions in the application. For example, initiating any action that destroys or modifies data using an HTTP-GET is generally considered to be a bad idea.

Inspecting The Request Method
The request method may be inspected inside a controller action, and the application may respond as appropriate. The code below is a way to prevent the delete action from being invoked using an HTTP-GET.

    class PersonController {
        def delete = {
            if(request.method == 'GET') {
                // redirect to the list action
                redirect(action:list)
            } else {
                // the rest of the delete action goes here
            }
        }
    }

The same check can respond with a 403 instead of redirecting:

    class PersonController {
        def delete = {
            if(request.method == 'GET') {
                // reject the request with 403 Forbidden
                response.sendError(403)
            } else {
                // the rest of the delete action goes here
            }
        }
    }

Declarative Syntax For Method Restrictions
As of version 0.3 Grails provides a simple declarative syntax to help limit access to controller actions based on the HTTP request method. The optional allowedMethods property may be added to a controller to let the framework know which HTTP methods are allowed for controller actions. By default, all request methods are allowed for all controller actions. The allowedMethods property only needs to be defined if the controller contains actions that need to be restricted to certain request methods.

The allowedMethods property should be assigned a value that is a Map. The keys in the map should be the names of actions that need to be restricted. The value associated with each of those keys may be either a String or a List of Strings. If the value is a String, that String represents the only request method that may be used to invoke that action. If the value is a List of Strings, the List represents all of the request methods that may be used to invoke that action. If the specified restrictions are violated then a 403 will be returned in the response. For example:

    class PersonController {
        // action1 may be invoked only via POST
        // action2 has no restrictions
        // action3 may be invoked via POST or DELETE
        def allowedMethods = [action1:'POST', action3:['POST', 'DELETE']]

        def action1 = { … }
        def action2 = { … }
        def action3 = { … }
    }
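Because every action is unrestricted until it appears in allowedMethods, an action left out of the map can still be invoked with GET. The script below is an added example, not part of the original Grails documentation: it models the rules described above in plain Groovy and lists which actions a given method can still reach. The helpers methodAllowed and reachableBy, and the action names other than list and delete, are hypothetical.

```groovy
// Added example: plain Groovy, runs as a script without Grails.
// methodAllowed and reachableBy are hypothetical helpers, not Grails APIs.

// Applies the rule described above: no entry means no restriction; a String
// names the single permitted method; a List names every permitted method.
boolean methodAllowed(Map allowedMethods, String action, String method) {
    def rule = allowedMethods[action]
    if (rule == null) {
        return true
    }
    def permitted = (rule instanceof List) ? rule : [rule]
    // Assumption: method names are compared exactly, in upper case.
    return permitted.contains(method)
}

// Lists the actions that a given request method can still invoke.
List reachableBy(String method, List actions, Map allowedMethods) {
    actions.findAll { methodAllowed(allowedMethods, it, method) }
}

// Constructed sample: a PersonController with five actions where 'update'
// was left out of the restriction map.
def actions = ['list', 'show', 'save', 'update', 'delete']
def allowedMethods = [save: 'POST', delete: ['POST', 'DELETE']]

def viaGet = reachableBy('GET', actions, allowedMethods)

// 'update' modifies data but has no entry, so GET still reaches it.
assert viaGet == ['list', 'show', 'update']
assert reachableBy('DELETE', actions, allowedMethods) == ['list', 'show', 'update', 'delete']

// A restricted action invoked with the wrong method is the case where the
// framework returns 403.
assert !methodAllowed(allowedMethods, 'save', 'GET')

println "Actions reachable with GET: ${viaGet}"
```

Comparing this list against the actions that create, change or delete data shows which entries are still missing from allowedMethods.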


