Annyce Davis

Davis Technology Consulting

Grails: 6 Must Read Security Tips

by

Courtesy: Yuri Samoilov, Flickr

Grails comes packaged with several application security gems. However, by default some of these features are not enabled. This is especially the case in older versions (2.2.x) of the Framework. 

In this blog post I will review six features that can help support your efforts to protect your application. If you have access to +lynda.com, I also highly recommend the Web Security course by +Kevin Skoglund

Security Tips:

  1. Define allowed request types for all actions
  2. Explicitly specify domain properties to be updated
  3. Turn on HTML encoding by default (older versions)
  4. Define constraints for each field of a domain
  5. Use named or positional parameters in queries
  6. Use the Spring Security Plugin

Tip #1: Define allowed request types for all actions

By default when you create a new controller in Grails, only the save, update, and delete methods have the allowed request type defined.  You want to extend this map to include all of the methods in your controller so that you establish expectations for request methods.  If someone attempts to access a method through another request type they may be trying to bypass your security.

Tip #2: Specify domain properties to be updated

Most examples in the documentation show Grails domain objects being updated by setting the parameter map to the properties of the object.  This can pose a security risk because you are allowing any parameters that match fields in the domain class to be updated; even if those fields were not present in your gsp page.  A better approach would be to explicitly specify which fields of the domain object you want to allow the user to update.
 
Do this:
def save() {
    def b = Book.get(params.id)
    b.properties['title', 'numPages'] = params
    b.save()
}
Not this:
def save() {
    def b = Book.get(params.id)
    b.properties = params
    b.save()
}

Tip #3: Turn on HTML Encoding by default 

This tip applies to older versions of Grails (< 2.3.x), the newer versions already ship with HTML encoding enabled.  By doing this you help to protect your app against Cross-Site-Scripting Attacks (XSS). In your Config.groovy file locate this line: 
grails.views.default.codec='none'

Then change it to:

grails.views.default.codec='html'

Tip #4: Define constraints for each field of a domain

I know this may seem obvious, but making sure you have the appropriate constraints defined will help protect your database.  For example, if you are storing a US zip code in your database; you wouldn’t accept values that do not equal 5 characters.  Further, you wouldn’t accept a negative value would you?  Of course not, so by having the constraints in place you avoid having to go back and clean up data later.  This is just one more layer of protection.

Tip #5: Use named or positional parameters in queries

This helps to protect your app from SQL Injection attempts.  That’s where a nefarious person will attempt to gain access to information in your database that they have no rights to.  Or they could possibly update/delete tables using this method.  There is tons of delightful reading on the subject on the OWASP site.

Tip #6: Use the Spring Security Plugin

The Spring Security Plugin comes with several components that make your application inherently more secure.  By default it protects your request URLS, has very robust password encryption, a very flexible system for defining user roles and configuring access to resources.  I have used it on several projects and personally recommend it to help secure your application.
I hope you will find these six tips useful and please comment on other things that you have done to secure your Grails applications.

Resources:

Android: Custom Gson Deserialization

by

So here’s the scenario you have a JSON Object that contains a list of objects. Each one of the objects in the primary JSON Object also contain a list of objects. So for demonstration purposes we will use a car with a list of seats and each seat has a list of buckles (Car -> Seats -> Buckles). Completely random example, yes I know.

So if you have the use case where you don’t want to deserialize any seats that don’t have buckles this is how you can do it using a Custom GSON Deserializer.

First, this is a sample JSON response which contains the information for each car:

[{
    "description": "A nice car",
    "name": "Toyota",
    "seats": [{
        "buckles": [],
        "type": "front"
    }, {
        "buckles": ["latch", "snap"],
        "type": "front"
    }]
}]

What you will notice is that there is one Seat object that has an empty list of Buckle objects. So in that case you don’t want Gson to include that seat in the final list of seat objects.  We will use two advanced features of Gson: Exclusion Strategies and Custom Deserializer. 

Since we want to handle the “seats” array on our own we will create an Annotation that can be used by Gson to ignore the field during normal processing.

Car Class (portion):

@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.FIELD})
public @interface SkipThis {

}

@SkipThis
private List<SeatVO> seats;

Now we can proceed to exclude any field that has our custom SkipThis annotation by means of an ExclusionStrategy.

private static class SkipThisAnnotationExclusionStrategy
implements ExclusionStrategy {
    public boolean shouldSkipClass(Class clazz) {
        return clazz.getAnnotation(CarVO.SkipThis.class) != null;
    }
 
    public boolean shouldSkipField(FieldAttributes f) {
        return f.getAnnotation(CarVO.SkipThis.class) != null;
    }
}

Finally, we can proceed to create the custom deserializer that will check for the existence of items in the “buckles” array.

@Override
public CarVO deserialize(JsonElement json, Type arg1,
                         JsonDeserializationContext arg2) throws JsonParseException {
  JsonObject carsJSON = json.getAsJsonObject();
  JsonArray seatsJSON = carsJSON.getAsJsonArray("seats");
 
  Gson g = new Gson();
  CarVO carVO = g.fromJson(json, CarVO.class);
  List<SeatVO> res = new ArrayList<SeatVO>();
 
  for (JsonElement elem : seatsJSON) {
    JsonArray bucklesJSON = elem.getAsJsonObject().getAsJsonArray("buckles");
    if (!bucklesJSON.isJsonNull() && bucklesJSON.size() > 0) {
      res.add(g.fromJson(elem, SeatVO.class));
    }
  }
 
  carVO.setSeats(res);
 
  return carVO;
}

The complete code:

Android: Location Updates with the FusedLocationApi

by

If you want to retrieve the user’s location in your Android application you can take advantage of Google’s FusedLocationApi. Essentially you establish a connection to the GoogleApiClient and then set up a LocationRequest.  It’s up to you to configure the rate at which you would like to receive updates.  Here is an example of using the API:

import android.app.Activity;
import android.content.Intent;
import android.location.Location;
import android.net.Uri;
import android.os.Bundle;

import com.google.android.gms.common.ConnectionResult;
import com.google.android.gms.common.GooglePlayServicesUtil;
import com.google.android.gms.common.api.GoogleApiClient;
import com.google.android.gms.location.LocationListener;
import com.google.android.gms.location.LocationRequest;
import com.google.android.gms.location.LocationServices;

import java.util.List;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class MainActivity extends Activity implements
                                           LocationListener,
                                           GoogleApiClient.ConnectionCallbacks,
                                           GoogleApiClient.OnConnectionFailedListener {

    private static final long ONE_MIN = 1000 * 60;
    private static final long TWO_MIN = ONE_MIN * 2;
    private static final long FIVE_MIN = ONE_MIN * 5;
    private static final long POLLING_FREQ = 1000 * 30;
    private static final long FASTEST_UPDATE_FREQ = 1000 * 5;
    private static final float MIN_ACCURACY = 25.0f;
    private static final float MIN_LAST_READ_ACCURACY = 500.0f;

    private LocationRequest mLocationRequest;
    private Location mBestReading;

    private GoogleApiClient mGoogleApiClient;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        if (!servicesAvailable()) {
            finish();
        }

        setContentView(R.layout.activity_main);

        mLocationRequest = LocationRequest.create();
        mLocationRequest.setPriority(LocationRequest.PRIORITY_HIGH_ACCURACY);
        mLocationRequest.setInterval(POLLING_FREQ);
        mLocationRequest.setFastestInterval(FASTEST_UPDATE_FREQ);

        mGoogleApiClient = new GoogleApiClient.Builder(this)
                .addApi(LocationServices.API)
                .addConnectionCallbacks(this)
                .addOnConnectionFailedListener(this)
                .build();
    }

    @Override
    protected void onResume() {
        super.onResume();

        if (mGoogleApiClient != null) {
            mGoogleApiClient.connect();
        }
    }

    @Override
    protected void onPause() {
        super.onPause();

        if (mGoogleApiClient != null && mGoogleApiClient.isConnected()) {
            mGoogleApiClient.disconnect();
        }
    }

    @Override
    public void onLocationChanged(Location location) {
        // Determine whether new location is better than current best
        // estimate
        if (null == mBestReading || location.getAccuracy() < mBestReading.getAccuracy()) {
            mBestReading = location;

            if (mBestReading.getAccuracy() < MIN_ACCURACY) {
                LocationServices.FusedLocationApi.removeLocationUpdates(mGoogleApiClient, this);
            }
        }
    }

    @Override
    public void onConnected(Bundle dataBundle) {
        // Get first reading. Get additional location updates if necessary
        if (servicesAvailable()) {
            // Get best last location measurement meeting criteria
            mBestReading = bestLastKnownLocation(MIN_LAST_READ_ACCURACY, FIVE_MIN);

            if (null == mBestReading
                    || mBestReading.getAccuracy() > MIN_LAST_READ_ACCURACY
                    || mBestReading.getTime() < System.currentTimeMillis() - TWO_MIN) {

                LocationServices.FusedLocationApi.requestLocationUpdates(mGoogleApiClient, mLocationRequest, this);
                
                // Schedule a runnable to unregister location listeners
                Executors.newScheduledThreadPool(1).schedule(new Runnable() {

                    @Override
                    public void run() {
                        LocationServices.FusedLocationApi.removeLocationUpdates(mGoogleApiClient, MainActivity.this);
                    }

                }, ONE_MIN, TimeUnit.MILLISECONDS);
            }
        }
    }

    @Override
    public void onConnectionSuspended(int i) {
        
    }

    private Location bestLastKnownLocation(float minAccuracy, long minTime) {
        Location bestResult = null;
        float bestAccuracy = Float.MAX_VALUE;
        long bestTime = Long.MIN_VALUE;

        // Get the best most recent location currently available
        Location mCurrentLocation = LocationServices.FusedLocationApi.getLastLocation(mGoogleApiClient);

        if (mCurrentLocation != null) {
            float accuracy = mCurrentLocation.getAccuracy();
            long time = mCurrentLocation.getTime();

            if (accuracy < bestAccuracy) {
                bestResult = mCurrentLocation;
                bestAccuracy = accuracy;
                bestTime = time;
            }
        }

        // Return best reading or null
        if (bestAccuracy > minAccuracy || bestTime < minTime) {
            return null;
        }
        else {
            return bestResult;
        }
    }

    @Override
    public void onConnectionFailed(ConnectionResult connectionResult) {
        
    }

    private boolean servicesAvailable() {
        int resultCode = GooglePlayServicesUtil.isGooglePlayServicesAvailable(this);

        if (ConnectionResult.SUCCESS == resultCode) {
            return true;
        }
        else {
            GooglePlayServicesUtil.getErrorDialog(resultCode, this, 0).show();
            return false;
        }
    }
}

Android: Determining if a Wearable Device is Connected

by

I’m playing around with developing an application that integrates with the new Android Wear API. In my case I don’t want to perform certain actions locally if a wearable device is connected. So this is how you can detect if a device is connected. You would have this code included in the Main Activity of your primary (phone) application:

Follow Me

  • Bluesky