(Quick Reference)

allowedMethods

Purpose

To limit access to controller actions based on the HTTP request method.

Examples


class PersonController {
    // action1 may be invoked via a POST
    // action2 has no restrictions
    // action3 may be invoked via a POST or DELETE
    static allowedMethods = [action1:'POST',
                             action3:['POST', 'DELETE']]
    def action1 = { … }
    def action2 = { … }
    def action3 = { … }
}

Description

The request method may be inspected inside of a controller action and the application may respond however is appropriate. The code below is a way to prevent the delete action from being invoked using an HTTP-GET.


class PersonController {
    def delete = {
        if (request.method == 'GET') {
            // redirect to the list action
            redirect(action:list)
        } else {
            // the rest of the delete action goes here
        }
    }
}

Instead of redirecting to some other action the application may want to return a 405 (Method Not Allowed) error code like this:


class PersonController {
    def delete = {
      if (request.method == 'GET') {
          response.sendError(405)
      } else {
          // the rest of the delete action goes here
      }
    }
}

A problem with inspecting the request method inside of the controller action is that this code ends up being repeated in a lot of actions within a controller, in many controllers in an application and in many applications. For specialized application specific handling of invalid requests this may make sense but for the general case the Grails framework provides a simple declarative syntax to help with this problem.

Grails provides a simple declarative syntax to help limit access to controller actions based on the HTTP request method. The optional allowedMethods property may be added to a controller to let the framework know which HTTP methods are allowed for controller actions. By default, all request methods are allowed for all controller actions. The allowedMethods property only needs to be defined if the controller contains actions that need to be restricted to certain request methods.

The allowedMethods property should be assigned a value that is a Map. The keys in the map should be the names of actions that need to be restricted. The value associated with each of those keys may be either a String or a List of Strings. If the value is a String, that String represents the only request method that may be used to invoke that action. If the value is a List of Strings the List represents all of the request methods that may be used to invoke that action. If the specified restrictions are violated then a 405 will be returned in the response.