Grails

GR8Conf US 2016 Recap

July 29, 2016 by Annyce Davis Leave a Comment

This was my first time attending GR8Conf and it was a really great experience. I primarily focus on Android Development now, but I enjoy dabbling in some API Development when I find the time. This conference was very inspiring and I plan on investigating many of the new things that I learned. Here are a few highlights of the event:

Overview

So the event took place at The University of St. Thomas in Minneapolis, Minnesota. This was my first time in Minnesota, it’s a very beautiful city. I was especially impressed with the Skyway System, which allows you to walk between buildings without going outside. I took it on as a personal challenge to find the Target store from the main conference building and make it back on my own.

@brwngrldev basically, didn’t see people, discovered they walk around like gerbils in these walkways all day

— Annyce Davis (@brwngrldev) July 28, 2016

The conference is focused on the technologies related to the Groovy ecosystem, such as Grails, Ratpack, Gradle, and Spock. Despite “the hate” that I sometimes hear about Groovy, I’m a big fan and was excited to have the chance to be a part of the conference.

Takeaways

So there were a few sessions that I derived a ton of value from, one was the “Grails Keynote”. It was delivered by Graeme Rocher, the Grails Project Lead. He discussed the many enhancements in Grails 3, such as:

Being Based on Spring Boot
Using the Gradle Build System
The Use of Profiles

He showed how simple it is to use the rest-api profile to create REST applications in Grails. I was really impressed with how quickly he was able to get an application up and running. He also demonstrated some of the upcoming features in GORM to support reactive programming, it was all very exciting to see.

Then during the “Documenting RESTful APIs with Spring REST Docs” talk, by Jenn Strater I really enjoyed learning about the various options available for making sure you have proper documentation for your REST APIs. She showed several examples of using Asciidoctor to generate documentation snippets. I had never seen that approach of using tests to ensure documentation was written before. I would love to see something similar for Android libraries perhaps.

Learning about Spring REST Docs with @codeJENNerator, documenting your API. #gr8conf pic.twitter.com/G4HpAflFxb

— Annyce Davis (@brwngrldev) July 28, 2016

I also really enjoyed the information shared during the “Feeling Groovy” talk. Ken Kousen brought up several compelling points about the perception vs. reality of the Groovy ecosystem. Specifically he spoke on how some perceive Groovy as being “in trouble”, yet it’s an extremely stable language backed by a very engaged community. He also showed several examples of how Groovy as a language shines in comparison to Java. The talk ended with a rallying cry for those in the community to share their positive experiences with others. It was truly well done!

Further, it was really great to meet people in real life that I only knew from Twitter, like Ken and Jenn.

.@devlifehax I got to finally meet @kenkousen and you’ll be happy to know we left our capes at home 😉 #gr8conf pic.twitter.com/yp8sAjMz9K

— Annyce Davis (@brwngrldev) July 29, 2016

This was my first time giving two talks at one conference. It was a little stressful, I admit, but I’m glad I stepped up to the challenge and had the opportunity to meet such friendly, interesting people.

Make sure you subscribe to my newsletter to keep up with my Speaking Adventures. Until next time…

Talk: From Grails to Android

July 28, 2016 by Annyce Davis Leave a Comment

One of the key new features of Grails 3 is the use of Gradle for its build system. The Android Framework also uses the Gradle build system to build, test, run and package applications. In this talk, learn how to move from developing applications for Grails 3 to Android.

It covers:

Project Structure Similarities
Use of Gradle Commands
User Interface: GSP Pages vs. Android Layout XML Files
Dependency Injection: Spring vs. Dagger

Resources

If you would like to view some of my Android related video content, I encourage you to check out my video course and bite-sized tutorials available on Caster.io.

Grails: 6 Must Read Security Tips

December 5, 2014 by Annyce Davis Leave a Comment

Courtesy: Yuri Samoilov, Flickr

Grails comes packaged with several application security gems. However, by default some of these features are not enabled. This is especially the case in older versions (2.2.x) of the Framework.

In this blog post I will review six features that can help support your efforts to protect your application. If you have access to +lynda.com, I also highly recommend the Web Security course by +Kevin Skoglund.

Security Tips:

Define allowed request types for all actions
Explicitly specify domain properties to be updated
Turn on HTML encoding by default (older versions)
Define constraints for each field of a domain
Use named or positional parameters in queries
Use the Spring Security Plugin

Tip #1: Define allowed request types for all actions

By default when you create a new controller in Grails, only the save, update, and delete methods have the allowed request type defined. You want to extend this map to include all of the methods in your controller so that you establish expectations for request methods. If someone attempts to access a method through another request type they may be trying to bypass your security.

Tip #2: Specify domain properties to be updated

Most examples in the documentation show Grails domain objects being updated by setting the parameter map to the properties of the object. This can pose a security risk because you are allowing any parameters that match fields in the domain class to be updated; even if those fields were not present in your gsp page. A better approach would be to explicitly specify which fields of the domain object you want to allow the user to update.

Do this:

def save() {
    def b = Book.get(params.id)
    b.properties['title', 'numPages'] = params
    b.save()
}

Not this:

def save() {
    def b = Book.get(params.id)
    b.properties = params
    b.save()
}

Tip #3: Turn on HTML Encoding by default

This tip applies to older versions of Grails (< 2.3.x), the newer versions already ship with HTML encoding enabled. By doing this you help to protect your app against Cross-Site-Scripting Attacks (XSS). In your Config.groovy file locate this line:

grails.views.default.codec='none'

Then change it to:

grails.views.default.codec='html'

Tip #4: Define constraints for each field of a domain

I know this may seem obvious, but making sure you have the appropriate constraints defined will help protect your database. For example, if you are storing a US zip code in your database; you wouldn’t accept values that do not equal 5 characters. Further, you wouldn’t accept a negative value would you? Of course not, so by having the constraints in place you avoid having to go back and clean up data later. This is just one more layer of protection.

Tip #5: Use named or positional parameters in queries

This helps to protect your app from SQL Injection attempts. That’s where a nefarious person will attempt to gain access to information in your database that they have no rights to. Or they could possibly update/delete tables using this method. There is tons of delightful reading on the subject on the OWASP site.

Tip #6: Use the Spring Security Plugin

The Spring Security Plugin comes with several components that make your application inherently more secure. By default it protects your request URLS, has very robust password encryption, a very flexible system for defining user roles and configuring access to resources. I have used it on several projects and personally recommend it to help secure your application.

I hope you will find these six tips useful and please comment on other things that you have done to secure your Grails applications.

Resources:

Grails: Functional Testing with Geb and Spock

April 1, 2014 by Annyce Davis Leave a Comment

Functional testing allows you to execute HTTP requests against your running application and verify if it’s performing the desired behavior.

Since Grails doesn’t ship with any direct support for functional testing (using Grails 2.2.4) I decided to use a common configuration of Geb with Spock for my testing needs. My configuration files are included below. I had to modify BuildConfig.groovy and then include a separate configuration file for Geb.

BuildConfig.groovy

    repositories {
       mavenRepo "http://mvnrepository.com/artifact/org.seleniumhq.selenium/selenium-support"
    }

    def gebVersion = "0.9.2"
    def seleniumVersion = "2.35.0"

    dependencies {
        test "org.seleniumhq.selenium:selenium-chrome-driver:$seleniumVersion"
        test "org.spockframework:spock-grails-support:0.7-groovy-2.0"
        test "org.gebish:geb-spock:$gebVersion"
        test "org.seleniumhq.selenium:selenium-support:2.40.0"
    }

    plugins {
        test ":geb:$gebVersion"
        test (":spock:0.7") {
            exclude "spock-grails-support"
        }
    }

The tests and config files are stored in the test/functional folder of the main application. In the primary functional folder you can place your GebConfig.groovy file. There are various configuration options available to you. I prefer to use a very simple version, consisting of the following:

GebConfig.groovy

import org.openqa.selenium.chrome.ChromeDriver

reportsDir = "target/geb-reports"
driver = { new ChromeDriver() }

You will also need to install the ChromeDriver. Info available here.

Once that’s done, you should define some Geb Pages that represent the corresponding gsp pages in your application. I typically define three key components: the url, the at closure, and the content closure. These elements will be used in your Spock Specification to navigate to the desired page in your application, verify that you are at the correct page and then interact with elements on the page that you define in the content closure.

Sample Page

import geb.Page

class LoginPage extends Page {

    static url = "login/auth"

    static at = { title == "Login" }

    static content = {
        loginForm { $("#loginForm") }
        loginButton { $("#loginButton") }
        registerLink { $("a[href*='register/index']") }
    }
}

Sample Spec

import geb.spock.GebReportingSpec
import spock.lang.Stepwise

@Stepwise
class LoginSpec extends GebReportingSpec {

    def "invalid login"() {
        given: "I am at the login page"
        to LoginPage

        when: "I am entering invalid password"
        loginForm.j_username = "[email protected]"
        loginForm.j_password = "ioguffwf"
        loginButton.click()

        then: "I am being redirected to the login page"
        at LoginPage
        !loginForm.j_username
        !loginForm.j_password
    }

    def "admin login"() {
        given : "I am at the login page"
        to LoginPage

        when: "I am entering valid username and password"
        loginForm.j_username = "[email protected]"
        loginForm.j_password = "me"
        loginButton.click()

        then: "I am being redirected to the homepage"
        at HomePage
    }
}

Spock specifications are very simple to read and should be written in such a way that it’s very clear what you are attempting to test and verify. In this case, the LoginSpec, the specification has only two methods which are executed in order. The first makes sure that when a user enters invalid login credentials they are redirected back to the log in page. The second verifies that they are taken to the HomePage when the login succeeds.

In order to run your functional tests you can use the following commands:

grails test-app functional: -https
grails test-app -clean functional: LoginSpec -https

I add the -https flag because my application has support for https and I want to be able to test that functionality as well.

Happy testing!