ColdFusion Community

The online ColdFusion / CFML community website. Getting CFML developers together

News from Coldfusion Bloggers

CFObjective Notes: How Groovy and Grails made me a better ColdFusion Developer - Scott Stroz

What is groovy?
OO language for java
dynamic language w/ similar feature set to Python and Ruby
compiled to JVM byte code
interoperates w/ other java code and libraries
-- most java code is also syntactically valid groovy
like CF script all grown up
like java if it were written today

What is Grails?
open source web app f/w
--uses Groovy
uses coding by convention paradigm
(no fuse.xml config files)
provides a full stand-alone dev environment
--- can code in Grails, have different settings, objects, etc, for different environments, and it will use those objects when you build the Dev or Production version of your app
adds persistence w/ Grails ORM (GORM)
deployed as a WAR file

How are they like ColdFusion?
Groovy is an easy way to leverage Java without having to write Java code
Both grails/groovy use script based syntax
grails uses tag based syntax in view pages
all are fun and easy to learn
...ColdFusion is all those things too

Groovy / Grails
combination of favorite things
script syntax, fw/1, orm, coldspring, mx unit, validate this
...all INCLUDED by default in Groovy / Grails

IDE
2 main options
IntelliJ IDEA
Spring Tool Suite

First, install Groovy/Grails.
there is good documentation for this, regardless of the IDE you use

Creating a Grails Project
-- uses command line
grails create-app [app name]
or in IntelliJ
quick start 'create new project' options.

IntelliJ has a "grails view"
-- shows you the stuff you need in a way that's easy to develop when doing a Grails app
-- directory structure looks different than the directory structure from the command line / windows explorer

Domain classes
your "stuff"
the objects we use to define our business model
User, UserType objects, etc.
similar to ORM in CF but they do a lot more
--- GORM is the actual engine that's used for this
by default Grails uses Hibernate for persistence, but you can swap in whatever you want (mongoDB, etc)
via use of static variables called "constraints", it sets up your validation

don't NEED semicolons but you can use them (but IntelliJ will tell me i don't need them)

Relationships -- easy to read, easier to do than CF ORM
class User
{
static hasMany = [favoriteSports : Sport]
}

depending on where you define these relationships will dictate how things cascade

constraints
static constraints = {
firstName blank: false, maxSize: 50
}
all constraints are processed at 2 different places
object.save()
object.validate()

so now in CF, a better practice would be to have the save() method call the validate() method inside it
that makes it impossible to save an object that hasn't been validated first

can write regex for your constraints too

That was all the 'model' stuff, now let's look at "controllers"...

can build from the command line
can also run the command from IntelliJ
generate-all command
creates controllers for each model in your app
full CRUD methods in your controllers
list, save, create new, etc
creates view files
can download plugins that allow you to use Bootstrap templates as your views.
creates test files
-- generated code isn't the best, but it gets you started
Grails lets you test your Controllers!

URL
http://site/user/list

same as in FW/1 or ColdBox
calls User.list() method in the controllers
uses the list.cfm file in the /views/user folder

instead of "rc" like ColdBox, in Grails you use "params"

Dynamic finders
User.findByLastName( "stroz" )
User.findByDobBetween( date1, date2 )
"findBy" is a keyword and the rest of the method is just based on a property name

Grails understands "environments"
Dev
Test
Production
can perform different actions based on environment
-- use mock services for test/dev
-- run processes to populate database in test/dev

Running the app
grails run-app (or click "play" in IntelliJ)
spins up the JVM

CAN do step-debugging!
CAN do breakpoints!

Some caveats
by default Grails "dev" and "test" env's use an "in memory" h2 database
-- this means every time you start app, you have NO DATA
-- modify DataSource.groovy to use the file based h2 database or another RDBMS

other tidbits
"return" is optional
-- whatever is returned from the last line of code, IS what the method will return (unless you specify something)
"safe navigation" operator
user?.firstName
-- if firstName is null, it won't throw an error (CF throws an error)

Elvis operator
shortcut ternary operator ?:
displayName = user.firstName ?: "None"

Classes and methods are public by default

nifty looping construct
(1..5).each{
// do stuff
}
...runs that loop 5 times

tons of plugins
-spring security
-twitter bootstrap templates
-css/js minification
-jquery
-resource management
-caching
-etc

"Groovy Truth" -- all objects can be coerced into a boolean
if( user )
...if user doesn't have any values, it returns "false"

optional parentheses
method( a, b )
same as
method a, b

Resources:
grails.org
-- amazing documentation
groovy.codehaus.org

Using PhoneGap to Build Mobile Applications - Matt Gifford

(Ray Camden was originally supposed to do this presentation, but had to fly home early, so Matt stepped in to cover for him. It seriously didn't come across like any sort of "last minute" thing; Matt's presentation went exceptionally well. This may have been the highlight of the conference for me, and I'm not just saying that because I won a free book in this session. :) )

Ray was set up to do the demos with iPhone
Matt's using Android instead (which works better for me, as I spend more time in Android devices anyway)

Genesis of PhoneGap
started in 2009 by Nitobi
Adobe bought Nitobi

PhoneGap is free
and open source

Creates NEAR-hybrid apps
Tries to follow standards
when it doesn't need to do anything, it doesn't
in the perfect world, PhoneGap won't exist

Features--
Contacts
Device
Events
File
Geolocation
Globalization - date/number/currency formatting
Media - related to audio playback (supports record as well)
Notification - visual, audible, and tactile notifications
Splashscreen - for your splash screen needs
Storage - mini database

Unofficial features
NO restriction on which JS libraries you use
-- jQuery Mobile, Backbone, whatever
use any API you want
easily deploy to the app store

Non-features
not a UI
can't convert CF/PHP/Perl sites to native
not a native app killer

Who is using PhoneGap?
wikipedia
bbc
hockey community
etc
over 1million downloads

Not limited to any IDE
uses Eclipse, CFBuilder, etc

Most important bit of JS in PhoneGap:
document.addEventListener("deviceready", onDeviceReady, false);

used to HAVE to use Eclipse to build a PhoneGap project, edit the manifest file, etc, lots of headaches
Now, can do it from the command line using the PhoneGap "create" command
-- gives you options for which type of platform you're targeting (iOS, Android, etc)

can share 1 codebase for android and iOS versions of your app (the /www folder)
up until you use plugins, then it starts to break.

can also generate your projects via the apache site.
-- kind of confusing, not a good option to explore

PhoneGap Build
http://build.phonegap.com
builds everything FOR you in the cloud
no manifest files or other weirdness required.
-include cordova-VERSION.js
-only does what it has to
-config.xml
-plugins
...but it doesn't ALWAYS work. sometimes the build fails. just hit "rebuild" and try it again.

building iOS apps fail by default on the first run
...because you need a product key

In the real world
BEST way to test is actually ON the device
but you also CAN build...
in the desktop browser
mobile via web
Ripple emulator
Local SDK to Simulator / Device

Desktop Browser
- super fast because we don't need to "go" anywhere
- can use whatever browser testing tools we know and love
but...
- UX isn't right
- UI isn't right
- features missing (onDeviceReady won't run)
- security restrictions

Mobile via Web
- kinda fast
- get SOME idea of UI and UX
- but debugging is bad

Ripple Emulator
- amazing tool
- open source, written in JavaScript
- allows you to emulate a number of devices
but...
- doesn't support ALL of the PhoneGap API
and it's still not "on the device"

emulate.phonegap.com
installs the chrome extension

** always check for network connectivity in your apps
event listeners for "online" and "offline"

don't forget: you're JUST building a web app, and slotting phonegap.js in afterward
can build ANY front-end web app, just like always

PhoneGap Build 411
supports the big and small players -- android, iPhone, blackberry, symbian
as an API
no SDKs, no compiling, no mess

what you WILL screw up 1 or 2 times...
when you create your app
PhoneGap Build will INJECT its own phonegap.js file in the app
so you're NOT supposed to have it in the uploaded project

config.xml
used to configure stuff. instead of the "manifest" file you'd use if you were building native android (for example)
no validator, so get it right
can test this with the Ripple emulator

not required, but put and in your xml file too so it displays in the phonegapbuild site. if you're working with a team of guys, this can help each other see what's what.

<preference>
all use basic name/value pair syntax

using phonegap-version preference, can specify which PG version we want PGB to use when building the app
orientation - landscape/portrait
target-device - can set to "universal" for all devices
webviewbounce
etc

can set "max and min SDK" for android devices

<feature> tag
turn on/off which features you need for your device
battery, camera, file, media, network, etc.
including them all doesn't have any performance issues
just tells PGB "tell the device, i want to use these permissions"
if you don't want to use ANY of them you can say
<preference name="permissions" value="none" />

By default, app gets NO access to external resources.
if you want to start doing an ajax request to a server, have to tell it in the config.xml "i want to go to this domain".
can also use wildcards to access any external resource

build.phonegap.com/docs/config-xml
-- great resource for the config.xml
-- lists all the available notes, features, etc.

Access element
<access origin="https://build.phonegap.com" />
"i only want my app to access THIS website"
etc

what happens when you click on a link?
on Android, if it's white listed, it will take over the web view, otherwise it opens a browser
on iOS if whitelisted, a regular link takes over web view, one with target="blank" opens in a browser. if NOT whitelisted, it is blocked
for more info
https://build.phonegap.com/blog/access-tags
Remember inAppBrowser feature
-- used to be called "child browser" as a plugin

ConfiGap
http://aj-software.com/configap/
AIR app
allows you to build the XML with a GUI

CFBuilder extension (that matt wrote!) that gives you a GUI to build the config.xml file from within CF Builder
phonegapbuild.riaforge.org

Hydration--
improves compilation speed
takes your PG app, and when it compiles it, it creates a native binary wrapper around the PG app, and when you d/l it on the device, every time, it will make a call to the PG server to detect if a new version is available for download
-- so install the app ONCE, and it always checks for later versions
when you first make a PGB project, there is an "enable hydration" checkbox, that's how you add it to your project

sometimes the build services goes wrong
a good way to keep an eye on things is http://pgbuildstat.us

debug.phonegap.com
"weinre"
basically a remote version of Firebug, Chrome Dev Tools, etc
to add this to your app: check the "enable debugging" box in PGB when making a project

PGB API--
everything returned is in JSON
some prebuilt api libraries out there for interacting with the PGB api - php, node.js, etc.
build.phonegap.com/docs/api
can use to find out how many projects i have, info about a specific app, etc.

also an extension in Brackets (downloadable from the Git repo)
so i can send projects to PGB straight from my Brackets IDE

Dreamweaver has an option added to CS5.5 for this too

autobuild.monkeh.me
-- free service
-- add a web service hook to Git


Plugins
PG can already interact w/ a lot of the phone's features, but not everything
it'd be nice to interact w/ Facebook, a generic "push" service, etc.
we can, with plugins
-- written in their native language (that follows an API, so i'd have to write it in objective C)
ship w/ a javascript wrapper (so i actually write objective C plus javascript for the wrapper)
include them in your project

examples:
TTS (text to speech)
barcode scanner
SMS
intents
push notifications
child browser (now in PG as "InAppBrowser")

doing that in PGB is much harder
to cater for the different platforms, the developers writing the plugins need to change a LOT so it can be pushed into all the device types
so as a result, not all the open source plugins work for all phones

ChildBrowser (but don't use it, use InAppBrowser instead)
Barcode Scanner
various others...

the way you define a plugin: via the config.xml file
<gap:plugin name="BarcodeScanner" />

then in index.html:
<script src="barcodescanner.js"></script>
...but you DONT include the barcodescanner.js file in your project - PGB auto-includes it when you build your app


Your options for debugging
stick to the desktop
remote debugging (mobile web, chrome/safari)
console.log()

UI
many options
pick a framework that works for you - jQuery Mobile, Bootstrap, Topcoat
DIY

jquery mobile
-takes a "i'll just make everything pretty for you" approach
- book: jQuery Mobile Web Development Essentials (version 2 is coming out soon)

bootstrap
responsive layout

topcoat
new one, released by adobe
kind of bootstrap-ish
1 file for desktop, 1 file for mobile
topcoat.io

Performance -- Some tips
click versus touch, click is quicker than touch
click works 100% of the time
remote data via ajax isn't magically slender
perception is everything
cache static data
cache dynamic data

PG has HTML5 local storage - make use of it
if you're using a mustache template, whatever, store it in local storage

Some more tips --
check yr JS framework
learn CSS performance (hardware acceleration)
-- often underused, people rely on jquery animations way too much
learn from the past
additional resources
-- Christophe Coenraets - blog post about 10 performance techniques for PhoneGap apps
Brock Whitten has stuff too
book: Matt's cookbook

CFObjective Notes: Mobile but Secure - Bilal Soylu

Insecure Data Storage
we have all these files for storage - sql lite database, log files, xml, cookie stores, etc
how sure am i that NO other application can read it?
confidentiality of data is lost
Credentials disclosed
if i have a mobile version of something on my desktop, they should NOT use the same credentials. don't want someone hacking the mobile app to be able to break into the web app too
caches can be read too
if you have to store stuff, store it in the right way, in the right place
use the right kind of encryption
assign permissions to the files that your app generates

Weak Server Side Controls
all the pipes to the back end need to be secure
trust needs to be established
Authenticate, Authorize, Type, and Content

Know Your Basics
OWASP Top 10 list changed in 2013
injection
broken auth and session management
xss
insecure direct object refs
security misconfigs
sensitive data exposure
etc, etc

Thoughts
so you THINK you know all the stuff, you've read the blogs, etc.
we're still trying to learn today how mobile fits into everything

Common API Pattern (bad)
REST API
call comes in via REST, you authenticate and validate, and can request whatever you want
now i do the SOAP api on top, do i do the same thing on top?
now a socket on top of that
...and now i have THREE areas people can attack me thru

Improved Attack Surface
think about a channel as kind of a "transport layer" into our app
normalize the layers
regardless of how the data came in, normalize what goes into your system
then i have ONE service layer to secure, instead of 3 or 4 different ones
REST may be good for convenience, but maybe not good for minimizing attack surfaces
easier to control "1 door" than "many doors"

Insufficient Transport Layer Protection
transporting things OUTside of https isn't a good idea
many transports combine plain text with sensitive data
poor planning about security
ignore errors
-- certificate warnings and expirations

at the airport, make your laptop a hotspot
name it the SAME as the airport wifi
then install Charles
and bam...can sniff everyone's connections. they'll all connect to YOU instead of the real airport wifi. people don't think about this when connecting to wifi

Impact
when you have sensitive data, use SSL
in your mobile app you should "question your connections"
don't ignore errors
even tho it's painful, let's make the app "right"
make sure the servers we're hitting are proper, don't use self-signed certs in Production, etc.

Client Side Injection
Our old friends -- XSS and XHTML injections
SQL injections
normally in XSS the intent is to hit some other user
still may be the case in your mobile apps.

XSS new target is your device
target is not the server but the app running on the client

Mitigation
how can we get better?
sanitize or escape all inputs
once data has left the server, never ever ever trust it
white lists are good techniques
be aware of the inputs you use
if i'm expecting GPS input, does the data LOOK like GPS input?
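The whitelist idea above, worked through as an added example (not code from the talk): a PhoneGap webview that receives a "position" field checks that it actually looks like a GPS fix before using it, and escapes anything else before it reaches the DOM. The function names (looksLikeGps, escapeHtml, renderLocation) and the sample responses are constructed for this example.

```javascript
// Added example: whitelist validation plus HTML escaping for data a PhoneGap
// webview receives from a server or another app. Names are made up here.

// Whitelist check: does the input LOOK like a GPS fix? Two decimal numbers
// separated by a comma, each within the valid latitude/longitude range.
const GPS_PATTERN = /^\s*(-?\d{1,3}(?:\.\d{1,8})?)\s*,\s*(-?\d{1,3}(?:\.\d{1,8})?)\s*$/;

function looksLikeGps(input) {
  if (typeof input !== 'string') return null;
  const m = GPS_PATTERN.exec(input);
  if (!m) return null;
  const lat = Number(m[1]);
  const lon = Number(m[2]);
  if (lat < -90 || lat > 90 || lon < -180 || lon > 180) return null;
  return { lat, lon };
}

// Escape the five characters that matter when text lands inside HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Build the HTML for a "last known position" widget. Whitelisted input is
// rendered from the parsed numbers; anything else is shown escaped, so a
// payload smuggled through the location field cannot run inside the webview.
function renderLocation(input) {
  const gps = looksLikeGps(input);
  if (gps) {
    return `<span class="pos">${gps.lat.toFixed(5)}, ${gps.lon.toFixed(5)}</span>`;
  }
  return `<span class="pos invalid">invalid position: ${escapeHtml(input)}</span>`;
}

// Constructed sample responses, as a server or third-party API might return them.
const SAMPLE_RESPONSES = [
  '51.50735, -0.12776',                 // valid fix
  '95.0, 10.0',                         // right shape, latitude out of range
  '<img src=x onerror="alert(1)">',     // markup where a position was expected
];

function renderAll(responses) {
  return responses.map(renderLocation);
}

console.log(renderAll(SAMPLE_RESPONSES).join('\n'));
```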

XSS via HTML5 forms
HTML5 is cool, but makes some exploits easier
new form elements
form action can be exploited, in banner ads, etc.

XSS via HTML5
check 3rd party code that you display
use reliable partners
the "form action" thing was supposed to be an HTML5 -feature- but features can be exploited too.

how long do people use your application if it's not convenient?
need to strike a balance in convenience and security

multi-factor auth is a good idea
out of band does not work if everything is on the same device
if i have a man in the middle attack on my phone, then logging in and calling my phone for auth doesn't solve anything -- it's all the same channel, it's not "OUT of band"

Improper session handling
difference in sessions on mobile / desktop
sessions on mobile are much LONGER
which increases the chances for it to be insecure

Don't use Device IDs

sometimes you have to ask for re-authentication
-- set expirations for use
build active revocation into your sessions so stolen devices can quickly be disabled
use proper token generation techniques
build a way to DISABLE sessions into your apps

Security Decisions via Untrusted Inputs
some mobile apps introduce extra features, can be invoked by URL schemes,
if I can use the Skype protocol via URL, could i make a phone call just by building that URL?
so i could have an app that just makes phone calls or sends text....without consent!

Side Channel Data Leakage
Don't log credentials or sensitive data
remove sensitive data and screenshots
if you have debug libraries in your app, what are they doing?
review 3rd party libraries
-- what data do they use / transmit
are you taking screenshots with Weinre? With passwords in the screenshots? Or other sensitive data?
remember to delete those screenshots when you don't need them any more, so they're not on the device for other apps to see and exploit

Apple and iOS - when they started logging where people were in GPS, that data went into a log file. Irritated a LOT of people.

Broken Cryptography
Encoding, Obfuscation and Serialization are NOT encryption
broken encryption = you used short keys rather than proper length keys, etc. stuff that can be easily bypassed.
do not store keys on the same media you use them on
-- storing the key WITH the encrypted data...bad idea
use proven cryptography libs (don't write your own. it's hard).
-- there are enough libraries out there that do it RIGHT
take advantage of platform libs if possible

Sensitive Information Disclosure

don't store sensitive info on devices
don't transfer them TO the device either
never hardcode passwords
don't store passwords in code -- that's plain text!

Indicating Trust Within Your Code

Keep current with updates
so you're not as easy of a target

Stay vigilant!

Resources:
OWASP www.owasp.org
Security Vendors - Symantec, etc

CFObjective Notes: ColdFusion Builder: IDE to Boost Your Productivity - Elishia Dvorak

CFB 2.01 focus was performance
2.01 has a big performance improvement over 2.0
plus CF10 support
-- documentation libraries
-- server config is updated for Tomcat
FTP has new "upload on save" feature

Creating projects
several ways
just create a project in your web root
by default, it chooses a folder under the /Builder directory
can "promote" a folder that's not a project, TO a CFB project
need to apply a "CF Nature" so you can attach a CF server to that folder

Setting up a project...

Server Settings Popup
"Application Server" setting, can pick between JRun or Tomcat (new w/ CF10)

Don't enable RDS in a Production server
(??? since Production are the only boxes that need a serial #, can we somehow make it so that if you HAVE specified a serial # and marked a box as "Production", that it auto-disables RDS? and then if i really WANT to undo that, i have to jump thru some hoops, so no one does it accidentally?)

Pick "dictionary" first (cf9, 10, etc)
then pick the server i connect to after that
???? -- if we flipped those...and picked a CF server first, couldn't that auto-pick the correct dictionary? based on what CF version that server is running?
that'd shave a little config off the "new project" process

For debugging... on CF server, need to turn on:
1. RDS Debugging
2. Line Debugging

Remote debugging
just slightly different than local debugging

To set a breakpoint, remember to click to the LEFT of the line-numbers, clicking to the right won't do anything.

Cyclic Code Assist
ctrl-space once = list of all the available variables/scopes
ctrl-space 2 times = list of all the methods available
..and it will keep going, giving you options for whatever is available at that point in your code

Really revamped all the Code Assist functionality
ORM Code Assist, for browsing files/dirs, relevant tags, etc.

Q: "how many people are using extension?"
...NO hands went up!

All the builder extensions are available on www.riaforge.org

Every version of CFB becomes more and more reliant on CF server
CF11 and CFB will be released together (tho technically she called them "Thunder" and "Splendor"). :)

Blog Posts

AngularJS Powered by ColdFusion part 2

Posted by Shirak Grigor on September 26, 2012 at 15:28

I have uploaded a video tutorial about AngularJS powered by ColdFusion, part 2. To view this tutorial, please click here.

AngularJS Powered by ColdFusion

Posted by Shirak Grigor on September 6, 2012 at 0:39

I have uploaded a video tutorial about AngularJS powered by ColdFusion. To view this tutorial, please click here.

IE9 Document Mode In Developers Tool

Posted by Shirak Grigor on August 10, 2012 at 20:59

Maybe not a lot of people are using IE for their web development testing, but if you do, keep reading this post. When you run the Internet Explorer developer tool you might notice Document Mode is IE7 standards ("Document compatibility defines how Windows Internet Explorer renders your webpages") and Browser Mode is IE9 Compat View; for more info about Document Mode and Browser Mode read …

ColdFusion WebSockets and Conflict Resolution

Posted by Shirak Grigor on August 9, 2012 at 19:27

When you work with a data-centric application, the first thing that will come to your mind is data integrity with your client, making sure your client will get accurate data. That being said, I have updated my previous application to include a proof of concept which eventually will lead me to create a complete conflict resolution engine utilizing client storage and server side storage (SQL).…

© 2013   Created by Nick Tong.
