Introduction
This article examines security related Grails-specific techniques of web application development for application users of hand-held devices such as mobiles and tablets.
Assumption: The article assumes that the end-users would access these applications using mobile web browsers that can render HTML and HTML5, JavaScript code in the web browser container. Native mobile application interfaces are expected to work equally well when they are designed to access the business logic using server side components in the Grails platform using loosely-coupled interfaces such as end-user views based on REST API calls.
The principles and best practices of secure web application using Grails (please refer to article on web security and Grails) apply regardless of end-users using the application on either desktop or handheld interfaces, or both.
Technical Approaches
When it comes to securing users and users' data in web applications, Grails makes it easier and convenient to design server side business logic using the built-in approaches based on the rapid application development platform.
Controller Interceptors
Controller interceptor are essentially controller class action interceptor closure method that can provide security related safety nets before executing actual controller action bound to the URL. It can also be a map of specific interceptor method reference and conditions such as; which controller action to skip or which action to apply.
For example, if a bookmarked URL is insecurely accessed, either by unauthenticated but valid user, or by an invalid user, the controller behind the URL action can be intercepted to route the user to a login page or register first page.
defbeforeInterceptor = [action: this.&authorize, except: 'login']
private authorize() {
if (!session.user) { redirect(action: 'login') return false }
}
def login() { // show login view }
Grails Filters
Interceptors are simple to user and works well but is quite unwieldy for large applications as this works on a single controller class basis and also involves adding interceptor code to controller classes. A better approach is to decouple the security filter code in separate classes that applies to controller actions, controller and URLs.
In Grails, filters are defined in filter classes using design by convention technique. These filters can be used for enforcing security in accessing features exposed as controller actions. Filter classes are defined with name that ends with Filters as per Grails convention over code philosophy.
The filter definition is pretty comprehensive and includes other parameters as well that can be optionally defined (Please refer to Grails documentation for more details).
Within the body of the filter, one can also filter types as follows:
•Before - Executed before the action. Return false to indicate that the response has been handled that all future filters and the action should not execute, which is handy for business security rules.
•After - Executed after an action is executed within a controller
•AfterView - Executed after view rendering. Takes an Exception as an argument which will be non-null if an exception occurs during processing.
An example, below is a security filter class that has several filters defined for a finance web application:
classSecureAccessFilters {
def filters = {
SecurityFilter(controller:'AccountManagement', action:'*') {
before = {
if (!session.user&&!actionName.equals('login')) {
redirect(action: 'login')
return false
}
}
}
}
Advanced Security Implementation Approaches
The above approaches are for simple security measures which may suffice for many simple applications. If one needs enhanced security measures such as role-based authorization, authentication, data security; Grails allows one to include sophisticated security features using Grails plugins. Spring Security and Apache Shiro are most popular in this space.
They provide similar features and differ only in the ease of implementation and cost of implementation. Spring security Grails plugin has a Core plugin which supports form-based authentication, encrypted/salted passwords, HTTP Basic authentication, etc., and can support secondary dependent plugins that provide alternate functionality such as OpenID authentication, ACL support, single sign-on with Jasig CAS, LDAP authentication, Kerberos authentication, and a plugin providing user interface extensions and security workflows.
Summary
We looked at various approaches to securing web applications accessible in desktop computers, mobile devices such as mobile phones, smart phones and tablet PCs.
For the last 8 years, Sigma Infosolutions Grails Development team is using this innovative open source web-application platform that offers new levels of productivity. Sigma Infosolutions' Grails Development team seamlessly integrates with your existing processes and work flows to work with data as non-intrusively as possible. We use agile methodologies and develop high quality, easy to use applications in small time that meets every user's expectations and requirements.
Besides Grails, Sigma Infoslolutions' also has expertise in technologies like Spring, Struts, Hibernate, JSP/Servlets, Java Beans (EJB), AWT/Swing and many more.
Call today at 1-888-861-7360 or write us at sales@sigmainfo.net to discuss your Application Development requirement.