Grails: 6 Must Read Security Tips

Grails comes packaged with several application security features. However, some of them are not enabled by default, and this is especially the case in older versions (2.2.x) of the framework.

In this blog post I will review six features that can help support your efforts to protect your application. If you have access to it, I also highly recommend the Web Security course by Kevin Skoglund.

Security Tips:

  1. Define allowed request types for all actions
  2. Explicitly specify domain properties to be updated
  3. Turn on HTML encoding by default (older versions)
  4. Define constraints for each field of a domain
  5. Use named or positional parameters in queries
  6. Use the Spring Security Plugin

Tip #1: Define allowed request types for all actions

When you generate a controller in Grails, the static allowedMethods map covers only the save, update and delete actions. Extend that map to every action in the controller so that each one accepts only the HTTP method you expect; Grails answers a request that uses any other method with 405 Method Not Allowed before the action body runs. A request that reaches a state-changing action with an unexpected method (a GET link that points at delete, for example) is a sign that someone is probing for a way around your controls.
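The following is an added example, not code from the original post: a Grails 2.x controller whose allowedMethods map names a verb for every action rather than only save, update and delete. Book, title and numPages are the names used in the post; BookController, its other actions and the view names are illustrative.

```groovy
// Added example (not from the original post). Grails 2.x controller that
// declares an HTTP method for every action. Book/title/numPages come from the
// post; the remaining names are assumptions for illustration.
class BookController {

    // The scaffolded controller lists only save/update/delete here. With every
    // action listed, a request that arrives with the wrong verb is answered
    // with HTTP 405 before the action body runs.
    static allowedMethods = [
        index:  'GET',
        show:   'GET',
        create: 'GET',
        edit:   'GET',
        save:   'POST',
        update: ['POST', 'PUT'],     // a list permits more than one verb
        delete: ['POST', 'DELETE']
    ]

    def index() {
        [bookList: Book.list(params), bookTotal: Book.count()]
    }

    def show() {
        def book = Book.get(params.id)
        if (!book) { render(status: 404); return }
        [book: book]
    }

    def create() {
        [book: new Book()]
    }

    def save() {
        // allowedMethods checks the verb, not who sent the request. withForm
        // adds a one-time token check (the GSP form needs useToken="true") so a
        // POST forged from another site is rejected as well.
        withForm {
            def book = new Book(title: params.title, numPages: params.int('numPages'))
            if (!book.save()) {
                render(view: 'create', model: [book: book])
                return
            }
            redirect(action: 'show', id: book.id)
        }.invalidToken {
            render(status: 403, text: 'Form token missing or already used')
        }
    }

    def edit() {
        def book = Book.get(params.id)
        if (!book) { render(status: 404); return }
        [book: book]
    }

    def update() {
        def book = Book.get(params.id)
        if (!book) { render(status: 404); return }
        book.title    = params.title
        book.numPages = params.int('numPages')
        if (!book.save()) {
            render(view: 'edit', model: [book: book])
            return
        }
        redirect(action: 'show', id: book.id)
    }

    def delete() {
        def book = Book.get(params.id)
        if (!book) { render(status: 404); return }
        book.delete()
        redirect(action: 'index')
    }
}
```

A quick way to check the map is complete: every `def name()` in the controller should appear as a key in allowedMethods, and a `curl -X GET` against save, update or delete should come back with a 405.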

Tip #2: Specify domain properties to be updated

Most examples in the documentation update a Grails domain object by assigning the whole request parameter map to the object's properties. This is a mass-assignment risk: every request parameter whose name matches a field of the domain class is bound, including fields that your GSP page never rendered, so a user who adds an extra parameter to the request can change data you did not intend to expose. A better approach is to list explicitly which fields of the domain object the user is allowed to update.

Do this:

    def save() {
        def b = Book.get(params.id)                 // load the record to update
        b.properties['title', 'numPages'] = params  // bind only these two fields
    }

Not this:

    def save() {
        def b = Book.get(params.id)
        b.properties = params                       // binds every matching field
    }
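As an added example (not code from the original post), here is the mass-assignment problem end to end in a Grails 2.x controller, with the vulnerable action beside a hardened one and the alternative whitelisting mechanisms Grails offers. Book, title and numPages come from the post; the price and approved fields, BookController and the view names are assumptions for illustration.

```groovy
// Added example (not from the original post): mass assignment in Grails 2.x
// and three ways to limit which properties a request can bind. Book/title/
// numPages come from the post; price and approved are illustrative fields.
class Book {
    String     title
    Integer    numPages
    BigDecimal price            // set by staff only
    Boolean    approved = false // set by a moderator, never by the submitter

    static constraints = {
        title blank: false
        numPages min: 1
        price min: 0.0
        // Option 3: the bindable constraint (Grails 2.0.2+) switches off
        // request binding for this field however params are applied.
        approved bindable: false
    }
}

class BookController {

    static allowedMethods = [updateUnsafe: 'POST', update: 'POST']

    // VULNERABLE: the edit form renders only title and numPages, but a request
    // body of  title=X&numPages=10&price=0  also zeroes the price, because
    // every parameter whose name matches a property is bound.
    def updateUnsafe() {
        def b = Book.get(params.id)
        b.properties = params
        b.save()
        redirect(action: 'show', id: b.id)
    }

    // SAFE: only the named properties are bound; an extra price parameter is
    // silently ignored.
    def update() {
        def b = Book.get(params.id)
        if (!b) {
            render(status: 404)
            return
        }
        // Option 1: subscript assignment on .properties
        b.properties['title', 'numPages'] = params
        // Option 2 (equivalent): the controller's bindData() helper with an
        // include list:
        //   bindData(b, params, [include: ['title', 'numPages']])
        if (!b.save()) {
            render(view: 'edit', model: [book: b])
            return
        }
        redirect(action: 'show', id: b.id)
    }
}
```

The include list belongs in the controller because it is the controller that knows which form the request came from; `bindable: false` is the right tool for a field that no request should ever set, whatever the action.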

Tip #3: Turn on HTML encoding by default

This tip applies to older versions of Grails (before 2.3.x); newer versions already ship with HTML encoding of GSP expressions enabled. Encoding output by default helps protect your app against cross-site scripting (XSS): user-supplied text that contains markup is rendered as text instead of being interpreted by the browser. In your Config.groovy file, locate the line that sets the default codec for GSP output and change it from no encoding to HTML encoding.
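The Config.groovy fragment below is an added example, not the original post's listing: the weak setting that Grails 2.2.x generated, the corrected line, and the per-part codec block that Grails 2.3 and later use for the same purpose. The setting names are the real Grails configuration keys; the example template expression at the end is illustrative.

```groovy
// Added example (not from the original post): Config.groovy codec settings.

// Grails 2.2.x: the generated Config.groovy sets the default codec for
// ${...} expressions in GSPs to none, i.e. raw output.
//
//   grails.views.default.codec = "none"   // none, html, base64
//
// Change it so every expression is HTML-escaped unless you opt out:
grails.views.default.codec = "html"

// Grails 2.3 and later (already the default there): codecs per template part
grails {
    views {
        gsp {
            encoding = 'UTF-8'
            codecs {
                expression  = 'html'   // ${...} output is escaped
                scriptlet   = 'html'   // <%= %> output is escaped
                taglib      = 'none'   // tag libraries encode their own output
                staticparts = 'none'   // literal template text is left alone
            }
        }
    }
}

// Effect in a GSP once the codec is html (illustrative):
//   <p>${book.title}</p>
// with title = <script>alert(1)</script> renders the literal text
//   &lt;script&gt;alert(1)&lt;/script&gt;
// To emit HTML you trust on purpose, opt out explicitly for that one value
// (Grails 2.3+): ${raw(book.descriptionHtml)}
```

After changing the setting, grep the views for `encodeAsHTML()` calls: with the default codec set to html they now double-encode, and `&amp;lt;` showing up in pages is the usual symptom.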

Tip #4: Define constraints for each field of a domain

I know this may seem obvious, but making sure you have the appropriate constraints defined helps protect your database. For example, if you store a US ZIP code, you would not accept a value that is not exactly five digits, and for a count such as the number of pages you would not accept zero or a negative value. With the constraints in place, Grails rejects such values when the object is validated or saved, and you avoid having to go back and clean the data up later. Constraints describe what shape the data must have, not who may change it, so they are one more layer of protection rather than a substitute for access control.
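As an added example (not from the original post), here are two Grails 2.x domain classes with a constraint on every persistent field, including the ZIP code and page-count cases described above, and a small service method that reports which fields fail. Book, title and numPages are from the post; Publisher, zip, price and CatalogService are illustrative names.

```groovy
// Added example (not from the original post): Grails 2.x domain constraints.
// Book/title/numPages come from the post; Publisher, zip, price and
// CatalogService are illustrative.
class Publisher {
    String name
    String zip     // US ZIP code

    static constraints = {
        name blank: false, maxSize: 100
        // matches uses a full-string match, so exactly five digits:
        // "1234", "123456", "12a45" and "-1234" are all rejected.
        zip matches: /\d{5}/
    }
}

class Book {
    String     title
    Integer    numPages
    BigDecimal price
    Publisher  publisher

    static constraints = {
        title blank: false, maxSize: 255   // maxSize also sizes the DB column
        numPages min: 1, max: 20000        // no zero or negative page counts
        price min: 0.0, scale: 2
        publisher nullable: false
    }
}

class CatalogService {

    // Runs validation and returns the names of the fields that failed
    // (empty when the object is valid). Useful in tests and in log lines.
    List<String> validationProblems(Book book) {
        book.validate()
        book.errors.fieldErrors*.field
    }

    // Example of what the constraints catch: with a negative page count the
    // save fails and numPages is reported; the row is never written.
    boolean addBook(String title, Integer numPages, BigDecimal price, Publisher p) {
        def book = new Book(title: title, numPages: numPages, price: price, publisher: p)
        if (!book.save()) {
            log.warn "rejected book: ${validationProblems(book)}"
            return false
        }
        true
    }
}
```

One caveat worth checking in code review: `save(validate: false)` and direct HQL or SQL updates bypass these constraints entirely, so the database schema (NOT NULL, column length) remains the last line of defence.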

Tip #5: Use named or positional parameters in queries

This helps to protect your app from SQL injection, and from HQL injection, which works the same way against Grails' own query methods: an attacker supplies a value that changes the structure of a query built from strings, and uses it to read data they have no right to, or to update or delete rows in tables they should not touch. Binding the value through a named or positional parameter keeps it as data, separate from the query text. There is extensive reading on the subject on the OWASP site.
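The service below is an added example, not code from the original post. It puts a string-built HQL query beside the named and positional forms the tip recommends, shows that dynamic finders and groovy.sql.Sql bind parameters too, and covers the one case parameters cannot handle: identifiers such as a sort column. Book and title come from the post; BookSearchService and the method names are illustrative.

```groovy
// Added example (not from the original post): parameter binding in Grails 2.x
// queries. Book/title come from the post; BookSearchService is illustrative.
class BookSearchService {

    def dataSource   // injected by Grails

    // VULNERABLE: the user value becomes part of the HQL text. A title of
    //   x' or '1'='1
    // returns every row, and other payloads can reach other entities.
    List<Book> findByTitleUnsafe(String title) {
        Book.findAll("from Book as b where b.title = '" + title + "'")
    }

    // SAFE: named parameter. The value travels separately from the query
    // text, so quotes inside it are just characters in a string.
    List<Book> findByTitle(String title) {
        Book.findAll("from Book as b where b.title = :title", [title: title])
    }

    // SAFE: positional parameter, same guarantee.
    List<Book> findByTitlePositional(String title) {
        Book.findAll("from Book as b where b.title = ?", [title])
    }

    // Dynamic finders, criteria and where-queries build bound queries for you.
    List<Book> findByTitleFinder(String title) {
        Book.findAllByTitle(title)
    }

    // Raw JDBC through groovy.sql.Sql is also bound when the values are
    // passed as a list rather than interpolated into the string.
    List rawSearch(String title) {
        new groovy.sql.Sql(dataSource).rows(
            'select id, title from book where title = ?', [title])
    }

    // Identifiers (column names, table names, ASC/DESC) cannot be bound as
    // parameters, so they must be checked against a fixed list instead.
    private static final List<String> SORTABLE = ['title', 'numPages']

    List<Book> listSorted(String sortField) {
        String col = SORTABLE.contains(sortField) ? sortField : 'title'
        // col is one of two constants here, never user-supplied text
        Book.findAll("from Book as b order by b.${col}".toString())
    }
}
```

A quick regression test for this class is to call each finder with the payload shown in the comment and assert that only `findByTitleUnsafe` returns more than zero rows.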

Tip #6: Use the Spring Security Plugin

The Spring Security plugin comes with several components that make your application more secure out of the box. It protects your request URLs, stores passwords as salted hashes rather than in a recoverable form, and provides a flexible system for defining user roles and configuring access to resources. I have used it on several projects and personally recommend it to help secure your application.
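The listing below is an added example, not configuration from the original post: the pieces of a Spring Security Core setup on Grails 2.3 that deliver the three things the tip names (URL protection, password hashing, roles). The plugin version, the com.example package, the BookController and the URL rules are assumptions; the configuration keys and the User domain pattern are the ones the plugin's s2-quickstart script generates.

```groovy
// Added example (not from the original post). Spring Security Core on Grails
// 2.3; plugin version, package name, BookController and the URL rules are
// assumptions for illustration.

// ---- grails-app/conf/BuildConfig.groovy ----
plugins {
    compile ':spring-security-core:2.0.0'
}

// ---- grails-app/conf/Config.groovy ----
// (after running: grails s2-quickstart com.example User Role)
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.example.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.example.UserRole'
grails.plugin.springsecurity.authority.className = 'com.example.Role'

// Stored passwords are bcrypt hashes with a per-user salt, never plaintext.
grails.plugin.springsecurity.password.algorithm = 'bcrypt'
grails.plugin.springsecurity.password.bcrypt.logrounds = 12

// Deny by default: a URL with no matching rule is rejected instead of served.
grails.plugin.springsecurity.rejectIfNoRule = true
grails.plugin.springsecurity.fii.rejectPublicInvocations = false

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':              ['permitAll'],
    '/index':         ['permitAll'],
    '/index.gsp':     ['permitAll'],
    '/assets/**':     ['permitAll'],
    '/**/js/**':      ['permitAll'],
    '/**/css/**':     ['permitAll'],
    '/**/images/**':  ['permitAll'],
    '/login/**':      ['permitAll'],
    '/logout/**':     ['permitAll'],
    '/book/**':       ['ROLE_USER'],
    '/admin/**':      ['ROLE_ADMIN']
]

// ---- grails-app/controllers/com/example/BookController.groovy ----
// Annotations refine the URL rules per action: any signed-in user may read,
// only an admin may delete.
import grails.plugin.springsecurity.annotation.Secured

@Secured(['ROLE_USER'])
class BookController {
    static allowedMethods = [delete: 'POST']

    def index() {
        [bookList: Book.list(params)]
    }

    @Secured(['ROLE_ADMIN'])
    def delete() {
        Book.get(params.id)?.delete()
        redirect(action: 'index')
    }
}

// ---- grails-app/domain/com/example/User.groovy (generated) ----
// The hash is applied before the row is written, so the plaintext never
// reaches the database.
class User {
    transient springSecurityService
    String username
    String password
    boolean enabled = true

    def beforeInsert() { encodePassword() }
    def beforeUpdate() { if (isDirty('password')) encodePassword() }

    protected void encodePassword() {
        password = springSecurityService?.passwordEncoder ?
            springSecurityService.encodePassword(password) : password
    }
}
```

With `rejectIfNoRule` set, forgetting to add a rule for a new controller shows up as a denied request during development instead of as an open endpoint in production, which is the behaviour you want.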

I hope you will find these six tips useful and please comment on other things that you have done to secure your Grails applications.