
Programming Grails

By Burt Beckwith. Published by O'Reilly Media, Inc.
  1. Special Upgrade Offer
  2. Preface
    1. Who This Book Is For
    2. Other Resources
    3. Conventions Used in This Book
    4. Using Code Examples
    5. Safari® Books Online
    6. How to Contact Us
    7. Acknowledgments
  3. Chapter 1. Introduction to Groovy
    1. Installing Groovy
      1. Groovy Console
    2. Optional Typing
    3. Collections and Maps
    4. Properties
      1. Using the AST Browser
      2. Decompiling with JD-GUI
      3. Decompiling with javap
    5. Closures
      1. Interface Coercion
      2. Programmatic Closures
      3. Owner, Delegate, and this
    6. Groovy’s Contributions in the War Against Verbosity
      1. Constructors
      2. Checked Exceptions
      3. Groovy Truth
      4. Semicolons
      5. Optional Return
      6. Scope
      7. Parentheses
      8. Default Imports
    7. Differences Between Java and Groovy
      1. Array Initialization
      2. in and def Keywords
      3. do/while Loops
      4. for Loops
      5. Annotations
      6. Groovy Equality
      7. Multimethod Dispatch
    8. Groovy Strings
    9. Static this
    10. The Groovy JDK (GDK)
      1. DefaultGroovyMethods and InvokerHelper
    11. Metaprogramming and the MOP
    12. Adding Methods
      1. Intercepting Method Calls
    13. Operators
      1. Null-Safe Dereference
      2. Elvis
      3. Spread
      4. Spaceship
      5. Field Access
      6. as
      7. in
      8. Method Reference
    14. Overload Your Operators
      1. Being Too Groovy
    15. def Considered Harmful
    16. Closures Versus Methods
    17. TypeChecked, CompileStatic, and invokedynamic
  4. Chapter 2. Grails Internals
    1. Installing Grails
      1. Creating an Application
    2. The Grails Command Line
    3. IDE Support
    4. Plugins
      1. Optional Plugins
      2. Core Plugins
    5. Conventions
      1. Controller and View Conventions
      2. Service Conventions
      3. Domain Class Conventions
    6. More Information
  5. Chapter 3. Persistence
    1. Data Mapping
      1. Nonpersistent Domain Classes
    2. Data Validation
      1. Custom Validation
      2. Extreme Custom Validation
      3. Validation Plugins
      4. Friendly Error Messages
      5. Blanks Versus Nulls
    3. Transients
    4. Mapping Collections
    5. Querying
    6. Saving, Updating, and Deleting
    7. NoSQL Support
  6. Chapter 4. Spring
    1. Inversion of Control and Dependency Injection
      1. Complex Dependency Configuration Using Spring SpEL
      2. Manually Injecting Dependencies at Runtime
    2. Bean Scopes
    3. Transactional Services
      1. @Transactional
      2. Transaction Proxies
      3. Transaction Utility Methods
    4. Bean Life Cycles and Interfaces
    5. Bean Postprocessors
      1. A Groovier Way
    6. Bean Aliases
    7. Internationalization
    8. Resources
      1. Resource Dependency Injection
      2. ResourceLocator
    9. Data Binding and Validation
      1. Data Binding
      2. Validation
    10. Database Persistence
      1. Thread-Local Holders
      2. JdbcTemplate
      3. Other Database Support
    11. Spring MVC
      1. Filters
      2. Using Spring MVC Controllers
    12. Remoting
      1. Client Access
    13. JMS
    14. EJBs
    15. JMX
    16. Email
    17. Cache Abstraction
  7. Chapter 5. Hibernate
    1. Mapping Domain Classes
    2. Dialects
      1. Dialect Autodetection
      2. Dialect Customization
    3. Hibernate Without GORM
      1. hibernate.cfg.xml
      2. HibernateUtil
      3. Author
      4. Book
      5. Experimenting with the APIs
    4. The Session
      1. withSession
      2. withNewSession
    5. Open Session in View
      1. Disabling OSIV
    6. Custom User Types
    7. Optimistic and Pessimistic Locking
    8. Accessing the Session’s Connection
    9. schema-export
    10. SQL Logging
    11. Proxies
      1. equals, hashCode, and compareTo
    12. Caching
      1. Examples
      2. Caching API
      3. Query Caching Considered Harmful?
    13. HQL
      1. executeQuery
      2. Query Syntax
      3. Report Queries
      4. Aggregate Functions
      5. Expressions
      6. Collections
    14. Collections Performance
      1. The Solution
    15. Session.createFilter()
    16. Custom Configurations
    17. Mapping Views and Subselect Classes
      1. Subselect Domain Classes
      2. Selecting with a POGO
    18. get(), load(), and read()
      1. get()
      2. load()
      3. read()
    19. Performance
      1. Caching
      2. Lazy Loading
      3. Transactional Write-Behind
  8. Chapter 6. Integration
    1. JMS
      1. XA Support with the Atomikos Plugin
    2. Mail
      1. Sending Email
      2. Sending Email Asynchronously
      3. Sending Email from Log4j
      4. Testing
    3. SOAP Web Services
      1. The Server Application
      2. The Client Application
      3. TCPMon
    4. REST
      1. TCPMon
    5. JMX
  9. Chapter 7. Configuration
    1. External config Files
      1. Loading the Configuration
      2. Partitioning Config Files
    2. Splitting resources.groovy
    3. Modularizing Within resources.groovy
    4. Environment-Specific Spring Beans
      1. Beans Closures in Config.groovy
    5. Options for BuildConfig.groovy
    6. Adding Additional Source Folders
      1. Extra Folders Under grails-app
  10. Chapter 8. Plugins
    1. Creating a Plugin
      1. Initial Steps
    2. The Plugin Descriptor
      1. Metadata
      2. Life Cycle Callbacks
    3. Splitting Applications into Plugins
      1. Inline Plugins
    4. Building and Releasing
      1. Automated Testing
    5. Running the Tests
    6. Custom Plugin Repositories
    7. Plugin Documentation
    8. Custom Artifacts
    9. Some Notes on Plugin Development Workflow
  11. Chapter 9. Security
    1. OWASP
      1. A1: Injection
      2. A2: Cross-Site Scripting (XSS)
      3. A3: Broken Authentication and Session Management
      4. A4: Insecure Direct Object References
      5. A5: Cross-Site Request Forgery
      6. A6: Security Misconfiguration
      7. A7: Insecure Cryptographic Storage
      8. A8: Failure to Restrict URL Access
      9. A9: Insufficient Transport Layer Protection
      10. A10: Unvalidated Redirects and Forwards
    2. Security Plugins
      1. spring-security-core
    3. Other Plugins and Libraries
      1. AntiSamy
      2. ESAPI
      3. HDIV
    4. General Best Practices
  12. Chapter 10. The Cloud
    1. Cost Savings
    2. What You Give Up
    3. Cloud Foundry
      1. Database Applications
      2. Scaling
      3. NoSQL, RabbitMQ, and Searchable
      4. Monitoring and the Cloud Foundry UI Plugin
    4. Heroku
      1. Database Applications
      2. Scaling
      3. Build Packs
    5. Other Providers
    6. Other Uses for Cloud Services
  13. Chapter 11. AOP
    1. Grails Filters
    2. HTTP Filters
    3. Groovy AOP
      1. Registering Metaclass Interceptors
      2. Error Code URL Mappings
    4. Spring AOP
      1. Enabling Spring AOP
      2. Defining AspectJ-Annotated Aspects
      3. Compile-Time Weaving
  14. Chapter 12. Upgrading Applications and Plugins
    1. Why Doesn’t the Upgrade Script Do More?
    2. A General Approach to Upgrading
      1. Upgrading Petclinic: A Case Study
    3. A Short History of Grails
      1. Grails 1.2
      2. Grails 1.2.2
      3. Grails 1.2.4
      4. Grails 1.3
      5. Grails 1.3.1
      6. Grails 1.3.2
      7. Grails 1.3.4
      8. Grails 1.3.6
      9. Grails 1.3.7
      10. Grails 1.3.8
      11. Grails 1.3.9
      12. Grails 2.0
      13. Grails 2.0.2
      14. Grails 2.1.x
      15. Grails 2.2.x
    4. Notes on Upgrading
  15. Index
  16. About the Author
  17. Colophon
  18. Special Upgrade Offer
  19. Copyright

Chapter 9. Security

The purpose of this chapter is to scare you. You are most likely not doing enough to secure your application and your user data, and running a risk of an embarrassing security breach that could gain you a lot of unwanted attention. In Hollywood, they say that all publicity is good publicity, because whether it’s good or bad, it gets people thinking about you. But for websites, this is far less true; users need to trust your site, and if you violate that trust, they will find an alternative. I often joke at conferences when I talk about security that you want to end up on Slashdot because you are awesome, not because you got hacked.

Please note that this is a very cursory discussion of an important topic, and you should make it a priority that at least someone on your team is knowledgeable about security best practices.

OWASP

The Open Web Application Security Project (OWASP) is an organization that collects web application security information and publishes a list of its top 10 highest-priority security risks for web apps; this list is updated every three years, and the most recent is from 2010. Grails does help mitigate some of the risks by default, and using a security plugin helps with others, but it’s important to be aware of the risks and to be security conscious.

A1: Injection

SQL injection is the most common type of injection attack, and Grails applications are largely immune to these, but not entirely. An SQL injection attack typically consists of tricking ...
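As an added example (not code from the book), the Grails service below shows the one place where GORM code does let user input alter a query, HQL built by string concatenation, next to the parameterized forms that Grails developers normally use. It assumes a Grails application with a Book domain class that has a String title property; the class and method names are hypothetical.

```groovy
package com.example

import groovy.sql.GroovyRowResult
import groovy.sql.Sql

// Added example, not code from the book. Assumes a Grails application
// with a Book domain class that has a String 'title' property.
class BookSearchService {

    def dataSource   // injected by Grails (the application's JDBC DataSource)

    // UNSAFE: the user-supplied value is spliced into the HQL text, so a
    // quote character in it ends the literal and the remainder is parsed as
    // part of the query. This is the "not entirely immune" case.
    List<Book> findByTitleUnsafe(String title) {
        Book.executeQuery("from Book b where b.title = '" + title + "'")
    }

    // SAFE: positional parameter; Hibernate binds the value, which is never
    // parsed as query text.
    List<Book> findByTitlePositional(String title) {
        Book.executeQuery("from Book b where b.title = ?", [title])
    }

    // SAFE: named parameter, same protection with clearer intent.
    List<Book> findByTitleNamed(String title) {
        Book.executeQuery("from Book b where b.title = :title", [title: title])
    }

    // SAFE: dynamic finders and criteria queries are always parameterized,
    // which is why most GORM code is protected without any extra effort.
    List<Book> findByTitleDynamic(String title) {
        Book.findAllByTitle(title)
    }

    List<Book> findByTitleCriteria(String title) {
        Book.withCriteria { eq 'title', title }
    }

    // SAFE: groovy.sql.Sql turns each ${} in a GString into a PreparedStatement
    // parameter. Building the same string with + would reintroduce the problem.
    List<GroovyRowResult> findByTitleSql(String title) {
        new Sql(dataSource).rows("select * from book where title = ${title}")
    }
}
```

The same distinction applies to any API that accepts a query as text (HQL, SQL, `Sql.rows`): if the value is bound as a parameter it is data, if it is concatenated into the string it is code.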
